You hack us, we bomb you -- what's the right way to respond to cyberattacks?
Today's Wall Street Journal discusses the Pentagon's first formal cyber strategy. The interesting part is that it takes the position that some acts of computer sabotage ("cyberattacks") -- shudder! I hate that term -- are "acts of war" and may be dealt with through conventional military force.
This is both obvious and frightening at the same time. The idea that you respond with literally lethal bombs in an attempt to shut down civilian or military infrastructure facilities is going to strike many as "disproportionate." There's something to proportionality, but you can take it too far. Recently, Palestinians in Gaza fired an anti-tank missile at an Israeli school bus. Would the proportional Israeli response have been to fire an anti-tank missile at a Palestinian school bus? If you feel you've been attacked wrongly, you have every right to hit back hard. Is there no good reason to limit yourself to the weapons of the enemy?
This mostly isn't a technology question. There is, as I see it, one important technological constraint on the matter, and the DoD is aware of this: It is usually difficult, and oftentimes impossible, to attribute responsibility for these cyberattacks with certainty. We know that there are hacker groups in China and Russia conducting many of these attacks. Are they under the control of their governments? Do their governments look the other way and shirk their responsibility to stop the attacks? My impression is that, for the most part, we don't know. It's plausible that many of the attacks are performed by criminal/nationalist gangs for profit. Strange how that could be a legal defense.
In the cases of China and Russia it's an academic question. We're not going to go bombing those countries just because of computer sabotage. Who would we bomb? When you think about it, the overlap between the set of countries against whom we would be willing to take such measures and the list of countries that have the capabilities to conduct such attacks is probably a null set, especially when you consider which countries would have a real incentive to attack us that way. North Korea? It has nukes, and I'm sure we would try as hard as possible to avoid giving it even a phony reason to attack the South. Anyway, I wouldn't think that North Korea has the expertise to do such things, although perhaps the dictatorship could buy it (using money it blackmailed from the West).
In the end, the use of boom-boom munitions in response to hacking is a distraction, at least for the United States. What we need in order to retaliate against such attacks, if we really think we're sure enough to know where they came from, is our own retaliatory hacking capability. And we need to let other parties know we have it. If real governments are behind these attacks there's a pretty good chance they would be deterred. If some wacky terrorist group is behind them, they won't be deterred by bombs or hacks.
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for InfoWorld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.