Wednesday, December 28, 2011

Comments on the Comments on the Washington Post Editorial "China's Cyberwar" of December 15, 2011

"I would certainly begin by examining the cause and not the symptom".
- Q, in Star Trek: The Next Generation
At the risk of carrying recursion a bit too far, I wrote these comments in response to the comments on the Washington Post editorial "China's Cyberwar" of December 15, 2011. They are too long for the native comments system, so I have posted them here.

First, one country cannot "disconnect" another country from the Internet; it does not work like that. Second, geographic borders are largely meaningless on the Internet; threat actors routinely hijack and control computers by the millions across dozens of countries. These hijacked computers then become attack platforms or relays, which tends to conceal the identity of their controller, particularly when the computers sit in a country whose law enforcement may have difficulty cooperating among themselves, never mind with anyone else. This makes "attribution" – confirming the actual identity of the person or entity that is attacking or "hacking" your networks – elusive.

Even in cases where the trail is less fraught with complications, IP addresses are not easily resolved to the level of an individual computer today. Internet service providers may not maintain sufficiently detailed public records, and their customers may place many thousands of computers behind a single address in an address conservation scheme known as NAT, or network address translation. One possible way to combat this is by converting the world to IPv6 – Internet Protocol version 6 – which has a sufficiently large address space that today's conservation methods would be unnecessary and each computer or device could conceivably have a unique and relatively fixed address, making it more practical to identify false or "spoofed" traffic and messages. This could also enable decisioning based on the reputation of the source computer and its custodial entity, by considering the relative hygiene of the source based on factors like the volume and frequency of attack traffic that appears in its history – possibly incentivizing operators of frequently compromised networks to "drain the swamp" and practice better security or else risk having their traffic increasingly shunned. Converting to IPv6 is, of course, a massive undertaking and is still many years away due to its cost and complexity. Complete conversion is even further away and will not take place until millions of older devices that cannot be made to speak IPv6 disappear during long-term capital equipment replacement cycles.
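To make the source-reputation idea above concrete, here is an added example of my own (not code from the editorial or its commenters). It scores sources from a constructed attack history, weighting each event by how recent it is, so that both volume and frequency count; it assumes an IPv6 source rolls up to its /64 (one customer's subnet), an IPv4 source stays a single address because NAT hides whatever is behind it, and a score of 1.0 is the threshold for shunning.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample history: (ISO timestamp, source address, event kind).
# Addresses are documentation ranges; none of this is real traffic.
HISTORY = [
    ("2011-12-01T10:00:00", "2001:db8:1::10", "scan"),
    ("2011-12-20T10:00:00", "2001:db8:1::10", "bruteforce"),
    ("2011-12-27T10:00:00", "2001:db8:1::10", "bruteforce"),
    ("2011-12-27T11:00:00", "2001:db8:1::11", "scan"),
    ("2011-06-01T10:00:00", "2001:db8:2::5", "scan"),
    ("2011-12-27T12:00:00", "198.51.100.7", "bruteforce"),
]

def source_key(src):
    """Roll an IPv6 address up to its /64 (assumed customer subnet);
    keep IPv4 as the bare address, since NAT hides the hosts behind it."""
    addr = ip_address(src)
    if addr.version == 6:
        return str(ip_network(f"{src}/64", strict=False))
    return src

def reputation(history, now, half_life_days=14.0):
    """Return {source_key: score}. Each event is worth one point, halved
    every half_life_days, so a burst of recent attacks outweighs old noise."""
    scores = defaultdict(float)
    for ts, src, _kind in history:
        age_days = (now - datetime.fromisoformat(ts)).total_seconds() / 86400
        scores[source_key(src)] += 0.5 ** (age_days / half_life_days)
    return dict(scores)

def decision(score, shun_at=1.0):
    """Assumed policy: shun a source once its decayed score reaches shun_at."""
    return "shun" if score >= shun_at else "allow"

def hygiene_report(history, now):
    """Map each source key to (score, decision) for operator review."""
    return {k: (round(s, 3), decision(s)) for k, s in reputation(history, now).items()}

if __name__ == "__main__":
    for key, (score, verdict) in hygiene_report(HISTORY, datetime(2011, 12, 28)).items():
        print(f"{key:20} score={score:6.3f} -> {verdict}")
```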

Next, those advocating unrestricted "cyberwar" should sit down; nobody is particularly ready for, or in need of, this. The volume of attack traffic on the Internet today is excessive and places a strain on corporate IT departments in the private sector. For-profit corporations don't want to field large private armies of security engineers and technicians; they want to carry reasonable overhead and remain profitable. A decade ago it might be said that private corporations were treading water; today, some are drowning in a tsunami of attack traffic, as the year's headlines illustrate.

Today’s situation is complicated further as we build out the global economy.  Interconnection, a necessary ingredient for globalization, gives us the modern economy we have today and I would not advocate undoing this, regardless of the respite it would provide for security teams. What we have failed to consider, it seems to me, is that we have interconnected vastly different, and partially incompatible, political economies with real-time networks.  East and West do not agree on many aspects of political philosophy, including some that underpin western capitalism – intellectual property rights among them. These differences mean that large scale theft of intellectual property, as well as many types of valuable data, may go ignored by foreign authorities – a relatively new reality for many western organizations. The same networks that allow for global collaboration allow for global malfeasance at the speed of light.

The ability to prosecute those who perpetrate theft or do harm is a foundational tenet of western civilization. The goal of most critical incident response operations is to identify and prosecute the offending subject, in order to remove them from the playing field, disincentivize others from mounting copycat attacks or intrusions, and possibly recover losses through legal judgments. Removing legal recourse completely unbalances the equation and fundamentally breaks the risk management model of the western political economies.

The result is that modern global corporations may no longer assume that the courts will provide a safety net and adjudicate intellectual property theft or disputes. Removing this assumption, and this disincentive to IP theft and infringement, drops western corporations into a new playing field where they must abandon recourse to the legal safety net and learn to build and operate massively complex security systems backed by standing armies of staff engineers, contractors, and consultants. This is economically viable at neither end of the scale: it is beyond the reach of small businesses, and doing it at scale is equally challenging for larger corporations. Private security armies are something of a white elephant – expensive to maintain, and even harder to recruit and retain. There simply aren't enough skilled security practitioners for everyone to have a private army – and countries with larger populations can threaten to outman us.

This has been debated for years in the tech world as you might expect. I recently began to suggest, and found that some of my colleagues agree, that perhaps we are going about this the wrong way by trying to solve a political and/or economic problem with technology.  The way to solve this, it seems to me, is with a treaty on intellectual property that restores the legal safety net and provides real disincentive for intellectual property theft by aggressively prosecuting IP thieves in their home countries.  Such a treaty is probably a complete fantasy at the moment, given the absence of intellectual property concepts in certain political economies, but is still quite probably the approach that would provide the most effective solution.
