Would U.S.-Iran Cyberwar be Fair Fight?
DDoS Assaults on Banks Seen as Retaliation for Stuxnet Attack
Reports that the self-claimed hacktivist group Izz ad-Din al-Qassam Cyber Fighters is a front for Iran's government, if true, raise the question: Is the U.S. at cyberwar with Iran?
Izz ad-Din al-Qassam, in postings on the Internet, contends it's behind the series of distributed-denial-of-service attacks that have temporarily overloaded the online sites of several leading American banks, as my colleague Tracy Kitten has reported in a series of stories (see DDoS Hacktivists: No U.S. Bank is Safe and Explaining DDoS to Consumers).
Now, a new report, appearing in The New York Times, asserts Iran - using the cover of Izz ad-Din al-Qassam - has penetrated data centers to launch the DDoS attacks as retaliation for the United States allegedly infecting Iranian nuclear centrifuges with the Stuxnet computer worm. Sounds like a digital war, right?
To assess the situation, I reached out to Martin Libicki, a senior management scientist at the Rand Corp., a think tank. Libicki has written extensively about cyberconflicts, including the book "Conquest in Cyberspace: National Security and Information Warfare" and a monograph "Cyberdeterrence and Cyberwar" [see Conventional War Strategy Doesn't Work in Cyberspace]. Here's an e-mail exchange I had with Libicki:
'Declaration' of War
ERIC CHABROW: If Izz ad-Din al-Qassam is a front for Iran, does this mean the U.S. is at cyberwar with Iran?
MARTIN LIBICKI: Whenever I'm asked whether this or that is an act of war my reply is: would it be in our interests to consider it an act of war? Similarly, would it be in the U.S. interests to consider itself at cyberwar with Iran? Could we convince others that our perception is reality? Would they reply that, with Stuxnet, the United States fired first? Indeed the damage from Stuxnet was far in excess of whatever disruption these bank DDoS hackers have done to the United States.
CHABROW: How prepared is the United States (its government, military and industry) for such a virtual conflict?
LIBICKI: We're probably not very prepared for a virtual conflict against a really competent state such as Russia or China, neither of which have much interest in carrying out such a conflict. But I'm less impressed from what I've seen from Iran.
CHABROW: With DDoS attacks being launched from data centers, how can banks or other institutions defend themselves?
LIBICKI: There are technical defenses, the details of which I'm not all that well informed about. However, against a serious sustained attack, the most straightforward answer is more bandwidth, purchased either directly, or indirectly by hosting one's services on a large company's cloud or by using the services of a content distributor (such as Akamai).
CHABROW: Whose responsibility is it to defend the banks or other non-government institutions? The banks themselves, the U.S. military (isn't this what National Security Agency Director and Cyber Command Commander Gen. Keith Alexander speaks of when he says one of the roles of the military is to protect U.S. interest in cyberspace?), private-public partnerships?
LIBICKI: For penetration attacks, the responsibility is clear; if someone got into your system, it was because your system had pathways that it shouldn't have had. For DDoS attacks, where the subverted system belongs to a third party, there may have to be a collective response that focuses on preventing the abuse of the third party's system, which, in turn, is, ultimately, a responsibility of the third party.
It's a difficult problem because it requires defining new responsibilities for those who connect to the Internet and distinguishing between permissible heavy outgoing traffic and impermissible outgoing traffic. DDoS attacks would have to get to a particular level before it becomes worthwhile turning on that policy machinery. I'm not convinced that they have gotten to that level (that is, doing nothing may be more cost-effective), but that may not be true forever. Note that I haven't mentioned the military here. I don't think it's a military responsibility, but having said that, some very bright people work for Gen. Alexander and their help may be quite useful.
CHABROW: Does the military have the authority it needs to conduct cyberwar and if not, what authority does it need?
LIBICKI: My feeling is that they do, but I'm not a lawyer and some of them may disagree.
No Lost Sleep
CHABROW: How worried should American business and citizens be about such attacks?
LIBICKI: I don't think this is worth losing sleep over; it's one business risk among many.
CHABROW: What other points would you like to make on this situation?
LIBICKI: If the United States is going to respond offensively to such actions, it needs to make sure that a response yields something useful. Responding to them because they did it to us isn't strategy; it's instinct.