Cyberwar: Is This The First Salvo?

Estonia claims that Russia launched a virtual attack this past month against government agencies, followed by cyberassaults on its newspapers and TV stations, schools and banks. If true, this would represent the first cyberattack by one nation on another. Should Americans and American business be concerned?

Two of the nation’s leading security experts, Ira Winkler and Alan Paller, spoke to Baseline this week and gave their perspectives.


Winkler: We’re Too Quick To React

Ira Winkler, one of the nation’s leading computer security experts, is the author of Zen and the Art of Information Security. He is also president of Internet Security Advisors Group, a security consultancy that specializes in vulnerability assessments and penetration testing services. He sits on the board of advisers at Securify, a computer monitoring and security company.

Winkler is also a one-time intelligence and computer systems analyst at the National Security Agency, the former technology director at the International Computer Security Association, and the former chief security strategist at Hewlett-Packard, a post from which he resigned in 2004.

He and John McCormick, editor-in-chief of Baseline and CIO Insight, exchanged e-mail about the news coming out of Estonia. This is an edited version:

What do you think about the events taking place in Estonia? Could this really be the first cyber battle between nations?
No, it demonstrates the effects that imbeciles have when organizations do a poor job protecting themselves. The attacks are due to people with too much time on their hands and are not a government-sponsored thing. Russia could have blown them off the Internet if they wanted to.It amazes me how people want to quickly attribute attacks to nation states, when any imbecile with connectivity and basic knowledge can accomplish such attacks.

Is the U.S. vulnerable to this type of attack? Could it happen here?
These types of attacks occur all the time in the U.S.. We just have a more resilient infrastructure to deal with the problems.

What things should we being doing as a country to protect ourselves?
As a country, we have shown that we are not vulnerable to these types of attacks. While there might be small outages every so often, we are too resilient. I think we should continue to provide bandwidth, but pass laws that require companies to enact basic security countermeasures so that they don’t enable such attacks against others and the country.

What three things should CIOs/CSOs being doing to protect their companies?

  1. Make sure that they have plans in place for DDoS [distributed denial of service] attacks.
  2. Enforce basic computer security policies
  3. Ensure that they have a robust infrastructure in place to minimize the impact of DDoS attacks.

Paller: There Are Attacks Every Day

Alan Paller, director of research for the SANS Institute, is an original member of President Bush’s National Infrastructure Advisory Council. He spoke with Baseline senior writer Deborah Gage.

How vulnerable are U.S. companies and government agencies to politically motivated cyberattacks like those that have been conducted against Estonia?
One of the lesser-known facts of the Internet is there are thousands of denial of service attacks every day. It all began in 1998 and 1999 with gangs of hackers attacking and disabling other hackers’ chat rooms because the first group felt “disrespected.” From there, it spread everywhere. There are DDoS (distributed denial of service) attacks-so called because they are attacks launched from many distributed (zombie) computers. Environmental groups attack companies they think are being careless with the environment; extortionists attack gambling sites (and many, many other types of sites) threatening to disable the site if its owners do not pay from $10,000 to $1,000,000. It has gotten so common that BusinessWeek did a story about the online gambling sites paying extortion to these attackers. Israelis and Palestinians launch DDoS, China and Taiwan launch DDoS. It’s huge.

What’s the best way to protect ourselves?
Every company is at risk. If you don’t plan for a defense, it is really hard to institute one once an attack starts. And you cannot defend yourself on your own network. There is one general solution. Contract with your ISP [Internet service provider] for a denial of service protection service. The ISP sets up a monitoring system for spikes of traffic attacking the customer and, when they see it, they block it as it comes into the ISP’s network so the target never actually gets disabled. Not perfect because with enough zombies even an ISP could be overwhelmed, but it works well enough.