I know that the military mind thinks differently than the civilian. I even understand how the total acceptance of authority has to be inculcated in the soldier leading to sometimes blind thinking. I am afraid that this author of the most bizarre call to arms ever has really missed the mark. Writing in the Armed Forces Journal, Colonel Charles W. Williamson III calls for the Airforce to create an offensive Distributed Denial of Service attack (ODDoS) capability. This is so off base it is scary. It demonstrates a sophomoric understanding of the threat, the attack mechanisms, jurisprudence, and fundamentally what the Internet is.
A quote from "Carpet bombing in cyberspace. Why America needs a military botnet"
America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to carpet bomb in cyberspace to create the deterrent we lack.
Let me spell it out for those in the US military and those in the US Congress and Executive branch whose job it is to reign in the Military when they go nuts: The Internet is the highest evolution of shared commons that human society has created. The fact that it works at all is thanks to the trustworthy behavior of the majority of its users. The spammers, phishers, scam artists, and bot herders that abuse it are a noisome rabble that are containable with a little investment. Despite its early progenitors ARPAnet and the NSF the Internet is in no way under the jurisdiction of the US Government.
Using retaliatory measures on the Internet will violate the sanctity of a great human institution. Attacking individual targets with the proposed AF.MIL botnet will be tantamount to carpet bombing cities to root out petty criminals. The collateral damage will be worse than the original attack.
An article that draws on historical metaphor from Troy to World War II Belgium deserves as studied a response as the author put in to creating what amounts to a manifesto. In subsequent postings I will spell out why:
1. You do not need an AF.MIL botnet to counter the threat from DDoS attacks.
2. The proposed AF.MIL botnet is flawed in every way. It will not work.
3. Arming in cyber space will not create any sort of deterrent.
4. Unleashing a military Distributed Denial of Service attack against botnets is just stupid.
5. Unlike the first atom bomb that did not set the upper atmosphere on fire, a huge DDoS offense could burn the Internet down.
6. Metaphors are dangerous things. Walls and castles and trebuchets were designed for killing and defending. That is a lot different than protecting a web server from going down.
7. The military, maybe even the Airforce does have a viable mission in cyber space.
8. With the rush to a new arms race in cyber space it may be time to convene a group of countries to form a self imposed non-proliferation treaty.
As I have written before . This idea that the military should develop offensive cyber capability is insane, wrong, and dangerous. The military is effectively admitting that they doubt their own ability to defend themselves against the simplest types of attacks. Until they get the defensive side figured out I suggest they stay away from the idea of developing cyber weapons.
About Stiennon
Richard Stiennon is a security industry innovator. He is currently consulting, speaking and writing on all manner of security topics and has just announced the launch of Seccom Global, a Managed Security Service Provider focused on UTM. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Netrex, the world's first managed security service provider.
|
|
I am in no way a computer
I am in no way a computer security expert, but it seems to me if number 2 above is correct (i.e. The proposed AF.MIL botnet is flawed in every way. It will not work.), then no one would have to worry about number 5 (i.e. Unlike the first atom bomb that did not set the upper atmosphere on fire, a huge DDoS offense could burn the Internet down.)
AF arye in Cyber Space
Having been in the AF I am sure there are things that you do not know about this project. certainly, like any military weapon, there is a potential for misuses. I think that what you said in your article is all true but the use of this weapon may be misunderstood.
US Air Farce has no mission
This is a complete joke!
The Air Farce has no mission, they are desparetly searching for one - having done two tours in Iraq - NOT ONCE did ever see an airmen - why is this?
Because they are nothing more than overpaid bus drivers -
The air farce thinking they manage, not LEAD space or Cyber defense is laughable :-)
Good thinking
But I mean by n0. 2 that the proposed botnet will do nothing to deter or stop attacks on the US while also disrupting the entire Internet.
The US Air Force Must Stand Down...
Hello stiennon:
What you fail to recognize (or acknowledge) is that foreign government sponsored DDoS attacks have already occurred against other states.
You also seem to lack a basic understanding of the role of the military in Threat Assessment. Even when the probability is low, it is still appropriate to identify it and describe operational counter measures. This subject is certainly not new to the military or Federal intelligence agency planners.
Frankly, there are foreign governments that are as actively involved (if not more so) in these endeavors than the United States. Think "China"
You sound suspiciously like a liberal democrat...
Stiennon couldn't be more
Stiennon couldn't be more clueless if he knew it. The distrubing part is that the Airforce admits they are clueless and don't have an offensive capability. Meanwhile in the real world 15 year olds, organized crime, and many other nation states have botnets and DDoS capabilities. The US gov is constantly under attack and defense is not a deterent no matter how good. Beware people like Stiennon that call themselves security innovators. He's a marketing wonk that believes his own press releases.
The Airforce
is demonstrating their cluelessness by a misinterpretation of the technology threat and appropriate response. You are demonstrating your own cluelessness by your evaluation of me. Do your homework next time you choose to attack someone personally from an anonymous identity.
Because we are susceptible to attack doesn't mean they are
What really seems to missing from the discussion is that the 'other countries do it' argument just doesn't hold up for why we should employ offensive DDoS capabilities as well. The situations are entirely different. The fact that we run a (mostly) open Internet with key pieces of infrastructure owned by a variety of different entities (service providers) and additionally have become increasingly dependent on the Internet for our economy and public safety doesn't mean the countries that are likely to attack us have those same weaknesses.
Lets say the US wanted to launch a retaliatory attack against China for some misdeed they did to us, well, their Internet is under the control of the government so it's pretty simple for them to throw up an ACL to drop all the hostile traffic. You don't win conflicts by attacking positions of strength (totalitarian control of their internet pipes) from positions of weakness (an open society with Internet provided by deregulated service providers). You certainly don't use the same techniques the enemy is using against you if the enemy doesn't have the same vulnerability profile you do.
Totally independent of the argument about whether it is right or wrong, it is just plain bad tactics to think that your opponents' weaknesses are the same as your own. The fact that the USAF Colonel doesn't see that is more damning of his military training than his technology training.
Right on
Great point!
Does not matter
The proposal is not to creat a first strike capability like Russia has used against Estonia and the Ukraine (by harnessing illegal botnets). It is to create a deterent using botnets. In future posts I will describe why this is so stupid. I will also describe why this is so scary it it represents the Airforce's ability at threat assessment becuase they have it so wrong.
While you may be insulting some liberal democrats with your jibe I can assure you that I am a radical right winger.