Why CyberWar is not possible

OECD has a good paper on why cyberwar is not a possibility (pdf). Excerpt: The authors have concluded that very few single cyber-related events have the capacity to cause a global shock. Governments nevertheless need to make detailed preparations to withstand and recover from a wide range of unwanted cyber events, both accidental and deliberate. There are significant and growing risks of localised misery and loss as a result of compromise of computer and telecommunications services. In addition, reliable Internet and other computer facilities are essential in recovering from most other large-scale disasters.

Just because you can doesn't mean you should. Or: legal always trumps technical.

Coreflood Botnet was taken down. Legally. In the security industry, researchers have often been able to infiltrate botnets. Yet, the next step has always been a big question mark. Now, defenders may have a new slate of options. The takedown of the Coreflood botnet marks the start of more aggressive stance against botnets, say security experts. Last week, the U.S. Department of Justice obtained a temporary restraining order forcing registrars to reroute requests from infected computers, not to Coreflood’s command-and-control servers, but to a substitute server managed by a non-profit group.

Cyber Europe 2010. Learnings the same to Cyber Storm II and Cyber Storm III

Fresh from the press comes ENISA’s final report & video clip on ‘Cyber Europe 2010’: the 1st pan- European cyber security exercise. The report underlines a need for: • more cyber security exercises in the future, • increased collaboration between the Member States, • the importance of the private sector in ensuring security. Largely the same findings as were found in Cyber Storm II (2008) and Cyber Storm III (2010). There is always a lot of talk about increased sharing of information, but the reality remains that in the current environment you cannot share information without having to sign a different non-disclosure agreement for different task forces and different special interest groups and different trusted information sharing committees and groups.

More on InfoWar skirmishes in Russia

InfoWar Monitor has a great summary of the recent skirmishes in the Russian information sphere: Attacks and Controls in RUNET Distributed Denial of Service (DDoS) attack on LiveJournal was well publicised, but what is less known is that the oppositional newspaper, Novaya Gazeta, was also similarly attacked.It was reported that the newspaper believes that the attack was carried out by those who attacked the Livejournal. The large scale DDoS attack was at one point sending 70,000 visit requests every 14 seconds.

Information Warfare in Russia

What we know about LiveJournal … - LiveJournal is extremely popular in Russia; - some of the opinions by Russian bloggers on LiveJournal aren’t to the liking of Putin’s “siloviki” (ex-KGB, now FSB people); - president Medvedev is an avid user of LiveJournal; and most importantly - whilst it seemed years ago that Medvedev is just a body keeping the presidential seat warm until Putin can return this doesn’t seem to be the case anymore. And that other news from Russia makes it clear that at least one side is positioning itself for information supremacy as part of overall supremacy.

Customary international law, cyberwar and the logic that is left behind

There’s a good article quoting Martin Libicki of RAND Corp. and his talk at the CyberFutures symposium. Political leaders do not grasp the concepts of cyberspace and cyberwar at a level to confidently write policies, he said. “Cyberwar is a lot of magic. Try talking to high-level folks and figuring out what they actually understand about it. The best of them don’t have a clue and the worst of them think of things that have no basis in reality. So when something happens, it’s always a head-scratching event.

And the veil of secrecy with RSA continues

So RSA still hasn’t learnt that secrecy does not work long-term, especially after your secret is already known to your adversary. A senior executive of RSA Security, has admitted it has required corporate customers to sign non-disclosure agreements to receive technical advice on how to plug possible new security holes arising from a hacking raid on the company. This is nothing unusual, nor anything new. Remember the ASN.1 issues all those years back? Yes, key people at global backbone providers knew about the problem way in advance and were given the means to patch their infrastructure before the issue became public.

Asymmetric warfare? Asymmetric definitely. Warfare? Too Early.

So we have A person, believed to be a man, entered the “sterile” area of the terminal at about 9:30am today via the exit doors from the baggage collection area. … [T]he man was spotted on closed circuit TV entering through the exit but security staff watching monitors lost track of him once inside the terminal. Thousands of people are now being cleared out of the terminal to be rescreened by security. … The breach exposes a gap in the terminal’s security for which Qantas is responsible, as there is no security officers permanently stationed at the “out” doors to watch passenger movements.

Don't confuse terms, it makes communication impossible

The below just hit a nerve. The second major deal to hand over European citizens’ information to the U.S. has proved equally controversial. The Terrorist Finance Tracking Program (or SWIFT) was criticized by European parliamentarians in February after a review of the agreement revealed that implementation was not thorough enough in protecting data privacy. From:eu-us_talks_data_exchange_start_amid_controversy Get your facts in order, please. SWIFT is an international interbank messaging system. Terrorist Finance Tracking Program it isn’t. via ScribeFire

Standards. They're not what you think they are.

I have had a number of design and architecture meetings over the past few months where standards are invoked every time a new approach is recommended. Sadly it seems that over the years people forgot what standards are for and how they come to be.Standards are documents describing current approved lowest common denominator and a baseline to build on. They describe bare minimum and generally (though not always) describe current state, not proposed and wanted future state. Standards are not holy writ.