When There Is No Price to be Paid the Hackers Win

Technology and Security New Technologies ^ | Dec 18 2014 | Stephen Bryen

[Ooh-Ah]

If there is one salient fact that emerges from the now infamous Sony hack it is that the bad guys won.  The bad guys won because there they paid no price for the damage inflicted.  In the Sony case the hackers are outside and beyond the law, so their backers and sponsors are encouraged to cause even more damage in future. To stop cyber attacks, particularly those sponsored by foreign governments, we need to respond to attacks now.

Sony is a movie company, a major cog in the entertainment industry.  Whether Sony rises or falls has little or nothing to do with national security.  There are plenty of other entertainment companies that can fill the gap if Sony drops out, something that Sony surely understands.

 

But the sort of intimidation attack suffered by Sony is non trivial, and presages similar attempts that surely will come by hostile actors to intimidate our government.  The Russians have used such attacks against at least three former Soviet Republics (Lithuania, Georgia and Ukraine), electronically hacking telecommunications, banking, government and military organizations. Newspapers have also been attacked by foreign hackers, signalling displeasure over certain stories. The North Koreans have also pummeled South Korea with cyber attacks, destroying hard drives and shutting down banking operations.  One South Korean bank was out of commission for more than two weeks.

 

Despite precautions, cyber attackers can often stay one step ahead of protection mechanisms.  Sony, of course, had little in the way of cyber security protections, making it an easy soft target for hackers.  But even better protected systems can be penetrated. 

 

Liran Tancman CEO of CyActive in Israel, quoted in the Times of Israel, says “Cyber-security is, for the most part, reactive, not proactive. A company will spend hundreds of thousands or millions of dollars to secure themselves against a major malware variant, fighting off a specific attack.”  But hackers can often get around better protected organizations. “All they have to do is insert some changes in their malware code, and they are in the clear. For $150, a cyber-criminal can hire a hacker to do $25 million of damage, and then do it again a few months later, making very minor changes to their malware code.”  (See http://www.timesofisrael.com/devastating-sony-hack-just-a-malware-rehash-say-experts/#ixzz3MHSN0IWV )

 

In the wake of the Sony attack, former Republican Speaker Of the House and presidential candidate Newt Gingrich says that we have lost our first cyber war.  Commenting on Twitter, Gingrich said “it wasn’t the hackers who won, it was the terrorists and almost certainly the North Korean dictatorship, this was an act of war.”

 

Gingrich begs the question: if a serious cyber attack is an act of war, how should America respond?

 

The Pentagon has set up Plan X supposedly to respond to cyber attacks by launching cyber assaults of its own as retaliatory strikes.  But nothing like that has happened. Russian, Chinese, North Korean, Iranian and Syrian hackers –all government backed– continue to operate unabated.  Is there a threshold that remains to be crossed, and when it is will the Pentagon launch a massive retaliatory cyber attack on the perpetrators, namely the governments that sponsor the hacks?  Plan X is a nice idea, but it is a wasted effort unless it is used.

 

Hacking is a cheap crime to commit unless there are costly consequences.

 

It is a bad idea to wait around until a massive cyber attack leads to costly consequences such as paralyzing our government and military, creating a run-away chain reaction cascade at a nuclear power plant, or wrecking our banking system.

 

A prudent policy is to start striking back when we are hit the first time, not the last time.  Only in that way can limits be set and warnings understood.  If the United States answered even one of the Chinese-Russian-Iranian-North Korean-Syrian attacks by a strong meaningful response, the bad guys would get the message.  Then the hackers would lose.

[Attention Surplus Disorder]

What I don’t understand is, relentless attacks from China have been going on for a rock solid decade. I know people with zero-value sites who have experienced hundreds of attacks on some days. Why there is no functional defense against this type of thing baffles me.

[E. Pluribus Unum]

I hope Kim Jong-un dies of gout. Yesterday.

[Billthedrill]

They won this one hands-down. Freedom: defend it or lose it.

[DonaldC]

“I know people with zero-value sites who have experienced hundreds of attacks on some days. Why there is no functional defense against this type of thing baffles me.”

I agree. I’m an IT worker and have my personal lab accessible from the internet and it is amazing how often somebody tries to beat down the virtual door. I’ve noticed quite an uptick in the last month or so. I hope those that manage the nations infrastructure are paying attention.

[Fledermaus]

I’d drop a nuke on them and say “hack this”.

[Excuse_My_Bellicosity]

It says a lot that this Sony hacking is considered a national security issue by the same govt. that didn’t give a crap when Lockheed was hacked and thousands of F-35 engineering drawings were stolen.

[Salgak]

I’ve worked Security Operations Centers (SOCs) for various networks.

Attacks are so numerous that you have to prioritize which ones you are going to fight, and which you ignore.

And it doesn’t help that a LOT of the attacks and footprinting are automated and botnet-based. So take down the attacking IP, and in minutes, it continues where it left off from a very different IP address. . .

[Attention Surplus Disorder]

I simply do not understand why there is no form of dynamic encryption that would utilize a Heddy-Lamar type “frequency-hopping” form of encoding-decoding that would completely foil any means of CRC check from a non-authorized source. Nor do I understand why a static password is a feature of any site that needs top-grade security. By the time your site sitting therem handling thousands of probes with no complaint whatsoever and no attempt to reverse flood such efforts, this is just waiting around for someone to beat down your door.