There has been much talk about whether the cyber espionage attacks should be considered acts of war, and about what can be done to prevent them. Because correct attack attribution in cyberspace is difficult, retaliation is hard to justify, and many experts have pointed to the need for effective attack deterrence, whether or not the attacks have been linked to particular states.
I have yet to read about concrete proposals on ways to do it, so I asked several infosec pros to take a stab at it.
Amichai Shulman, CTO and Co-founder, Imperva
I don’t think that attributing massive cyber espionage campaigns to their source is much more difficult than attributing any commercial espionage (or any kind of espionage) campaign to its source. There are methods involving general analysis of the operations, specific attributes of the stolen information and who’s been using them, and, last but not least, counterintelligence measures (yes, those that involve actual human beings).
Retaliation against espionage has been a dilemma for many years and the fact that governments of targeted countries have chosen NOT to retaliate (e.g. by retrieving their ambassadors, deporting the cultural attaché, etc.) is merely a political choice and not the result of lack of evidence (which I’m quite certain they all have) or lack of retaliation options (I’ve mentioned those earlier).
Much the same way those targeted organizations and industries could have chosen their retaliation in the form of not doing any more business with those who presumably offend them (or at least take alleged infringers to court). However, ALL organizations have chosen NOT to take this action. So basically it’s a game of throwing the hot potato from one party to the other.
As long as they keep coming from state-sponsored actors, there’s nothing but high visibility diplomatic actions that would really prevent them from scaling up. We must remember that espionage has always existed even between friendly nations. To some scale we must be willing to accept it as an inevitable evil (because our nations are probably doing the same).
However, to the scale and extent it is believed to be practiced today by the Chinese, there’s nothing but a blunt diplomatic action (or as I’ve mentioned, a large scale business boycott) that would deter the attack. There are always those who claim that if “we give them some of their own medicine” they’ll back off. However, since the main goal of the activity is industrial espionage, I can’t see western governments handing off massive quantities of stolen information to the hands of their resident corporations. Nations like the US may launch a massive infection and infiltration campaign as a “warning sign” against Chinese corporations but I think that at this point in time it is still very hard to justify this kind of expense and the exposure of capabilities involved in such operations.
Richard Stiennon, Founder and Chief Research Analyst, IT-Harvest
Spying and cyber espionage are not acts of war. Yet, espionage is an important tool for economic development, military preparedness, and political advantage. The best deterrence to cyber espionage is the historical response of diplomatic and ultimately economic reprisal.
If the blame for cyber espionage can be pinned on a particular country there is a range of actions from expelling an ambassador to applying economic sanctions. In the meantime it is in everyone’s best interest to beef up their defenses against targeted attacks.
In general the only deterrence option is to increase the required investment and expense for the attacker. Force them to use more sophisticated attacks and invest more time. Shunt them into a honeypot with lots of false / misleading data. Encrypt all critical data files. Use strong authentication for system access.
Leonid Shtilman, CEO, Viewfinity
Let us distinguish between just “computers” and “critical computers,” i.e. those which are responsible for the infrastructure. For example, preventive measures at Fort Knox are different from the preventive measures for a community savings bank. I want to focus on critical computers since the measures below are probably too expensive to be widely implemented.
In addition to having antivirus, firewall and software that alerts on suspicious behavior of executables, this is the list of measures:
1. You cannot prevent attacks by foreign intruders because you will not be able to associate an IP address with the country. Since you will never know their IP addresses, a blacklist of IP addresses will not work – move to a whitelist firewall.
2. Remove admin rights from 99.9% of users. This can be done. At least one of the U.S.’s largest financial institutions has less than 1% of employees with administrative rights.
3. Impose a whitelist on applications – not only on IPs.
4. It will be difficult if not impossible to work with 2) and 3) above unless you use software that can handle both restrictive rights to system and restrictive rights to applications.
But if we’re talking about deterrence – the use of punishment as a threat to deter people from offending – the only way to do it is to have collective punishments such as disconnecting country A from Google, and some other sources of information.
To implement this without the will of a vendor (e.g. Google) will require legislation. I believe that cutting a country (probably excluding China) from major sources of computer information (Google, Facebook and Wikipedia will be enough) may create public protests and even chaos. Another nightmare is the denial of GPS access for a particular country. This is the reason why Russians are implementing their own positioning system – GLONASS.