When I first read this article by Duncan B. Hollis and David G. Post, I snickered... ok, so I laughed heavily. This is one of those pieces that displays the true disconnect between the legal and technological arms of the industry. I applaud their efforts in writing it, but from both a technical and an administrative perspective much further thought and guidance would be needed if something like this were to be implemented.
Do Cyber-Attacks Require a 'Duty to Assist'?
Let me begin by saying that you cannot use standard military operational tactics to address attacks with targeted counter-attacks. Unlike the "real world," where we can deploy a small ground group to neutralize a hostile target, the same cannot be done on the internet. Relaying and pivoting through numerous hosts is a common tactic, and to simply say we'll just neutralize all the intermediary points till we find the true source would be akin to deploying a FORECON DAP to terminate the dwellers of every residence where a hostile long range marksman temporarily resided until they determine his final location.
While this would be an amusing approach, at least for me, to deal with internet based threat sources in this manner of surgical disarmament, it is by no means realistic.
To begin to develop/create this type of international response, it must first be realized that it would imply that a simple portscan from a hostile national would be considered an act of war. Are we seriously considering escalating to this type of required international response? I highly doubt it. And at what point does an internet based counter-attack in response to an SOS turn into the release of ground troops? Escalation always occurs; it's a matter of course. If people can't fix something one way... a group of men/women with heavy arms can easily resolve the issue.
Citing international law on SOS transmissions and then comparing those to internet based "attacks" only shows a severe lack of technical understanding or comprehension of what various groups/nations/governments consider to be attacks. There is not, at this time, a definitive internationally accepted standard of what is or is not considered to be an attack. Nor are there internationally accepted standards on intrusion analysis, incident response or threat-based counter-attacks. As many of you are aware, every commercial and governmental agency in this country has its own definitive guide on what it considers to be an attack, as well as its own custom response guidelines and procedures for addressing those. And then there is the slew of others that have absolutely no response guidelines or procedures.
We as a country alone are still very fragmented in trying to address the internet based threats/risks within our own borders, our own governments and our own companies. I do not believe this type of view should even be considered or entertained at this time. Hell, we can't even stop people from taking laptops out of sensitive facilities, transporting classified information, and leaving them in their vehicles, only for those laptops to be stolen while they "just left it alone for a second".
Here are some of the reasons I believe this type of dream is not realistic...
-There is a continued lack of proper training throughout the information security industry.
-A great percentage of the certifications and degrees do not create professionals; they simply create bookworms with pretty letters behind their names.
-There is a continued lack of policy, procedure and documentation of our infrastructures.
-I would be willing to wager that greater than 80% of the public facing firewalls deployed would not stop a motivated/funded attacker.
-Intrusion detection/prevention systems are typically misconfigured and perform no relevant function other than making pretty graphs.
-A large percentage of attacks go unnoticed; see my first sentence.
-There is a lack of executive understanding of the threats; as such, funding to correct some of these issues is mistakenly diverted to other areas that actually generate revenue.
-Managed Security Service Providers (MSSPs) for the most part do not effectively provide the needed services to their customers, due to budgetary constraints on providing services to far too numerous customers.
-MSSPs typically go for the cheapest possible alternative to retain the bottom line; this includes both personnel and hardware/software (they do, however, have cool tools that make pretty pictures).
-The previous two points also apply to many local/state/federal governments that retain their own internal security groups.
-We rely too much on anti-virus to save us. Anti-virus is simply a stop-gap technology with a proven track record of not being overly useful.
-Automated systems save us money, but they are just that: automated. A perl script parsing a log file is not a human with 20 years of experience.
How does all this apply to the original authors' article?
Unless there are standardized methods and procedures, there will be far too much fragmentation internationally for any type of globally accepted response to internet based attacks. Until there are globally accepted standards that address the issues listed above, and those are only a few of the issues needing to be addressed, there could never be this type of response.
At least in the opinion of this security guy =)