=====

This is a short mailing-list thread around the ongoing news foofaraw over how Russia was being blamed for "cyber attacks" against various political sites and/or voting systems. It had gotten pretty ridiculous, with the news media clearly never stopping to wonder how foreign antagonists were able to so freely mess with domestic systems in the first place. The continuous reports of fearmongering finally hit my tolerance limit, and I had to rant into the thread. For the record, I've had working prototypes for the essence of what we need, in place and in continuous development, for over a decade. It has served me quite well. What some may call "balkanization", I call "best practice".

=====

### Sat, Oct 8, 2016, *Hobbit* :

Subject: Re: US blames Russia for hacking political sites

I really can't see any merit to all this flap, when the network community has !proudly! built the equivalent of six-lane superhighways running straight from potentially adversarial locales into the US without any kind of customs or border check, which then exit into a city where none of the stores, banks, or governmental offices have locks on the doors. It is astounding how badly they're missing the big picture.

### Sun, 9 Oct 2016, Dave Dittrich :

Subject: Re: US blames Russia for hacking political sites

While I agree that (from a technical perspective) this seems to be a useless act, and misses the point on the technical solution required, let me try to provide another perspective that may make a little more sense.

Yes, the first thing to do is "protect", "detect" (and even "react") to get the information and information systems back into an assured state. In that context, these are technical forms of something we in this industry call "counter-measures" to breach. I share your (and PGN's) frustration that there are so many breaches for what (to us) seem to be stupid choices in design or implementation.
There is a completely different definition of "countermeasures" under the international law context, however, that many (most?) technologists do not know. I had a paper rejected from CyCon a couple of years ago, partly because I and my co-author used the word "countermeasures" in a vague way (with the meaning above) and got slammed for it *not* meeting the definition that the reviewers (many of whom were international humanitarian and "law of war" lawyers) had in their minds.

Before a sovereign government can impose sanctions, embargoes, tariffs, or other acts designed to change the behavior of another sovereign government who is believed to be acting in a manner that is hostile or aggressive to other sovereigns, the accusing sovereign must make it publicly known to the hostile government that it should knock it the F* off ASAP. Those are what "countermeasures" are under international law, and under those laws, you are supposed to do these first.

Listen to this portion of Jay Healy's BlackHat talk:

https://youtu.be/90kxsEOSZQ8?t=32m51s

Or this talk by John Carlin at CSIS:

https://www.csis.org/events/detect-disrupt-deter-whole-government-approach-national-security-cyber-threats

Given that we are not only discussing technical flaws that allow systems to be breached, but also the criminal behavior of actors across international borders, we have to include the international legal context in both discussions and actions.

To throw in a gratuitous self-reference on the topic:

https://threatpost.com/misuse-of-language-cyber-when-war-is-not-a-war-and-a-weapon-is-not-a-weapon/119740/

Does that make sense?

Dave

### Thu, 13 Oct 2016, *Hobbit* :

Late-ish followup, was offline for a bit.. rant-warning, too:

I finally got all the way through the Carlin "Detect, Disrupt, Deter" paper.
There are several sections that seem to support some of my own philosophy on this stuff, in the vein of potentially applying a broader brush where it seems needed until a given set of problems gets mitigated, but at least apply *something* instead of just letting crap continue unabated. While this *is* desperately needed at global scale, regardless of anyone's objections, the general model under which I operate my own facilities could easily serve as a useful template here and there.

I found this around the middle of the text:

> ... the end goal is the disruption of the threat and protecting the safety of the public, regardless of the particular legal tool employed. That may mean sharing intelligence with a foreign partner to take action (including but not limited to local prosecution), preventing travel, freezing or seizing assets, warning the public, applying diplomatic pressure, imposing UN and domestic sanctions, supporting designations of groups as terrorist organizations, deploying intelligence operations, or executing military action. Criminal law and its enforcement may not always be central to, or even a component of, using those tools.

Sanctions could easily include denying certain connectivity paths, preceded by warning that not doing so is contingent on an ascertained source of a problem taking proactive measures to make it stop. An *informed* decision taking into account all the side-effect repercussions for both sides, with possible special-case accommodations. Not a simple Mexican wall, but the effect of one if demanded tangible mitigation doesn't happen within a given timeframe.

We have FAILED to take this sort of approach for far too long, and the obvious bad precedent is already in place:

> An understanding might develop that such behavior is, at least tacitly, acceptable. And if later we ever tried to challenge it, precedent would be against us.
> We would have granted our adversaries an easement of sorts -- not over our territory, but over our intellectual and economic capital. Bringing public charges is akin to installing a giant "no trespass sign" on our front yard: Get off our lawn. International law is a law of custom, and our response in such a regime is critically important.

Sorry, guys, they've been littering our lawn for over a decade. Custom or not, if back in ~ 2001 or so the collective "we" had told the offshore entities who were openly barraging the US with phishing spam to knock it the hell off within 30 days or we'd simply disable their shiny new links and de-route all of their allocations until they shaped up, the *correct* precedent would have been set. Back then miscreants were not laundering their inbound paths nearly as much, and there weren't the thousands of VPS providers who now hand out international conduit to any yutz with a credit card.

As I sat there watching the junk bounce off the various front ends under my control at the time, I really wondered why we weren't doing anything about this as a nation with all of the necessary cooperation needed from the private sector. The propensity of the US private sector to keep playing the hands-off "common carrier" card just royally pissed me off, because the big red switch was in THEIR hands. Their answer? "Don't regulate us, it stifles advancement", while all the duly diligent folks sending in abuse reports were rewarded with crickets.

We could have collectively said "no" and made it stick, and we completely failed. Now look at us. And those links carrying the C&C are still up.

_H*

=====

A little later, there was a somewhat-related thread after another breathless article emerged along similar lines. I once again proposed an isolationist approach to the problem, however temporary.
=====

### Wed, 26 Oct 2016, *Hobbit* :

Subject: Re: Media vulnerable to Election Night cyber attack

So here's what is undoubtedly a rhetorical, but serious question. Likely far too late to arrange for by now, and would meet vigorous resistance from those who go out of their way to avoid such responsibility. But really, if the major concern is realtime meddling with the vote and tally systems, what if the entire US network infrastructure was simply turned into a walled garden for the duration of that day? As in, an EO requiring all the major transit carriers to *down* any foreign links under their control for 24 or more hours, with substantial penalties and sanctions for failure/refusal.

Given what we appear to see most often in terms of ultimate control traffic origins, it seems like that would neuter the vast majority of adversarial paths, and make any remaining detected activity far easier to track and eliminate during the blackout. Something thorough enough that the internet couldn't "route around" the problem in any usable fashion. Even previously compromised systems would be able to function more or less normally if they're not being subjected to active interference. The rest of the world could certainly wait a day to catch up on the demise of democracy.

Say what you want about the McCarthy-esque leanings I apply to my view of the internet, but I do know beyond any doubt that IT WORKS for my email filtering and is not particularly onerous to manage. Apply the same simple logic in a wider way, and the connection-laundering routes through compromised points and the sketchy VPS providers don't work either. The border temporarily gets sealed, the needed processes happen under far more controllable conditions, we get our firm results, and then we open up again for inspection. We wouldn't accept anything less than absolute environmental control during, say, a liver transplant; we should insist on the same for the lobotomy we're about to receive.
_H*

### Thu Oct 27 2016, Kenneth Pfeil :

Subject: Re: Media vulnerable to Election Night cyber attack

Interesting food for thought. Serious damper on global logistical and economic systems, transportation, for starters. Maybe if they used PRISM for filtering known hostile traffic and address ranges instead of government entertainment and extortion it may be possible to some extent. Thinking out loud...

### Thu, 27 Oct 2016, *Hobbit* :

Subject: Re: Media vulnerable to Election Night cyber attack

It might also be a good exercise for *everyone*, dealing with "what if the internet went kaflooey someday". Total dependency on such a fragile thing makes all of us weak.

_H*