Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Schneier Recommends Nuclear-Style Cyberwar Hotlines, Treaties

Soulskill posted more than 3 years ago | from the mr-president-tear-down-that-firewall dept.

Government 123

strawberryshakes writes "Cyberwar is the new nuclear war. Bruce Schneier says governments should establish hotlines and treaties outlining the protocol surrounding cyberwar, just as they would for any other war. He wrote in the Financial Times (paywalled, but available through Google), 'A first step would be a hotline between the world’s cyber commands, modelled after similar hotlines among nuclear commands. This would at least allow governments to talk to each other, rather than guess where an attack came from. More difficult, but more important, are new cyberwar treaties. These could stipulate a no first use policy, outlaw unaimed weapons, or mandate weapons that self-destruct at the end of hostilities. The Geneva Conventions need to be updated too. Cyber weapons beg to be used, so limits on stockpiles, and restrictions on tactics, are a logical end point. International banking, for instance, could be declared off-limits. Whatever the specifics, such agreements are badly needed.'"

Sorry! There are no comments related to the filter you selected.

posty frist (-1)

Anonymous Coward | more than 3 years ago | (#34436708)

lolol

Dear Bruce (0)

Anonymous Coward | more than 3 years ago | (#34439298)

I'd like to point out that nuclear war is much worse then cyber war. Ask the people of Japan if you'd like an opinion. In fact, some might say to draw such an analogy is godwin like.

YES !! NUEKE NK AND IR THE DAY BEFORE TOMORROW !! (-1)

Anonymous Coward | more than 3 years ago | (#34436722)

So, like today?

Oh boo hoo... (2, Insightful)

moosehooey (953907) | more than 3 years ago | (#34436728)

So what if the Chinese DDoS the internet for a while? OMG, twitter might go down!!~!eleventy!

I think the ISP's will be much more effective in fixing any problems, possibly by blocking all traffic from the offending country, if it comes down to that.

Re:Oh boo hoo... (1)

0racle (667029) | more than 3 years ago | (#34436974)

How would you prove it was the Chinese government? Unlike nuclear war, you don't have to be a government to carry out a 'cyber attack.'

Re:Oh boo hoo... (1)

Peach Rings (1782482) | more than 3 years ago | (#34437054)

And this is an incentive for the Chinese to implement such a hotline how?

Re:Oh boo hoo... (0)

Anonymous Coward | more than 3 years ago | (#34437284)

How would you prove it was the Chinese government? Unlike nuclear war, you don't have to be a government to carry out a 'cyber attack.'

"Made in China" written on every packet, duh.

Re:Oh boo hoo... (0)

Chapter80 (926879) | more than 3 years ago | (#34437006)

So what if the Chinese DDoS the internet for a while? OMG, twitter might go down!!~!eleventy!

Since most bank-to-fed and fed-to-bank transactions are via electronic networks, and much of the telephone communications go over electronic networks, and a huge segment of our economy is conducted via the internet, and email between customers and vendors is very common, I think the impact would be bigger than just twitter going down.

But Schneier (as much as anyone) should recognize that politicians are reactionary. This will get attention after the first cyber-attack.

Re:Oh boo hoo... (3, Interesting)

plover (150551) | more than 3 years ago | (#34437482)

I think the ISP's will be much more effective in fixing any problems, possibly by blocking all traffic from the offending country, if it comes down to that.

This is "cyberwar" (their word, not mine) we're talking about. General Hayden, the former Director of the NSA, spoke at Blackhat on the topic this summer. He said that the Internet today resembles a vast indefensible plain, and that an enemy attack can come from anywhere. He thought (hoped?) a kind of "geography" would eventually evolve on the internet, allowing for tactical maneuvering, permitting the kind of strategies warriors like to fight and defend from. You're alluding to a similar type of thinking, where if the attack comes from China, you pull the cable on the back of your router marked "From China".

It's that kind of thinking that's unfortunately going to fail at cyberwar.

If I'm attacking your country's systems, I'm not coming from China. I'm hopping hacked servers and networks from China to Estonia to Russia to France to London to New York. If it's a DDoS attack, I'm not commanding a million Chinese PCs to send you SYN packets, I'm sending one instruction to a command and control network to tell an army of zombies across the country and globe to send you SYN packets. Or I'm activating the hostile commands buried in my counterfeit Cisco routers spread across your country by cheapo eBay resellers.

The best defense against info-warfare is to have a good alternate strategy. Twitter may not need backups, but Wall Street does. Industrial plants and the electrical grid need air gaps (and obviously a lot more protection than they have today.) The armed services need an isolated network. So does the intelligence community. The first, second, and third jobs of cybercommand should be creation of these defense plans.

Re:Oh boo hoo... (1)

HTH NE1 (675604) | more than 3 years ago | (#34437918)

General Hayden, the former Director of the NSA, spoke at Blackhat on the topic this summer. He said that the Internet today resembles a vast indefensible plain, and that an enemy attack can come from anywhere. He thought (hoped?) a kind of "geography" would eventually evolve on the internet, allowing for tactical maneuvering, permitting the kind of strategies warriors like to fight and defend from.

Basically the Princes and Tribesmen want the Dwellers to plant a Forest in which they can fight their battles. It's only reasonable [aikiweb.com] .

1st - that doesn't sound like Schneier. (1)

khasim (1285) | more than 3 years ago | (#34438512)

He's usually a LOT more intelligent than that.

2nd - be proactive. Pass a law that requires that each ISP check the packets on their network and do NOT forward any packets that do not match the addresses they control. There, spoofing is pretty much dead.

3rd - whitelists, not blacklists. Know who you absolutely must have an Internet connection to and why. If someone is flooding your network, block everyone else. (yeah, this won't work for Amazon or eBay)

4th - it's the GOVERNMENT. Use your purchasing power to demand real improvements in security.

Stockpiles?...of cyber weapons? (4, Funny)

Last_Available_Usern (756093) | more than 3 years ago | (#34436732)

What exactly is a stockpile of cyber weapons? A room full of nerds and a case of Mountain Dew?

I would recommend one case *per nerd* (1)

moosehooey (953907) | more than 3 years ago | (#34436762)

If this is going to go on for a few days, they'd better stock up on the Dew!

Re:Stockpiles?...of cyber weapons? (-1)

Anonymous Coward | more than 3 years ago | (#34436806)

i haz 50,000 copies of Trojan.Verprud and will destroy 40,000 if you do the same ;)

Re:Stockpiles?...of cyber weapons? (4, Insightful)

Sarten-X (1102295) | more than 3 years ago | (#34436832)

Probably something along the lines of a number of botnets, zombies, secret 0-days vulnerabilities, etc.

It's pretty easy to picture governments building up large botnets of their own machines, ready to tear down any site they want. Limits on that would be good, I think.

Re:Stockpiles?...of cyber weapons? (1)

morgan_greywolf (835522) | more than 3 years ago | (#34437982)

Right, but that's still silly.

What's a botnet? What's a zombie? A botnet is, typically, a bunch of zombies. A zombie is simply a machine that can be remotely controlled using a some piece of software that's installed on it, which is typically injected by a Trojan horse, drive-by-download, e-mail virus, whatever.

Now if the government says "we'll take down 300,000 of our 1 million botnet nodes," how are you going to know they did it? How do you know they have a million botnet nodes? With nuclear missiles, it's pretty easy: spy satellites and reconnaissance aircraft can are used by world governments to detect nuclear weapons. But with botnets, it's not so easy. You basically have to take their word for it. The moment you have to the government's word for anything, you're hosed.

Re:Stockpiles?...of cyber weapons? (0)

Anonymous Coward | more than 3 years ago | (#34438834)

Like wikileaks, for example?

Re:Stockpiles?...of cyber weapons? (2)

KublaiKhan (522918) | more than 3 years ago | (#34436864)

That was my question.

Would the stockpile be counted MAFIAA-style, with each copy, download, and upload counting as a 'unit'?

Or would the stockpile be counted in lines of code? Perhaps in terms of algorithms used? Type of weapon?

Given the rate of development that "cyberweapons" undergo, I think that 'stockpiling' would, in reality, mostly refer to the archive room with a bunch of obselete software cluttering up DVDs.

Re:Stockpiles?...of cyber weapons? (1)

HTH NE1 (675604) | more than 3 years ago | (#34437038)

Limits on stockpiling that which can be infinitely replicated, would that not be DRMs on war?

Re:Stockpiles?...of cyber weapons? (1)

KublaiKhan (522918) | more than 3 years ago | (#34437116)

Oh, now wouldn't that be hilarious.

"I'm sorry, Sir, I can't launch the weapons. The licensing server's gone down again."

Re:Stockpiles?...of cyber weapons? (0)

Anonymous Coward | more than 3 years ago | (#34437866)

Software can be infinitely replicated, but the hardware it needs to run can't... although, to be fair, it would be much easier to replicate large amounts of computer hardware than something like nuclear weapons.

I solved the puzzle! (1)

Suki I (1546431) | more than 3 years ago | (#34437080)

The stockpiles are electrons to be limited by credits Countries with lots of electrons have to share them with countries that have fewer electrons.

Substitute smoke for electrons if that makes it more understandable and gives a better visual for the hotline idea.

Someone forgot to make a rule, that everybody will follow of course, not to mess with the IP phones used for the hotline. Can't mess with the networks they run on either!

Re:Stockpiles?...of cyber weapons? (1)

Zeek40 (1017978) | more than 3 years ago | (#34437112)

A stack of 5 1/4" floppies. Those things were the perfect combination of a Frisbee and a ninja throwing star.

Re:Stockpiles?...of cyber weapons? (1)

Xugumad (39311) | more than 3 years ago | (#34437168)

Presumable a variety of different cracking tools, worms, and related pieces of software. As much as the film/TV idea of people frantically tapping on keyboards during an attack is exciting, in reality it's normally about semi-automated systems attacking automated systems. A "cyberattack" from a government is most likely to involve pulling something suitable out of storage, giving it target details and clicking "Go", rather than trying to code something from scratch on demand.

Re:Stockpiles?...of floppy disks.. (1)

TiggertheMad (556308) | more than 3 years ago | (#34437384)

I find it interesting that Bruce, who is a pretty savvy guy, would suggest treaties for 'cyber warfare' that are analogous to those employed in conventional warfare. The problem is, as illustrated by the snarky remarks in this thread, is that the internet is so unlike anything else that such treaties would be pointless.

How are you going to verify that someone else is complying? Its one thing to be able to count missile silos or uranium mining operations, but how do you make sure that someone isn't researching methods for retasking criminal botnets for military purposes or preping viruses for targeted release? His suggestions are comically out of touch...

Re:Stockpiles?...of floppy disks.. (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34437892)

Or maybe Bruce is thinking ahead at what the Internet might be like a few years down the road.

If the governments had as much control over the internet as they wanted to, these treaties might be made under the assumption that each country keeps its house in order. Much like if a bunch of Canadians took up arms and started marching on American the Canadian Government would be in hot water trying to explain that one.

Same thing here - if you can't keep your own hackers and crackers in line than you pay the consequences. It would be entirely possible to expect that kind of control over their own segregrated parts of the internet. They keep bringing up this idea of an "Internet Killswitch" in the states. That could be used to stop both incomming and outgoing attacks.

Oh, please. (1)

Anonymous Coward | more than 3 years ago | (#34436750)

Cyberwar is the new nuclear war.

Gimme a break. When I see a hacker kill off 100,000 people, then I'll take that statement seriously.

Jesus Christ, hyperbole is becoming the norm these days.

Re:Oh, please. (1)

Altus (1034) | more than 3 years ago | (#34436936)

hyperbole is the new understatement!

Re:Oh, please. (3, Interesting)

memyselfandeye (1849868) | more than 3 years ago | (#34437344)

Gimme a break. When I see a hacker kill off 100,000 people, then I'll take that statement seriously.

Jesus Christ, hyperbole is becoming the norm these days.

QFT! Last time I checked a DDOS isn't capable of evaporating several hundred square miles like an ICBM with 6x600kT warheads. I think our leaders and 'thinkers' need to play around with a google maps mashup here [carloslabs.com] , and see some friggin' clarity!

Hotlines are useless without a web of trust (1)

Dr. Evil (3501) | more than 3 years ago | (#34436758)

How else could you trust the caller? Phones are just another form of IT.

Re:Hotlines are useless without a web of trust (1)

KublaiKhan (522918) | more than 3 years ago | (#34436888)

A worldwide certification system would be useful for many things besides cyberwarfare.

And, o'course, if universal encryption (and thus resistance to governmental or corporate eavesdropping) became practical as a result...

Re:Hotlines are useless without a web of trust (1)

Suki I (1546431) | more than 3 years ago | (#34437130)

I like the idea that the IP phone will keep working during the attack.

Re:Hotlines are useless without a web of trust (1)

maxume (22995) | more than 3 years ago | (#34437854)

A charitable definition of hotline includes some assurance as to the party it is connecting you to.

Whew. (1)

pclminion (145572) | more than 3 years ago | (#34436760)

My first reading of the headline was "Schneier recommends nuclear war." Would have been a more interesting article...

Wow (-1)

Anonymous Coward | more than 3 years ago | (#34436772)

This is really dumb

Re:Wow (-1, Flamebait)

MyLongNickName (822545) | more than 3 years ago | (#34436954)

Self-referential comment FTW!

Or (3, Insightful)

0123456 (636235) | more than 3 years ago | (#34436790)

We could just ban the use of Windows in critical IT infrastructure.

Re:Or (1)

KublaiKhan (522918) | more than 3 years ago | (#34436920)

That would just move the problem.

No OS is secure. There is -always- a way in, even if it's just social-engineering the guy with the passwords.

Moving to a non-Windows OS without addressing everything else at the same time would, in the end, have no real effect. ...besides, who uses windows on a router, anyway?

Re:Or (0)

Anonymous Coward | more than 3 years ago | (#34437246)

LMGTFY
http://www.home-network-help.com/ip-forwarding.html

Re:Or (2)

mangu (126918) | more than 3 years ago | (#34438060)

No OS is secure. There is -always- a way in, even if it's just social-engineering the guy with the passwords.

True. But I'd bet that the lock in the safe in my bank is more secure than the lock in my suitcase.

To say "No OS is secure" is very different than saying all OSes are equally insecure.

Re:Or (2)

KublaiKhan (522918) | more than 3 years ago | (#34438536)

True enough--but the point is that the sole action of switching OSs will not cause any real gains in security.

Gains in security can only be made with an organizational dedication to security from the top down--everyone involved must be made to realize the risks involved, and mitigations of these risks must be performed (and checked) at every level.

So if you switch over to Linux, great, good job. But if your secretary still opens every funny email that shows up, sooner or later you're going to get hit.

Re:Or (1)

Lord Ender (156273) | more than 3 years ago | (#34438466)

You seem to be a bit out-of-date in your thinking. Most of the bugs today are in the applications, on the platforms. SQL injection doesn't care about the operating system.

Lecture from the school of hard knocks (1)

trghpy (259589) | more than 3 years ago | (#34436810)

I have the feeling this will end up being better in theory than implementation.

bad analogy ! (4, Insightful)

JonySuede (1908576) | more than 3 years ago | (#34436824)

Cyberwar is the new nuclear war.

No it's not. it used to be that nuclear weapons were out of reach for a private entity. It is not the case with cyberweapons. How do you regulate the action of the mafia or the triads ? How do you apply a treaty onto an individual ? Treaty and regulation works for limited availability weapon but for something as easy to produce, I dont see how it could work.

Re:bad analogy ! (1)

Chapter80 (926879) | more than 3 years ago | (#34437044)

Cyberwar is the new nuclear war.

No it's not. it used to be that nuclear weapons were out of reach for a private entity. It is not the case with cyberweapons. How do you regulate the action of the mafia or the triads ? How do you apply a treaty onto an individual ? Treaty and regulation works for limited availability weapon but for something as easy to produce, I dont see how it could work.

If the world powers join to "pinch off" the threat, and the treaties and hotlines are in place to address that, then it has a chance of working.

Re:bad analogy ! (1)

plover (150551) | more than 3 years ago | (#34437652)

If the world powers join to "pinch off" the threat, and the treaties and hotlines are in place to address that, then it has a chance of working.

So the US, China and Russia all agree to not hack electrical power plants? BFD. Who's going to convince Iran, Iraq, North Korea, Israel, Nigeria, Chechnya, Lichtenstein and Morocco to not make secret plans? Who's going to convince the various organized criminal entities? Who's going to stop J. Random Hacker, who can download and modify a copy of Stuxnet from the comfort of his mother's basement?

Think about it: the best (most experienced) people to ask for advice on how to be effective at stopping hackers would be the RIAA. And if that image doesn't convince you how useless attempting it is, you're deliberately not paying attention.

Re:bad analogy ! (1)

maxume (22995) | more than 3 years ago | (#34437950)

The proposition in your second paragraph is insane.

I'm pretty sure that the group of serious hacker stoppers excludes purveyors of DRM simply by definition.

Re:bad analogy ! (1)

plover (150551) | more than 3 years ago | (#34438162)

It was intended to be laughable, but insane works for me, too. But the point is valid. Trying to defend stuff with DRM from determined hackers is similar in many ways to trying to defend anything else that can be found in the hands of determined hackers -- useless.

Re:bad analogy ! (0)

Anonymous Coward | more than 3 years ago | (#34438350)

I love the level of self delusion Slashdot seems to perpetuate. Stuxnet was a military developed piece of code (obviously) which drew on nuclear, chemical, exploit-coder, and software engineering brains to create. It was a clear example of what the world powers who oppose Iran are capable of. They understood the ASM that was being delivered to the controllers of SPECIFIC IRANIAN airgapped devices. The agency responsible was able to exfiltrate enough information regarding those devices that they could create a highly sophisticated operational "glitch" that would severly damage Layer 1 devices. That's worlds beyond someone knowing you have X phone with X version of firmware on your desk and not only hiding their presence but causing the device to melt itself to slag moments before you made an important call.

They had to know the specific opcode they were manipulating, the specific device type they were manipulating, the rotation cycle for seperating uranium isotopes int that rotation cycle etc etc. This was not some hackneyed piracy prevention tactic. Why do you think the private sector has a huge gap when it comes to InfoSec, the gov't can pay more or just tell you that you have to work for them.

Re:bad analogy ! (1)

Xugumad (39311) | more than 3 years ago | (#34437226)

Essentially, in agreeing a line that will not be crossed, with well reasoned arguments for not doing so, anyone crossing that line makes an enemy of a lot of people at once. It might be harder to regulate worm/cracking tool development, but that doesn't mean there's nothing that can be done.

Re:bad analogy ! (1)

Smidge207 (1278042) | more than 3 years ago | (#34437252)

I dont [sic] see how it could work.

I do. Please read this before judging: I was walking in town, it was around 10 pm, I was heading to a deli because I was dying of thirst, it was summer and it was very humid out for that time of night, and as I approached the deli, saw a friend sitting on one of the outside tables with a big ole brimmed hat on, the type they wore a long time ago--or still do in some places--to keep the sun out, around the brim was a wide red ribbon, it was the type of hat this friend wore a lot.

As I approached her, she got up and went into the deli, I entered the deli and asked where the person was that just entered thinking maybe she ran to the rest room or something. I was told no one had entered the deli for the past 15 min and I was the first person they say. I told them, no, there was a woman who had a big brimmed hat on that just entered the deli, they looked at me as if I had two heads. Rob Malda sucks cock. I bought the soda and guzzled it. I was so thirsty. I shrugged it off thinking they were playing a joke on me.

The next day, not thinking of anything I opened the paper and saw an obituary for my friend, she had attempted to take her life a month before and was lying in a coma from an overdose of pills. Rob Malda is a fag-got. He mother released her spirit by cutting off life support.

Re:bad analogy ! (1)

Monkeedude1212 (1560403) | more than 3 years ago | (#34437310)

Cyberwar is the new nuclear war.

No it's not. it used to be that nuclear weapons were out of reach for a private entity.

That posed an interesting Google search for me, probably put me at the top of the US Watchlist. "Is it illegal to Own Nuclear Weapons?"

Which hasn't given me anything like what I'm looking for. Its more like everyone asking if Iran has nuclear weapons, new policies set forth by treaties and such... Nothing about a regular joe citizen owning a nuclear warhead, something I'm now curious about.

So I go next down the list, its gotta be like other weapons of the same classification. I google "Is it illegal to own a bomb?"

Oddly enough the fourth result is the Wikipedia entry for 4chan.

So - does anyone know the policy on that? I mean, it looks like it varies on state to state what kind of weaponry you're allowed to be packing. There are laws against illicit manufacturing of firearms and explosives, but like, there must be a legal way to manufacture guns, someone does it for the US army - so maybe there's a legal way to manufacture bombs. In that case would you be restricted to who you could sell it to? Is there some kind of registration program?

Too many questions. Point is, in America, you can own a gun. Most laws involving guns include ammunition and explosives. So, in theory, you should be able to own explosives as well, and by that logic, you should be able to own nuclear warheads.

Re:bad analogy ! (1)

memyselfandeye (1849868) | more than 3 years ago | (#34437992)

It is illegal and regulated by BATF to own unlicensed explosives, such as c4. It is, however, legal to own materials that do not explode but defligrate, such as black powder, so I suppose you could own a 'dirty' bomb that burns instead of exploding. But I know you are also not allowed to own unlicensed radioactive sources over a certain, minuscule, vasltly smaller than the critical mass of uranium or plutonium isotopes.

So without any citation of specific laws that reads "no person shall be allowed to own a nuclear weapon of mass destruction," you still can't own them since you can not own the materials that compose them. And I'm fairly sure a person can't own a weapon of mass destruction period.

Minerals? (1)

mangu (126918) | more than 3 years ago | (#34438192)

I know you are also not allowed to own unlicensed radioactive sources over a certain, minuscule, vastly smaller than the critical mass of uranium or plutonium isotopes.

What about materials in the ground? Building materials?

I know this is nitpicking, but there is uranium in many rocks. If you own a big quarry, there could be a lot of uranium, certainly above the limit you are theoretically allowed to own, in those rocks.

Or what about real estate? In some places there's no distinction between soil and underground for ownership purposes. If you own a tract of land you own all that's between the surface and the center of the earth. There's certainly enough uranium to build a bomb in that 6378 km tall inverted pyramid of rock.

Re:bad analogy ! (1)

maxume (22995) | more than 3 years ago | (#34438004)

There are restrictions on the possession of radioactive materials.

Re:bad analogy ! (1)

theverylastperson (1208224) | more than 3 years ago | (#34438770)

I'm pretty sure if you owned a nuclear bomb you'd be able to negotiate to keep it.

Re:bad analogy ! (3, Insightful)

N0Man74 (1620447) | more than 3 years ago | (#34437558)

Exactly. Such an idea is rather worthless.

Threats to networks could come from governments, but they can also come from extremists, corporations, hobbyists, or a legion of meme-spewing 4-channers.

The targets can be just as varied. They might target corporate networks, government networks, utility infrastructures, or a website that happens to of highly political interest.

Even if governments agree to such treaties, how do we know that they won't operate secretly anyway, and just blame cyber criminals or rogue groups if they do launch an attack? It's not like data packets in cyber attacks carry flags.

Re:bad analogy ! (0)

Anonymous Coward | more than 3 years ago | (#34438198)

what about the olympic games? during the world hacking competition, all global players agree to stay out of foreign entities.

Re:bad analogy ! (1)

fahlesr1 (1910982) | more than 3 years ago | (#34438218)

How do you regulate the action of the mafia or the triads ? How do you apply a treaty onto an individual ?

Perhaps a clause guaranteeing the extradition of a private entity who engages in an activity that falls under whatever the parties to the treaty define as "cyber-warfare" would solve that problem. Perhaps not. Its definitely something that nations should be discussing.

Re:bad analogy ! (1)

blair1q (305137) | more than 3 years ago | (#34438654)

No, it's not, but you missed the obvious reasons:

A cyber-attack won't kill hundreds of thousands of people in a flash of light, then kill millions more from cancers and other after-effects of the blast and fallout.

It won't obliterate acres of infrastructure and render the area uninhabitable for decades or centuries.

It won't scare the shit out of an entire range of humanity from the simplest of folk to the most-informed on the subject.

Frankly, anyone who compares cyber-war to nuclear war is blowing smoke up the public's ass in order to get a panicky public to over-fund every cockamamie idea proposed to combat or prevent it.

Cyber weapons = Nuclear weapons (2, Interesting)

Fibe-Piper (1879824) | more than 3 years ago | (#34436848)

Look at the stuxnet attack on Iran last month. If that country had a more developed nuke program a hostile neighbor (country X) could have had the opportunity to co-opt their systems and launch against Israel. Israel would immediately engage in a retaliatory strike and country X would be the winner (assuming they are anti Iran and at least neutral in their relations with Israel).

Country X in this case just became a nuclear power without ever facing embargoes, or hostility from the US.

Re:Cyber weapons = Nuclear weapons (1)

deapbluesea (1842210) | more than 3 years ago | (#34437074)

Look at the stuxnet attack on Iran last month. If that country had a more developed nuke program a hostile neighbor (country X) could have had the opportunity to co-opt their systems and launch against Israel.

And fingers=bullets by the same logic. A cyber attack is not a nuclear attack, and a cyber attack that results in nuclear weapons exchange is still not a nuclear attack. An exchange of nuclear weapons is a nuclear attack. There have been fears of falsely attributed nuclear weapons launches since Russia's first nuclear test. The fact that spies could have (possibly) done the same thing doesn't make spying nuclear warfare. Neither is cyber warfare=nuclear warfare.

Re:Cyber weapons = Nuclear weapons (1)

Fibe-Piper (1879824) | more than 3 years ago | (#34437190)

Splitting hairs = splitting the atom?

Oh. My. God. (0)

Anonymous Coward | more than 3 years ago | (#34437158)

Look at the stuxnet attack on Iran last month. If that country had a more developed nuke program a hostile neighbor (country X) could have had the opportunity to co-opt their systems and launch against Israel. Israel would immediately engage in a retaliatory strike and country X would be the winner (assuming they are anti Iran and at least neutral in their relations with Israel).

Country X in this case just became a nuclear power without ever facing embargoes, or hostility from the US.

What?!? Complete nonsense. That was thought of back in the 50s.

The Stuxnet went after control systems in nuclear power plants. The only thing that happened was they couldn't run - BFD.

Nuclear weapons have human controls - nothing gets launched without a human being turning keys and pressing buttons.

Geeze!

Re:Oh. My. God. (1)

plover (150551) | more than 3 years ago | (#34438030)

The Stuxnet went after control systems in nuclear power plants. The only thing that happened was they couldn't run - BFD.

No, that's not the only thing that happened. Stuxnet physically damaged a number of centrifuges, it prevented them from successfully enriching uranium, and its second payload appears to have been designed to cause their nuclear reactor's steam turbine to destroy itself, which would have delayed their ability to create a nuclear bomb for years.

Nuclear weapons have human controls - nothing gets launched without a human being turning keys and pressing buttons.

Sure, we're told that American nuclear weapons have human controls. But do we really know that Pakistan's missile triggers aren't connected to a computer network? That the Pakistani president doesn't have an iNuke app on his phone, with a single big red button labeled "Mumbai" glowing in the middle of the screen? Or that North Korea's weapons are air-gapped, and not just hooked to a 300 baud modem in some back room?

Re:Cyber weapons = Nuclear weapons (0)

Anonymous Coward | more than 3 years ago | (#34437568)

'Israel would immediately engage in a retaliatory strike and country X would be the winner'.

Damn you, for publishing my plan.

Sheik X.

omg it's the cyercaust! (1)

hypergreatthing (254983) | more than 3 years ago | (#34436862)

Quick! pick up the red emergency phone and dial the 16 year old 3l33t hax0r general in charge so he can fire the scripts! For great lols!

Re:omg it's the cyercaust! (1)

Ltap (1572175) | more than 3 years ago | (#34437306)

16 years old? He's over the hill! Fire him and replace him with his 13-year-old subordinate!

Exaggeration (3, Insightful)

flyingfsck (986395) | more than 3 years ago | (#34436948)

Hmm, he seems to be seriously exaggerating the threat. Network attacks are very easy to defend against and the damage is negligible compared to a real military attack. So this is plain stupid.

Re:Exaggeration (1)

Ltap (1572175) | more than 3 years ago | (#34437348)

This seems to me like an attempt to head off intra-national attempts to regulate "cyber-weapons", applying rules to citizens that they don't apply to themselves. By drafting rules for countries they prevent (to some degree) the stopping of individuals and the ignoring of countries. By bringing it to the level of an international treaty, it gives it a level of seriousness that would stop countries from simply DDoS'ing each other on a whim or to put on political pressure, which would make Internet access in some countries sketchy at best.

Re:Exaggeration (1)

N0Man74 (1620447) | more than 3 years ago | (#34437438)

Tell that to those who have lost family members due to cyber attacks...

Re:Exaggeration (0)

Anonymous Coward | more than 3 years ago | (#34439302)

That router was like a brother to me...

Re:Exaggeration (0)

Anonymous Coward | more than 3 years ago | (#34437524)

He's also using the word "cyber", as in 'I don't know what I'm talking about, but it's some kind of important IT thing.'

Re:Exaggeration (1)

Securityemo (1407943) | more than 3 years ago | (#34437686)

Network attacks are very easy to defend against

Not really, not if you're not talking about just pulling the plug. And in any case you still need to take the measures necessary to do so. Remember that McKinnon got access to a subcontractor's (I think it was) internal network by using a password cracker and a public RAT. That's incompetence, you say. Fine, but regardless of it's form or shape it's still a security problem, period.

Re:Exaggeration (1)

hellkyng (1920978) | more than 3 years ago | (#34437742)

You assume that a network or "cyber" attack is negligible compared to a real military attack. What about when those attacks steal or reveal sensitive military information, compromise troop movements, or even better silently alter or changes plans? Or how about if malicious software were to cripple a nations infrastructure such as power and water? Or steal the information regarding the whereabouts of critical personnel in military branches? What if a nation were to conduct economic warfare, such as targeted pump and dump spam or hack into a nations banks and continually reveal customer information. A state player with large resources might be able to create a Heartland type data breach many times over, that could cause some serious chaos.

Malware like stuxnet could easily bring a nation to its knees if it was properly applied. The best thing we can do is to have a little foresight with regard to the true threat events like these pose especially where state actors are concerned.

Besides Schnier is one of the most level headed security people around.

http://online.wsj.com/article/SB124027491029837401.html [wsj.com] - DoD plans for jet fight stolen
http://www.theregister.co.uk/2008/03/06/pentagon_breach_assessment/ [theregister.co.uk] - Pentagon breached
http://datalossdb.org/incidents/2478 [datalossdb.org] - Records of 40,000 plus army personnel stolen

Re:Exaggeration (1)

mangu (126918) | more than 3 years ago | (#34438316)

What about when those attacks steal or reveal sensitive military information, compromise troop movements, or even better silently alter or changes plans? Or how about if malicious software were to cripple a nations infrastructure such as power and water? Or steal the information regarding the whereabouts of critical personnel in military branches?

You mean like when a spy watches the troops with binoculars and writes down what he sees? Like when someone follows a key military officer by foot?

What shall be subject to treaties and have hotlines next: binoculars, paper, pencil, or shoes?

Re:Exaggeration (1)

hellkyng (1920978) | more than 3 years ago | (#34438776)

There are already established guidelines for the things you describe ie rules of ware etc. The online equivalent of those items can have substantially more impact and scope then the in person. Hence it makes complete sense to at least establish some guidelines for how to go about those things. Right now online there is nothing to dictate what form warfare over the internet might take. If we have an opportunity to take proactive steps to limit those things in a sensible manner, we should do so.

slashdot=star trek ref (1)

turkeydance (1266624) | more than 3 years ago | (#34436986)

see: a taste of armageddon

Ol' boy's gone off the deep end this time (1)

countertrolling (1585477) | more than 3 years ago | (#34437018)

It's another case of doing everything but locking and securing a sufficiently resistant cockpit door.

Zonk OMG (1)

dakkon1024 (691790) | more than 3 years ago | (#34437030)

Can we make facebook a civilian target?

The Geneva Conventions... (2)

airdweller (1816958) | more than 3 years ago | (#34437086)

Will it mean hackers and the like will be considered enemy combatants if taken prisoners? Won't they have to wear uniforms to distinguish themselves from 'terrorists'?
Too bad the black berets are already taken by the USAF. How about black hoodies?
I'm also pretty sure some will insist on including dice, wands or xkcd quotes...

Cyberwar Hotline (4, Funny)

HTH NE1 (675604) | more than 3 years ago | (#34437126)

"Hello, cyberwar hotline. Have you tried turning it off and back on again?"

You'll get "Bob" from India... (0)

Anonymous Coward | more than 3 years ago | (#34437220)

Who will tell you to run the recovery CD.

General purpose hotline? (1)

igreaterthanu (1942456) | more than 3 years ago | (#34437234)

Aren't these just fancy encrypted telephones between superpowers? Why do they need different hotlines for different crises?

Re:General purpose hotline? (1)

maxwells_deamon (221474) | more than 3 years ago | (#34438382)

VOIP phones between the responce centers ;-)

The actual hot line was originally a teletype machine. It was a red phone only in the movies and on TV. Probably upgraded by now.

Re:General purpose hotline? (0)

Anonymous Coward | more than 3 years ago | (#34438764)

Nimrodism. All hail the Bruce.

ph34r (1)

dakkon1024 (691790) | more than 3 years ago | (#34437236)

all your FaceBook are belong to us

Missing the Point, entirely (2)

Haedrian (1676506) | more than 3 years ago | (#34437302)

"These could stipulate a no first use policy, outlaw unaimed weapons, or mandate weapons that self-destruct at the end of hostilities."

There are tons of major differences between a nuclear weapon and cyber-'weapons' .

Firstly, how do you work out who sent it? A nuclear warhead is pretty easy to track - but what about Stuxnet?

Also, civilians aren't generally capable enough to create their own nuclear weapons, they can make cyber-'weapons'.

What it'll end up with is everyone agreeing that cyber-weapons are bad and banned, then doing stuff in secret.

The solution is better security. Yes, its an impossible goal - but its still more realistic than having the president going- "Dammit! My facebook has been DDOSed. Someone get me the Kremlin!"

Re:Missing the Point, entirely (1)

tchdab1 (164848) | more than 3 years ago | (#34437548)

>>Firstly, how do you work out who sent it?

By tracing it.

Re:Missing the Point, entirely (1)

Minwee (522556) | more than 3 years ago | (#34437612)

Okay, now you know the shape of the weapon, but who are you going to show that picture to?

Re:Missing the Point, entirely (1)

lxs (131946) | more than 3 years ago | (#34438180)

Once you've backtraced it, do you call the cyber police?

Re:Missing the Point, entirely (1)

tombeard (126886) | more than 3 years ago | (#34439020)

ITYM "backtracing".

cyberwar isn't about nation-states! (3, Insightful)

strangelovian (1559111) | more than 3 years ago | (#34437370)

Schneier is assuming that in cyberwar the main actors are going to be nation-states. Look at Wikileaks; that's a form of cyberwarfare and I don't see how a hotline between the US president and the Chinese premier is going to help. We're entering a post-nation-state era, but Schneier sounds like he's using models from the 1960's.

Re:cyberwar isn't about nation-states! (1)

glwtta (532858) | more than 3 years ago | (#34438786)

Schneier is assuming that in cyberwar the main actors are going to be nation-states.

Actual cyberwar is a matter for nation-states. That whole "autistic 14 year old super hacker from Ukraine brings down all of US infrastructure with a push of a button" scenario should stay where it began: crappy 90s sci-fi.

And calling WikiLeaks "cyberwarfare" is just, well, Palinesque.

Re:cyberwar isn't about nation-states! (1)

strangelovian (1559111) | more than 3 years ago | (#34438966)

Wikileaks uses the power of the internet to undermine authoritarian or non-transparent governments around the world. I'd say that qualifies it as one of the most powerful cyber-attack we've seen so far. As Julian Assange and Osama bin Laden understand, the war for your mind is by far the most important kind of warfare -- taking down infrastructure is pretty trivial by comparison. And neither of these guys is going to be deterred by treaties or hotlines!

Cyber-conventions? (1)

HeckRuler (1369601) | more than 3 years ago | (#34437380)

Do you think the cyber-guerrillas will respect the Geneva convention? The international cyber-banks will be the first to go in a world-wide-cyber-war!
The cyber-dead will be strewn about the cyber-fields, and cyber-children will run in terror from cyber-napalm. WE'LL REVERT TO PRE-CYBER CIVILIZATION!
So... like today, but instead of cyber-dot, to complain about greedy corporations we'll have to go talk to our neighbors.

like the wikileaks war (1)

tchdab1 (164848) | more than 3 years ago | (#34437510)

Tell me that the attacks both visible (from idiots like Lieberman) and less visible (from so-called "hackers") are not the signs of cyberwarfare being directed against the power of free information via Wikileaks.

Oh my... (0)

Anonymous Coward | more than 3 years ago | (#34437550)

I guess the internet really IS serious business!

It makes sense, considering the following scenario (3, Insightful)

Securityemo (1407943) | more than 3 years ago | (#34438122)

*calls FSB major*

Yo! You don't know who I am, and I'm not sure how I got your number, but there's this thing going down in the internal networks of a few dozen hospitals here, and we're tracing it back to a site in your country. Our expert will soon be on it (god willing, assuming we can find them and brief them and give them access to the binaries) but the code obfuscation and anti-reversing features are like acts of god almighty, and amusingly treated as such by the insurance companies. Could you please help us catch these crazy bastards for interrogation about the stopping key... pulling the plug? That won't work, it's a self-contained virus, bricking shit like a startled soviet-era comedian. Talk to my boss? Well, I'm not sure he knows how to deal with this... or for that matter which one of my bosses I'm supposed to call...

As (potentially) opposed to:

*calls the kr3ml1n h4x0r bünk3r (actual official name) from the American Cyber Command (actual official name)*:
Hello, we've got a massive self-replicating attack on our internal networked hospital equipment, much like the scenario we discussed a few months ago. We can't break the obfuscation, and IDA Pro gets eaten up from the inside by trying to analyze it, but you guys might have more luck with the binaries we've managed to capture. Also, some versions of the code communicates with a site in Russia - it's probably botnet nodes, but the "scary men in helicopters" protocol you spoke about using internally might work anyway.

Not to talk about the difference in reaction speed between the two.

Nukes for everyone? (1)

munky99999 (781012) | more than 3 years ago | (#34439318)

Back in the day... who really could launch nukes? Hell even today how many people could build a nuke... friggen governments cant even do it. So yes you could get your dozen groups communicating and that stops it from happening. You are able to talk to everyone who can do it. Very diplomatic Today on the otherhand 23 year old guys control 500,000 zombie botnets. Computer security itself is terrible to the point basically a huge number of independants have the power to do the job. So what are governments doing to open communication with these people? They are trying to identify them in order to arrest or as the usa says "the Department of Defense is prepared, based on the authority of the President, to launch [...] an actual bombing of an attack source or a cyber counterattack." This isnt diplomatic at all.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?