I do a lot of presentations on the changing threats in cyberspace. I always start out by saying the economics of developing cyber-threats is very different than for physical threats or traditional warfare. Governments do not have an advantage in developing cyber-threats – that is why the vast majority of the most damaging attacks are first seen in financially motivated attacks, then later against government agencies and political targets.
Inevitably, talk of unstoppable state-sponsored attacks always comes from either government agencies jockeying for responsibility and budget, or from security programs that aren’t at due diligence looking for excuses.
Don’t get me wrong – governments will use cyberspace as an attack path for warfare, just as every other technology gets used. But stopping an Internet-carried attack created and launched by a government is no different, and not even more difficult, than stopping an attack launched by organized crime or identity thieves. It all comes down to closing the vulnerability – block the hole and the attack does not succeed.
I think the early DDoS attacks caused a lot of this “unstoppable state-sponsored attack” myth to develop. There was a misconception that no one could stop an enormous brute force DDoS attack and only governments would have the resources to launch an effective one. Of course, both of those have already been proven false:
- Many large ecommerce and Internet infrastructure companies routinely stop DDoS attacks that are over 10 Gbs and are launched from tens of thousands of machines.
- The biggest DDoS attacks have not had government sponsorship.
It reminds me of back in the 1980s and early 1990s when it was thought that only governments had the resources to develop hardware to break cryptography through brute force – but then most of the advances in breaking crypto came from informal peer-to-peer networking of commercial PCs and servers.
In physical warfare, governments can develop weapons that no business can protect itself against. No Wall Street firm has strong enough physical security to stop a tank. In cyber-warfare, it is a different story. Every time an attack over the Internet succeeds, it means there was a failure in vulnerability management and intrusion prevention. Now, very often the vulnerabilities are in the people – systems aren’t administered right or users fall for tricks and scams.
These are actually the areas where governments can attack IT systems differently – they can and do go after people using traditional methods. If you are really worried about state-sponsored attacks, after you get your vulnerability management and intrusion prevention programs up to snuff, focus on people vetting.