He ends with a rather poignant phrase: It’s war, gentlemen, and it’s time our agencies got cracking.
I’m not so sure it’s war–even less sure we should get the government involved.
If he calls the attacks by Malaysians on Pinoy websites (and vice-versa) a war, then what’s currently going on with the DAP website is a sign of not just war–but a digital civil war, with internal actors, attacking local sites.
TheStar last week reported that the:
DAP has claimed that its websites have been attacked and forced to shut down since last Friday.
National publicity secretary Tony Pua (pix)said the party’s official website, dapmalaysia.org, and its Malay portal, roketkini.com, were incapacitated by denial of service attacks (DDOS) on March 8, 10 and 13.
While TheStar doesn’t report it, but other newsportals claim Pua was blaming political foes for the attack. For the most part this is quite common, we’ve seen Malaysiakini go down a few times, and various other pro-opposition blogs have taken some hits. This of course is even more interesting because Krebsonsecurity.com blogged that he was a victim of not just a DDOS attack but Swatting as well.
What the hell is Swatting…you ask.
That’s when tricks the emergency services (including the Police and the SWAT team) to come a calling in your home. This tactic has been gaining some traction in the US and let’s just hope it never reaches our shores.Having a SWAT team break down your door and handcuff you is something I wouldn’t want to experience, and just to go off-tanget for a while, some of you may make fun of the Police service but I can personally attest, that I only had to call the Police once in my life–and on that occasion they came within 5 minutes. So Swatting could potentially be an attack tactic in Malaysia as well.
Anyway, Krebs problems started when he wrote about a web service called absoboot.com that was a paid-service you could hire to perform a DDOS attack on a website of your choice. For as low as USD15 you could buy the service to put-down or at least constantly attack a website for 5 hours straight. In fact absoboot.com is not the only service available, there are hundreds of these guys all over the place, and if you visit the hack forums you’d be able to probably find a whole lot more, varying in quality and price.
The reality now is that, anyone with deep enough pockets can buy the technical skills necessary to perform things like DDOS attacks on sites for cheap. In fact USD15 for 5 hours is not exactly high-street prices–and that translates to roughly USD90 a day. That’s peanuts to most people.
Fortunately though–there are remedies.
In the same way you can hire guns to attack sites–you can just as easily (probably easier) hire guns to ‘protect’ your website. Prolexic (which protects krebsonsecurity.com) , offers DDOS mitigation services for companies and organizations. Organizations like the DAP.
Of course protection is far more difficult than attack and therefore probably cost more, however if you’ve got something to protect–you should protect it. The cost is asymmetric, but that’s also a matter of economics–the defender usually has a lot more money than the attacker, and we have a whole bunch of techically savvy people offering protection services to big websites that need to up 24/7 and are big targets due to economics or politics.
Which of course brings us full circle to whether governments should be involved in this war. On the high level, there is a war–the question is of course are we involved in it?
Bruce Scheneir has been writing a sleuth of post focusing nationalism on the internet, and how “we’ve started to see increased concern about the country of origin of IT products and services; U.S. companies are worried about hardware from China; European companies are worried about cloud services in the U.S; no one is sure whether to trust hardware and software from Israel; Russia and China might each be building their own operating systems out of concern about using foreign ones”
All of this of course leads to an arms race. Where each country is unsure of how their technical capability compares with the enemy. The fear of being left behind causes governments to spend more, which in turn causes the other side to spend even more–eventually the only people to profit are the suppliers of the security and attack products, because everyone is spending more than they should. Eventually what ends up in the hands of governments are ridiculously powerful tools and weapons, which they can unleash on their enemies–or even on their own citizens.
Just last week we had a inaccurately written article by the Malaysian Insider that the Malaysian government was using Spyware on it’s own citizens. That article of course has been debunked–by me. However, the comments and news around the article clearly suggest Malaysians don’t trust our government, and rightly so. If we start getting involved in cyber-wars and start diverting parts of our defense budget to cyber protection–that might not be such a bad thing, but who then ensures that the tools and talents procured as part of our cyber-defense are never used against our own citizens?
It might be war, but then again, should be government be in charge of protecting the website of private universities…isn’t that a step too far? Is the Government responsible for the security of Malaysian websites–it’s a stretch to say it is, and I’d like to keep it that way. In the past, we’ve seen non-governments like the hacktivist community Anonymous get involved in cyber-threats against real governments like Israel–so whose to say, citizens can’t protect citizens?
It’s still war though.
picture courtesy of http://www.flickr.com/photos/shellysblogger/2113838057/sizes/m/in/photostream/