Lessons from the Hindu Kush, in cyberspace
The U.S. government should take a page from its playbook in dealing with the Taliban and apply it to attacks in cyberspace, a congressional panel was told Thursday.
Before the Sept. 11 attacks, Michael Sheehan, the U.S. ambassador at large for counterterrorism, delivered "a stern message to the Taliban," warning that if there was an attack on the United States by al-Qaeda, which was being given safe harbor by the Taliban, "we will hold you responsible," Robert K. Knake, an international affairs fellow at the Council on Foreign Relations, told a panel of the House Science and Technology Committee.
And after the terrorist attacks, the United States made good on Sheehan's word, he said.
That concept of "sovereign responsibility" ought to be applied in the world of computer network intrusions, Knake told the panel, which was exploring the esoteric but important issue of cyber attack attribution -- basically figuring out who's behind a cyber attack.
Proving who's responsible for an attack, however, is difficult because attackers can mask their identities or deflect or deny responsibility, Knake and other experts noted.
The government can build into computer systems ways to identify users to make it easier to single out attackers, but doing so could threaten freedom of expression, they said.
Edward J. Giorgio, a former NSA official-turned-consultant, noted that discovering who's attacking us is not enough to deter adversaries from carrying further attacks. Consider the recent attacks on Google. "There is little doubt that these were perpetrated by a state-sponsored actor in China," Giorgio wrote in prepared testimony, "but has the attendant publicity done anything to reduce the number of cyber attacks coming from China?"
He also noted that even if the U.S. government has "irrefutable" proof on an attacker, that proof is "rarely releasable beyond government circles" because it would compromise privileged information or intelligence assets.
Ultimately, he said, U.S. policy should require some "authorized (and transparent) monitoring of our information and telecommunications systems, while at the same time, embracing really strong mechanisms to protect privacy and anonymity" with oversight by a "trusted third party."
Privacy advocate Marc Rotenberg warned that any government effort to require identification on the Internet would likely violate the Constitution. He noted that while detection methods can, say, help pinpoint a pedophile trying to distribute images on the Internet, they can also be used to identify a political dissident in a country hostile to that person's views. "It's not a simple problem," he said.
The comments to this entry are closed.