Should a targeted country strike back at the cyber attackers?

Summary: Should a targeted country retaliate over cyber attacks using kinetic weapons or offensive cyber warfare capabilities? Common sense says 'yes'; the dynamics of cyber warfare say 'think twice' before doing it, because you may easily end up attacking the wrong country, or even your own infrastructure.

Calls for using kinetic or nuclear weapons, or offensive cyber warfare capabilities, against cyber adversaries resurface internationally on a regular basis, usually as a desperate response to the threat and largely based on the outdated situational awareness of the person making them.

The situation becomes even worse when these people either sit directly in a country's chain of command, or have enough political bargaining power to undermine the common sense brought in by those in the trenches of cyber operations.

Political sentiments aside, using kinetic force against a physical target believed to be the location of the cyber attacker, or retaliating with Denial of Service (DoS) attacks, is a very bad idea.

Let's discuss some of the key trends in the market for offensive cyber warfare tools, as well as two fully realistic scenarios that undermine the effectiveness of frontal cyber warfare engagement tactics.

The commercialization of offensive cyber warfare tools

Like in any other market, demand always meets supply. In the case of offensive cyber warfare, the supply is largely driven by the military principle of "necessity and proportionality", combined with a particular government's interest in doing what a targeted country sees as the single most logical thing to do: strike back at the cyber attackers. The question then becomes what kind of tools it should rely on.

In 2004, a risk metrics company started promoting, perhaps for the first time ever, a commercial offensive cyber warfare solution, described as:

"The first IT security solution that can both repel hostile attacks on enterprise networks and accurately identify the malicious attackers in order to plan and execute appropriate countermeasures – effectively fighting fire with fire. While other companies offer only passive defense barriers, Symbiot provides the equivalent of an active missile defense system."

According to the press release, the product was developed in anticipation of this emerging market segment. Years later, another vendor, Rsignia, introduced a mainstream offensive cyber warfare platform, the CyWarfius CyberScope:

"The CyWarfius CyberScope is an offensive capable cyber weapon specifically designed to address the unique requirements of the cyber warrior. With the ability to conduct a surgical offensive strike on a specific target, the CyberScope is the first offensive tool of its kind to provide pseudo-kinetic countermeasures against cyber threats."

These commercial, off-the-shelf offerings are also a direct response to public statements and comments made by U.S. defense officials over the years regarding the use of kinetic or offensive responses to cyber attacks.

With more countries showing interest in the practice, due to the high volume of cyber attacks their infrastructures experience on a daily basis, it's important to highlight some of the scenarios that have the power to undermine such offensive doctrines.

Compromised legitimate infrastructure acts as a "virtual human shield"

Assuming that a targeted country decides to strike back at the infrastructure used in the attack, the possibility that it is in fact striking back at legitimate infrastructure is a fully realistic one: in 2009, 71 percent of the Web sites hosting malicious code were legitimate.

Moreover, throughout 2009 cybercriminals once again demonstrated the same "virtual human shield" concept by blending legitimate infrastructure into the malicious mix, with notable examples including the abuse of legitimate services such as Twitter, Google Groups and Facebook as command and control servers, as well as Amazon's EC2 as a backend.

The problem with striking this infrastructure is that, from a military perspective, it is a civilian target. The use of "human shields", in this case a "virtual human shield", has been a major legal and ethical consideration in every conventional military conflict where such tactics were used.

And even if the direct impact on a third country's compromised infrastructure is legally considered collateral damage, the existence of this practice lays the foundations for launching false flag cyber operations.

False flag cyber operations impersonating a particular country

Remember the infamous "On the Internet, nobody knows you're a dog" cartoon? Or the War Games movie?

In the context of cyber warfare, in 2010 nobody knows you're Burkina Faso online, and yes, that goes for North Korea too. In the wake of the Google-China cyber espionage saga, everyone put the spotlight on China due to the cyber espionage doctrine it has become internationally known for over the past couple of years.

However, no attention was paid to the fact that the campaign, like many of the ones profiled at a later stage, could have been a false flag cyber operation launched by another country, or even by an individual or group of individuals, engineering cyber warfare tensions by relying on the negative reputation of the "usual suspects".

The concept of false flag cyber operations is anything but new. Since the early appearance of botnets, the people behind them realized that they could easily hijack a country's online reputation by using only infected hosts within that country to launch attacks, or anonymize their activities by using such hosts as "stepping stones", a practice also known as "island hopping".

In the Google-China cyber espionage campaign, the smoking gun was a hacked server based in Taiwan, along with several others based in the U.S. And even though there was no direct connection between the campaign and China's infrastructure, the fact that, as I'm posting this article, several hundred Chinese government subdomains are compromised and serving client-side exploits to their visitors easily turns them into playgrounds for a foreign intelligence agency, or anyone else wanting to impersonate the country online.

From a CYBERINT (cyber intelligence) perspective, provided that enough international cooperation takes place, the Internet can be a pretty small place for any attacker or cybercriminal. However, when it comes to attributing the real source of a cyber attack, the evidence obtained may be exactly the evidence a third party wants you to see.

Therefore, launching offensive cyber warfare tactics, or increasing political pressure, against the adversary a country has been tricked into blaming for the attacks may be exactly what that third country wanted to achieve.

Cyber warfare tactics undermining the offensive cyber warfare capabilities of the targeted country

Two of the many cyber warfare tactics made possible by the maturing of cybercrime into today's Crimeware-as-a-Service (CaaS) business model can easily render offensive cyber warfare capabilities, such as counter-strike DDoS attacks, completely obsolete. For instance:

  • Country A (Russia) knows that country B (United States) would DDoS back anyone who attacks it. It hates country C (China), so it rents bots within country C (China) to DDoS country B (United States). Ultimately, B (United States) DDoS-es C (China). This tactic demonstrates the problem with publicly acknowledging your ambition to strike back at cyber attackers, theoretically even to nuke them. And although connections to known cybercrime-friendly groups were established for their participation in renting botnets for some of the high-profile cyber attacks (Russia vs Georgia, for example), the people behind these services closely monitor the attribution patterns applied by the community. This proactive monitoring of mitigation strategies helped them embrace the so-called "aggregate-and-forget" botnets, where each botnet is uniquely aggregated in order to make it harder, if not virtually impossible, to trace it back to a particular group.
  • Country A (China) wants to undermine the offensive DDoS capabilities of country B (Russia). It DDoS-es B from bots located within country B (Russia). If B (Russia) starts DDoS-ing back the cyber attackers, it ultimately ends up DDoS-ing its own infrastructure. One of the most interesting questions this tactic leaves unanswered is how a targeted country is going to respond to a large-scale denial of service attack coming from malware-infected hosts within the targeted country itself. One of the most recent examples of this concept was the "Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites" campaign, which was so successful in terms of the internal traffic generated by the protesters that discussions started about stopping the DoS attacks in order to allow the upload of user-generated content. Basically, the Iranian government was heavily hit by the same tool it was using to spread its own "version of the story". Taking it offline in order to prevent the leak of disturbing material to the rest of the world would mean denying itself the ability to influence foreign opinion as well.
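To make the two tactics concrete, here is a small simulation added as an editor's example; it is not code from the original article. Countries A, B and C follow the two bullets above, the attack flows and IP addresses are constructed (reserved documentation ranges), and the "most common source country" strike-back policy is an assumed stand-in for an automated counter-strike.

```python
# Editor's added example (not from the original article): a toy model of the
# two "counter-strike DDoS" tactics above. Country names, attack flows and
# IP addresses are constructed; the IPs come from reserved documentation ranges.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str        # source address as seen by the victim's edge routers
    src_country: str   # geolocation of that address (what the victim can see)
    orchestrator: str  # who actually rented the bot (hidden from the victim)


def naive_strike_target(flows, threshold=0.5):
    """Country a 'DDoS back' policy would pick: the source country behind more
    than `threshold` of the attack flows, or None when no country dominates."""
    counts = Counter(f.src_country for f in flows)
    country, n = counts.most_common(1)[0]
    return country if n / len(flows) > threshold else None


def assess_strike(flows, self_country, threshold=0.5):
    """Compare the naive strike target with the real orchestrator of the attack."""
    target = naive_strike_target(flows, threshold)
    actual = Counter(f.orchestrator for f in flows).most_common(1)[0][0]
    if target is None:
        return "no_target"
    if target == self_country:
        return "self_inflicted"   # tactic 2: the bots sit inside the victim
    if target != actual:
        return "wrong_country"    # tactic 1: rented bots in a third country
    return "correct"


def defensive_response(flows, self_country):
    """What a defender can do without attributing anyone: blackhole external
    bot addresses at the edge and hand internal ones to the local ISPs/CERT."""
    external = sorted({f.src_ip for f in flows if f.src_country != self_country})
    internal = sorted({f.src_ip for f in flows if f.src_country == self_country})
    return {"blackhole": external, "notify_isp": internal}


# Tactic 1: A rents bots in C to hit B (plus one stray bot inside B).
TACTIC_1 = [Flow(f"203.0.113.{i}", "C", "A") for i in range(1, 9)] + \
           [Flow("198.51.100.7", "B", "A")]
# Tactic 2: A rents bots inside B itself (plus one stray bot in C).
TACTIC_2 = [Flow(f"198.51.100.{i}", "B", "A") for i in range(1, 9)] + \
           [Flow("203.0.113.4", "C", "A")]

if __name__ == "__main__":
    for name, flows in (("tactic 1", TACTIC_1), ("tactic 2", TACTIC_2)):
        print(name, "-> strike back hits:", naive_strike_target(flows),
              "| outcome:", assess_strike(flows, "B"))
        print("   defender's alternative:", defensive_response(flows, "B"))
```

In neither tactic does the strike ever reach A, the party that actually rented the bots; the filtering response reaches the bots in both cases without any attribution at all.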

What do you think?

How should a targeted country treat the infrastructure used by the cyber attackers, even if they are using a compromised third country's servers? Should a targeted country use its offensive cyber warfare capabilities as bargaining power against a particular cybercrime-tolerant country, even though the attacks are launched by someone else?

Also, how would a targeted country strike back at a country that has virtually no Internet infrastructure at all?

TalkBack, and share your opinion.

Images courtesy of GameSpot "World of Conflict", U.S. Air Force Cyber Command (Provisional) Public Affairs, and War Games, the movie.

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • RE: This is way too deep an article for the average person to comment on ..

    But, I will try. Let's use a real life example. How about something that was reported by ZDNet a few years ago. Specifically, "...Coordinated Russia vs Georgia cyber attack in progress|ZDNet"

    Russia attacked Georgia and although the cost to Georgia was economically significant, the real intent was political and to demonstrate that the will and ability to paralyze the Georgian IT infrastructure was a current Russian capability. It was slightly more than a "warning shot across the bow" but far less than a declared intent to permanently interfere with a sovereign state.

    It was, in fact, a twenty-first century equivalent of sending Soviet tanks into 1956 Hungary (for a few days or so.)

    Your question really is not whether cyber warfare should be stopped or responded to, since the capability is available to do so between governments, companies and/or individuals, but rather, should there be a worldwide treaty forbidding such acts of cyber warfare. Is cyber warfare at the same level as biological, chemical or nuclear warfare? (Note: There is no international treaty in effect or proposed banning nuclear warfare as there is against biological or chemical warfare, even though preventing a country from using biological or chemical agents is just as impossible as preventing a country from using nuclear weapons. It's just a political statement of will.)

    Personally, I would wish to see an international treaty endorsed outlawing cyber warfare. How and what forms of punishment could be used against transgressions is best left to persons much wiser than myself.
    Mike
  • It's really quite simple;

    You can't know with certainty who is behind an "attack" when the alleged "warfare" consists of nameless computers sending bits back and forth, so don't go bombing somebody just because some computer in their network happened to send too many packets (possibly without its owner's knowledge).

    Also, using something within the letter of the law should never be considered "attacking" it, anyways. If somebody makes software for a type of computer, and this software was made (on purpose or by mistake) to accept random commands from strangers, and you install it, and somebody takes advantage of this to delete all your stuff, that's not an attack. It's his computer telling yours something. There's virtually no way to prove who was actually responsible short of guessing (which is all too common, in some countries).
    • RE: Should a targeted country strike back at the cyber attackers?

      @AzuMao I agree completely with your reasoning. In fact, I would take it to the next level and argue that if somebody builds a city that cannot withstand a nuclear explosion, they are fair game for anybody with the appropriate weapons.
  • A server or network that falls to cyber attack is insufficiently robust.

    The Internet started as a military project, forhexsake. Defend your network. Don't come crying to... whoever... if a nasty big boy breaks it.
    Robert Carnegie 2009
    • And what a track record that is!

      @Robert Carnegie 2009

      Military "projects" are often broken at launch due to the blinkers worn by multiple (often upper-echelon) players, or by budget changes after the fact which disallow continued maintenance.

      Besides, there is still continued debate as to whether or not the military can even claim credit as the father of the internet... not even going to pitch a side on that one!
  • Great post Dancho

    I think it's inevitable that a targeted country tries to strike back, the only thing missing is the capability. However, the unintended consequences loom large. Overall, I think it's just a matter of time and the next big war is likely to start on the cyber front first. Kind of like air cover before you bring in the ground troops. Cyber, air, soldiers on the ground is the progression of the future.
    Larry Dignan
    • RE: Should a targeted country strike back at the cyber attackers?

      @Larry Dignan Thanks Larry.

      The main message is that "the rush must be tempered with wisdom", since escalation of any conflict sometimes happens much faster than originally anticipated. Especially when you're striking back at the wrong party.
  • Should a targeted country strike back at the cyber attackers?

    The employment and distribution of EMP weapons to take out attacking countries should be sufficient to take down bot nets or other cyber attacks. It should deal a hard enough blow, taking down their power grids and sending them back a few decades or hundreds of years until they crawl out without totally realizing how they totally screwed up.
  • RE: Cyber warfare tactics

    In the first scenario you block traffic from entering your network once you identify the offensive machines. This can be done by a straight block or installing an intermediary router to become the new recipient of offending traffic. Then, you hack into the offensive machines from another network to get traffic logs to track down the real offenders. This is target validation. Then, you can respond against the correct target. Or, you can do the same and rent a bot net in another country to DDoS those who tried to DDoS you.

    The second scenario isn't really too different from the first. Once you positively identify which computers are being trouble within your network, you tell the router(s) closest to that device to block the device on both an IP tag or MAC address tag and flag internal routers to block blacklisted MAC addresses. Sure, you can spoof your MAC address but it's a way to respond without generating more traffic within your network.

    There are no rules in place on the internet that say machine A MUST be allowed to connect to machine B, ESPECIALLY in a cyberwarfare scenario.
    • RE: Should a targeted country strike back at the cyber attackers?

      @hoagsie "Then, you hack into the offensive machines from another network to get traffic logs to track down the real offenders."

      Are you telling a joke? Just following along in your universe here .... Logs will say whatever they intended for them to say. "hacking" is not some automatic thing, either they left themselves open, or they didn't. If they did, and you are going to read the 'logs' that they wrote, with intention of acting on those you say in your next thought, you then launch a DDoS attack on "those" people you discovered in the "logs" that you got by "hacking".

      How easy is it to manipulate you?

      I agree with the earlier poster, if you install a computer, and it has particular characteristics, such as it accepts communications on such and such a port, and if it has commands such as "delete"...and you wake up one morning and all your files are deleted, that is entirely your fault.

      Your computer, that you installed, worked as designed.

      You never have any right to do a DDoS attack, period.
      • RE: Should a targeted country strike back at the cyber attackers?

        @rdupuy11 I was kinda being facetious, yes. The article presented things in a things-just-happen sort of way so I replied in kind.
      • RE: Should a targeted country strike back at the cyber attackers?

        @rdupuy11 following your and the earlier posts' line of thought...

        You hire me to setup an alarm and lock system in your house. I provide you and your family access to disable the alarm and unlock the house, but hey, I have the ability to disarm and unlock your house too.

        When you wake up in the morning all of your stuff is in my garage and it is entirely your fault.

        The alarm and lock worked as it was designed.

        I am really tired of all of the liberalist crap that is spouted about "oh we can't possibly do that...", "someone might get offended", "we can't stop people from doing something, even though they are the criminals". Please grow a freaking spine.

        If country A (Russia) rents a botnet out of country C (China) to attack country A (USA), then country A has every right to lay waste to the botnet in country C. When country C has lost millions in revenue, maybe they will pop their heads out of their backsides, clean up their infected systems, and bring down the house on the owners of the damn botnets.
  • Change your whole language

    The problem here is that you've gotten technical issues lumped together with romanticized military gobbledy-gook lingo.

    You really sound moronic, as do those adverts.

    Take some time to understand what a denial of service, actually means.

    If you have any type of automatic response - and if you create a denial of service scenario, then you are the tool that will be used. I guess "tool" has a double meaning in this sentence.
  • Rule Number 1

    Never punish the innocent.
  • RE: Should a targeted country strike back at the cyber attackers?

    It is always good to consider when we think we would bomb someone else. How about if "they" trace a cyber attack to the US and bombs start falling? How do we feel about that? Or if Chinese commandos blow up some US business on US soil?
    I am all for blowing things up. But let us think about it all the way through before we take a piece of that gorilla cookie.
  • What future conflicts?

    I thought The Obama was going to cure all that.
    Hatestone Johnson
  • yes, i agree, offensive countermeasures are a crapshoot.

    The best thing is to absorb the hits, deny them access one by one until network traffic normalizes. Ya, the routers cost a lot and there is some programming, but it's probably the best way to deal with it.

    Another facet of this is that some companies might also do the same against each other. Say I wanted Apple to attack MS, so I use Mac machines located on the Apple networks to attack MS.
  • Redesign parts of the internet

    The problems discussed in the article are problems caused by network infrastructure that was made to be too trusting and too easily spoofed. There are silly little problems like information being redirected by errant information on servers and routers, or deliberate hijacking of information by exploiting vulnerabilities of the infrastructure.
  • Need a packaged approach

    One question that needs to be addressed is the problem of anonymity. How to make it riskier for the attacker(s) to carry out an attack? Mr. Kaspersky a while back called for the creation of an "Interpol for the Internet". Seems like a good idea. The international level of cooperation, combined together with a good intelligence gathering and sharing capability, can do a lot to raise the risk of being punished for the perpetrators.