Should a targeted country strike back at the cyber attackers?
Should a targeted country retaliate over cyber attacks using kinetic weapons, or offensive cyber warfare capabilities? Common sense says 'yes'; the dynamics of cyber warfare say 'think twice' before doing it, or you may easily end up attacking the wrong country, perhaps even your own infrastructure.
The situation becomes even worse when the advocates of striking back are either directly part of the chain of command for a particular country, or have enough political bargaining power to override the common sense brought in by those in the trenches of cyber operations.
Political sentiments aside, using kinetic force against a physical target believed to be the location of the cyber attacker, or launching Denial of Service (DoS) attacks against it, is a very bad idea.
Let's discuss some of the key trends in the market for offensive cyber warfare tools, as well as two fully realistic scenarios undermining the effectiveness of frontal cyber warfare engagement tactics.
The commercialization of offensive cyber warfare tools
As in any other market, demand always meets supply. In the case of offensive cyber warfare, the supply is largely driven by the military principle of "necessity and proportionality", combined with a particular government's interest in the one question a targeted country believes it must answer: should it strike back at the cyber attackers, and what kind of tools should it rely on?
"The first IT security solution that can both repel hostile attacks on enterprise networks and accurately identify the malicious attackers in order to plan and execute appropriate countermeasures – effectively fighting fire with fire. While other companies offer only passive defense barriers, Symbiot provides the equivalent of an active missile defense system."
"The CyWarfius CyberScope is an offensive capable cyber weapon specifically designed to address the unique requirements of the cyber warrior. With the ability to conduct a surgical offensive strike on a specific target, the CyberScope is the first offensive tool of its kind to provide pseudo-kinetic countermeasures against cyber threats."
With more countries showing interest in the practice, due to the high volume of cyber attacks their infrastructures experience on a daily basis, it's important to highlight some of the scenarios that have the power to undermine such offensive doctrines.
Compromised legitimate infrastructure acts as a "virtual human shield"
And even if the direct impact on a third country's compromised infrastructure is legally considered collateral damage, the existence of this practice lays the foundations for launching false flag cyber operations.
False flag cyber operations impersonating a particular country
In the context of cyber warfare, in 2010 nobody knows you're Burkina Faso online, and yes, even North Korea. In the wake of the Google-China cyber espionage saga, everyone put the spotlight on China due to its internationally recognized cyber espionage doctrine throughout the past couple of years.
However, no attention was brought to the fact that the campaign, including many of the ones profiled at a later stage, could have been false flag cyber operations launched by another country, or even by an individual or group of individuals, engineering cyber warfare tensions by relying on the negative reputation of the "usual suspects".
The concept of false flag cyber operations is anything but new. Since the early appearance of botnets, the people behind them have realized that they could easily hijack a country's online reputation by launching attacks exclusively from infected hosts within that country, or anonymize their activities by using those hosts as "stepping stones", a practice also known as "island hopping".
In the Google-China cyber espionage campaign, the smoking gun was a hacked server based in Taiwan, along with several others based in the U.S. And even though there was no direct connection between the campaign and China's infrastructure, the fact that, as I'm posting this article, several hundred Chinese government subdomains are compromised and serve client-side exploits to their visitors easily turns them into playgrounds for a foreign intelligence agency, or anyone else wanting to impersonate the country online.
From a CYBERINT (cyber intelligence) perspective, given enough international cooperation, the Internet can be a pretty small place for any attacker or cybercriminal. However, when it comes to attributing the real source of a cyber attack, the evidence obtained may be exactly the evidence a third party wants you to see.
Therefore, launching offensive cyber warfare tactics against, or increasing the political pressure on, the adversary a particular country has been tricked into blaming for the attacks may be exactly what a third country wants to achieve.
Cyber warfare tactics undermining the offensive cyber warfare capabilities of the targeted country
Two of the many cyber warfare tactics made possible by the maturation of cybercrime into today's Crimeware-as-a-Service (CaaS) business model can easily render offensive cyber warfare capabilities such as counter-strike DDoS attacks completely obsolete. For instance:
Country A (Russia) knows that country B (United States) would DDoS back anyone. It hates country C (China), so it rents bots within country C (China) to DDoS country B (United States). Ultimately, B (United States) DDoS-es C (China) - This tactic demonstrates the problem with publicly acknowledging your ambitions to strike back at cyber attackers, theoretically even nuke them. And although connections to known cybercrime-friendly groups were established for renting out botnets used in some high-profile cyber attacks (Russia vs Georgia as an example), the people behind these services closely monitor the attribution patterns applied by the community. This proactive monitoring of mitigation strategies helped them embrace the so-called "aggregate-and-forget" botnets, where a botnet is uniquely aggregated for a single operation in order to make it harder, if not virtually impossible, to trace back to a particular group.
Country A (China) wants to undermine the offensive DDoS capabilities of country B (Russia). It DDoS-es from bots located within country B (Russia). If B (Russia) starts DDoS-ing back the cyber attackers, it would ultimately end up DDoS-ing its own infrastructure - One of the most interesting questions this tactic leaves unanswered is: how is a targeted country going to respond to a large-scale denial of service attack coming from malware-infected hosts within the targeted country itself? One of the most recent examples of this concept was the "Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites" campaign, which was so successful in terms of the internal traffic generated by the protesters that discussions started about stopping the DoS attacks in order to allow the upload of user-generated content. Basically, the Iranian government was heavily hit by the same tool it was using to spread its own "version of the story". Taking it offline in order to prevent the leak of disturbing material to the rest of the world would mean denying themselves the ability to influence foreign opinion as well.
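The two scenarios above, as an added example that is not part of the original post: a small Python model of the "blame the top source country" heuristic behind counter-strike DDoS, using a constructed prefix table in place of a GeoIP database and constructed flow records (source address, packet count). The country labels A, B and C and all addresses are assumptions for illustration.

```python
"""Added example (not from the original post): where a counter-strike aimed
at the apparent source country of a DDoS actually lands.

Every prefix, country label and flow record below is constructed."""
import ipaddress
from collections import Counter

# Constructed prefix-to-country table standing in for a GeoIP database.
PREFIX_COUNTRY = {
    "198.51.100.0/24": "A",  # the real controller's own network (constructed)
    "203.0.113.0/24": "B",   # the targeted country's networks (constructed)
    "192.0.2.0/24": "C",     # third country hosting rentable bots (constructed)
}
NETS = [(ipaddress.ip_network(p), c) for p, c in PREFIX_COUNTRY.items()]

def country_of(ip):
    """Map a source address to a constructed country label."""
    addr = ipaddress.ip_address(ip)
    for net, country in NETS:
        if addr in net:
            return country
    return "unknown"

def naive_attribution(flows):
    """The 'strike back' heuristic: blame the country sending the most packets."""
    share = Counter()
    for src, pkts in flows:
        share[country_of(src)] += pkts
    return share.most_common(1)[0][0], share

def assess_retaliation(flows, defender, true_controller):
    """Compare where a counter-strike would land with who actually ordered the attack.

    true_controller is ground truth the defender does not have; it is passed in
    only to show how little of it is visible in the flow data."""
    blamed, share = naive_attribution(flows)
    return {
        "blamed": blamed,
        "hits_self": blamed == defender,
        "hits_bystander": blamed not in (defender, true_controller),
        "controller_share": share[true_controller] / sum(share.values()),
    }

# Scenario 1: A rents bots in C to hit B; B's sensors see only C's addresses.
SCENARIO_1 = [("192.0.2.%d" % i, 1000) for i in range(1, 51)]
# Scenario 2: C drives bots inside B itself; B's sensors see its own addresses.
SCENARIO_2 = [("203.0.113.%d" % i, 1000) for i in range(1, 51)]
```

In both scenarios the controller's share of the observed traffic is zero, so any policy that retaliates against the observed sources hits either a bystander or the defender's own networks.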
What do you think?
How should a targeted country treat the infrastructure used by the cyber attackers, even if it's a compromised third country's servers they are using? Should a targeted country use its offensive cyber warfare capabilities as bargaining power against a particular cybercrime-tolerant country, even though the attacks are launched by someone else?
Also, how would a targeted country strike back at a country that has virtually no Internet infrastructure at all?