Monthly Archives: May 2005

Simulated Assymetric Cyberwarfare

The first question that occured to me when I read this story, “CIA Overseeing Three-Day War Game To Mimic Response To Crippling Internet Attack” By Ted Bridis May 26, 2005, was why wasn’t Homeland Security doing this, instead of the CIA?

Then I remembered the Homeland Security Partnering Conference of last month, in which I was reminded that a bit more than one percent of DHS’s funding goes to Cyber Security, and about the same amount to Critical Infrastructure Protection; if you rummage about on DHS’s web pages, you’ll find pie charts about this. The conference attendance reflected DHS’s real priorities. The attendees were heavily from national laboratories and large research universities. The talks were mostly about nuclear, chemical, and biological threats. All real concerns, and ones DHS should be dealing with.

Still, I was troubled by a question from a law enforcement attendee at lunch, which was more or less why is there anything here at all about the Internet; you can’t do terrorism through the Internet!

It’s true it’s hard to kill people directly through the Internet, and I’m glad of that. However, it’s not so hard to disrupt systems through the Internet, as phishers are demonstrating. A well-timed pharming attack on financial services DNS servers could create quite a bit of disruption.

Plus increasing amounts of the electrical power grid’s SCADA (Supervisory Control and Data Acquisition) system runs on top of the Internet, and from what I’ve heard with minimal security. We saw only a couple of years ago the kind of cascade failure a single accidental malfunction caused in the Northeast power outage.

Sceptics will note that few people died in the northeast power outage, and indeed we were fortunate. But terrorism isn’t really about killing: it is about achieving political ends. It’s worth reading what John Robb has been writing about petroleum pipeline and electrical outages related to the Chechen situation. If Robb is right, a few carefully placed explosions that killed nobody are near accomplishing what many years of bloody warfare did not.

Back to the the article about war games:

“"Livewire," an earlier cyberterrorism exercise for the Homeland Security Department and other federal agencies, concluded there were serious questions about government’s role during a cyberattack, depending on who was identified as the culprit — terrorists, a foreign government or bored teenagers.

“It also questioned whether the U.S. government would be able to detect the early stages of such an attack without significant help from private technology companies.”

Private companies are already having to deal with systems disruption such as phishing and pharming and spam and DDoS attacks. More robust and diverse private methods and players dealing with such problems would make government’s job a lot easier, by doing a lot of it already.

One could well argue that government will never be able to do the job alone, because of the worldwide, distributed, open source nature of the perpetrators. Only a similar array of worldwide, distributed, and diverse countermeasures can succeed. Private industry is already having to produce such countermeasures for problems such as phishing, where law enforcement, much less homeland security or intelligence agencies or military, have not yet become engaged.

The catch is that nobody wants to pay for such a large set of projects. Government can play a role by seed funding innovation; after all, that’s how the Internet got started. Then the trick is to make the new projects pay for themselves. Private industry is already working on that, too.


Tailored Long Tail

I happened to run across two articles yesterday that mesh in an odd sort of way.

Chris Anderson writes in his blog: Is the Long Tail Full of Crap? Chris has for a while now been writing about the long tail of distribution. Take movies, for example.  Traditionally, there are only so many movie screens and so much shelf space in video stores.  Movies that are popular enough to draw a mass audience get on the screens and on the shelves.  A movie doesn’t have to be as popular to get on the shelves as on the screen, but the idea is the same: beyond the fat head of distributed movies there’s a long tail of movies that fewer people want to see and that don’t get on the shelves. Yet many movies in the back catalog are high quality, and some people would want to see them if they could get them, as for example Netflix has demonstrated. The total value of the long tail is probably as high as that of the short head. Chris’s current post is largely about filters to pick out of the long tail what a given potential audience would consider quality.

Meanwhile, Clay Shirky in his blog writes about Situated Software. He gives examples of how throwing away the Web School virtues of scalability, generality, and completeness lets Internet product designers take advantage of small groups as testers, customers, and reputation systems, thus building small products fast that make their small group customers very happy.

It seems to me that Clay Shirky is talking about building quality products for the long tail; quality products that are already filtered for their target customers.

What does all this have to do with Internet business risk management? Maybe one way of dealing with risks outside the firewall is to tailor an enterprise’s (or customer’s) Internet connection for maximal utility and least risk for that particular customer, maybe by selecting the best-fitting connection, and maybe by constructing an insurance policy to cover problems that are likely to occur, especially where it doesn’t fit so well. Maybe the best way to build Internet insurance isn’t to make a few big policies; maybe it’s better to tailor a policy for each customer’s Internet situation.

Now tailoring has connotations of handmade, and there probably would be a professional services aspect to this. But what if that aspect consisted largely of presenting a few automatically-generated tailored policies for the customer to choose from?


Phish Zoom

Phishing is a big problem these days: those annoying messages in your electronic inbox that  say your Ebay or Paypal account or your online bank login need updating, but which actually direct you to a fake web page that steals your identity so as to steal your money; or just to steal your identity for later use.

Visualizing the topological and performance relations of phishing servers and zooming in on each one permits discovering patterns such as several in the same hosting center or ones pretending to be in one country when they’re actually in another.