Exposing Hackers as a Deterrent
Two researchers propose a novel form of “arms control” at a conference in Germany.
Cyber attacks can come from governments, terrorists, thieves, or bored high school students. This makes the cyber security equivalent of “arms control” difficult to achieve. But a pair of researchers yesterday proposed methods of deterrence that they believe could work in cyberspace.
“There has been a lot of discussion lately about the analogy of cyber warfare to nuclear warfare. But it is not a good analogy in some ways–the technology should drive us in different directions,” said Tom Wingfield, a law professor at the George C. Marshall European Center for Security Studies in Garmisch-Partenkirchen, Germany, at a cyber security conference organized by Russian researchers.
Wingfield and James Bret Michael, a computer scientist at the Naval Postgraduate School in Monterey, CA, argue that surveillance on computer networks and other forms of intelligence can often provide the clues needed to expose a potential hacker, and this exposure may often serve as enough of a deterrent.
“With public deterrence, you shine a light on a malefactor before he attacks or soon after–so it’s visible to the press and the public and his own people. In some cases that’s the right answer,” Michael said. “In others, you can use a nonpublic approach.”
“Sometimes just being identified is enough to prevent an attack from taking place, because hackers depend on anonymity and surprise to succeed,” Michael says. And such methods can work no matter how the underlying attack technologies advance.
The conference was sponsored by the Institute of Information Security Issues at Russia’s leading university, Moscow State University. At the event, Vladislav Sherstuyuk, a retired four-star Russian general who heads the Institute, also announced a new research collaboration that includes government officials from Russia and China and academic institutions including the Indian Institute of Information Technology, Allahabad, and the State University of New York at Albany.
The agreement will “undertake common research on international information security,” he said. While the collaboration was partly symbolic, it reflects increased concern worldwide over the potential for computer attacks to wreak havoc. “It’s clear that cyber security has risen to the top tier of security issues around the world,” said Greg Rattray, chief internet security advisor to ICANN, the U.S. based organization that assigns Internet names.
In another sign that multinational talks are expanding on cyber security, the attendees at the conference included a delegation from the Chinese government as well as the White House senior director for cyber security, Chris Painter. Painter declined to be interviewed.
Russia, along with China and India, is a major source of cyber crime, and the U.S. has been trying to get Russia to allow law enforcement access to Russian networks to investigate crimes like bank fraud. Russia wants to forge an agreement akin to a nuclear arms treaty, but favors stopping short of law enforcement access.
While the stalemate was not broken yesterday, the gathering was a step forward in terms of forging ties. “The U.S. needs to work with Russia because it is one of the hotbeds of crime and hacker activity,” said Sanjay Goel, a computer scientist at the SUNY Albany, who runs a computer forensics lab and who signed on with the Russian research collaboration. “You need to engage with the people who are in a position to be able to fight cyber crime.”
Wingfield noted that countries who want to defend themselves face high hurdles. The threat of a cyber attack can be enormous, but might not be defined under international law as an “armed attack,” which would allow for an armed response. Clearing up the law in this area will provide a further means of deterrence, he said. But forging international agreements will take years and will require a progressive set of technical and diplomatic discussions, said John Mallery, a research scientist at MIT’s computer science and artificial intelligence laboratory.
“There is no international code of conduct for cyberspace,” said Charles Barry, a senior research fellow at the Center for Technology and National Security Policy at National Defense University, in Washington, DC. “Coalescing common rules will be long and arduous, requiring continuous dialogue among nations, the private sector, and international stakeholders.”
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today