The most recent attacks on numerous Cyber infrastructure targets have once again raised issues of the vulnerability of the US to this sort of attack. It is back on the front pages of newspapers, and back in the first few minutes on broadcast news. Several details of the attacks are illustrative and hopefully instructive.
First was the magnitude of the attacks. One expert said that just one of the targeted agencies had been swamped with a DDoS attack of one million hits per second per attack vector. That added up to over 4 billion hits simultaneously. He went on to say that it would take somewhere between 30,000 and 60,000 computers to generate that sort of brute force. Who has that sort of “Cyber Army” at its disposal? Clearly, the danger of botnets comes to the fore again. How can we track and disable these threats that are in the hands of several nations, and several criminal syndicates? Right now we cannot.
Next is the issue of who was behind the attacks. Several news stories point to North Korea: one, servers in North Korea were used; two, the Republic of South Korea was also a target; and three, North Korea seems to like to poke us around Independence Day. However, Philip Reitinger of the Department of Homeland Security correctly said that we actually do not know for sure. The North Korean servers might in fact also be “victims” of some other perpetrator.
Thirdly, the unevenness of the US defensive posture was highlighted. The Department of Defense and the White House seemed to weather the attacks with little problem. Several other Federal Agencies took big hits, and were down for several days. The fact that our ability to defend ourselves is so different between agencies is an inherent weakness. We must develop a consistent level of protection across the government.
This situation is another reminder, one that did not “cost” us too much. But the need to fix our cyber defenses fast and well is truly apparent. We cannot deter what we cannot identify. We must improve our forensic capabilities now. The level of defensive capability that the Department of Defense displayed is heartening, but is still not enough, and needs to be shared across the government. Lastly, we need to recognize that cyber is the ultimate asymmetrical means of attack. Sure, it might be “easier” for a nation state to pull off, but it is also within the capability of anyone who can hire a criminal botnet.
The US is moving in the right direction, but not fast enough. We need even greater leadership, more emphasis, and greater cooperation between the public and private sectors. The next attack may do more than bring down websites and clog communications channels. We need to be ready, and presently we are not.