This is a post from my blog, which I have long since stopped maintaining. The page has been preserved in case its content is of any interest. Please go back to the homepage to see the current contents of this site.
In a press conference at the RSA Conference yesterday, Michael Chertoff, former Secretary of the US Department of Homeland Security, suggested that the principles of “cyber-war” could be influenced by those of nuclear deterrence.
“An attack on the US or its allies with a nuclear weapon would be responded to with overwhelming force. …countries should be able to respond to cyberattacks ‘with overwhelming force’.” [ZDNet]
In my humble opinion, this ranks pretty high up there on the list of Worst Ideas Ever.
Nuclear deterrents are reasonably easy to secure (so long as you’re not Pakistan). A nuclear warhead is a giant chunk of metal, too big to carry, stuck in a silo or an Air Force base or a submarine under the Arctic circle – no-one’s going to make off with that. You can be sure that if a nuclear strike happens, it is launched by a nation state with a target chosen by that state.
Not so the cyber-WMD. While we can assume that for now, government agencies probably have the best tech around for launching and countering network-based attacks, what the government has today, a 13-year-old script kiddie will have tomorrow. Whatever form these defensive online weapons take, they’re just software. They can be stolen, hundreds of thousands of copies fitting in a spy’s pocket. They can be reverse-engineered, manipulated in the wild, copied and spread around. They can be placed to guard a network from which an attack on US online interests is launched, pitting one bit of software against the other until no bystanders are left.
To say nothing of the fact that most sustained attacks originate from botnets, leaving the government the choice of going after the central control servers, leaving the bots themselves to carry on, or nuking some of their own citizens off the internet. Add to that the complication of using this technology against foreign citizens, and it becomes an unholy mess.
No, I believe cyber defence should learn from immunology, not nuclear deterrence. Do the minimum possible to fix the problem, because sooner or later, something will attack you that’s immune to your fix. If you’ve deployed your H-bomb and it hasn’t killed everything – and in the online world, it never will – the next thing that hits you will be H-bomb proof. And then you’re screwed.