
The government's announcement last week that it will set up
hacker teams to fight cyber attackers is the first public
acknowledgment that crime on the internet is running out of
control.
Robert Hannigan, the prime minister's security adviser, says the
government can no longer rely on defensive measures alone to
protect itself against cyber attacks, especially when it suspects
that some attacks are sponsored by other governments.
The move coincides with a similar project in the US, where the
US military plans a special unit to develop cyber-weapons to defend
military networks and help safeguard civilian systems.
But the idea of launching counter attacks breaks new legal
ground. In the past, UK law enforcement agencies have worked with
the FBI on sting operations, such as Dark Market, which trapped
hundreds of would-be hackers. Hannigan declined to speculate on
other tactics that might be used.
Robert Carolina, a lawyer who has specialised in cyber law,
says, "It was probably inevitable that governments would develop an
offensive capacity in cyberspace." The problem is how the UK can do
it without violating the Computer Misuse Act, he says.
Some practical steps, such as making firewalls query suspect
servers in a reverse distributed denial of service attack, would be
illegal if those servers were on UK soil. Law enforcement officers
would have to develop relationships with offshore jurisdictions
that would permit such counter-attacks or even pre-emptive attacks,
says Carolina.
Those are not the only problems. The government recognises that
identifying a hostile attacker is difficult.
The problem, says penetration tester Peter Wood, is that most
attackers hide behind networks of compromised PCs, known as
botnets. These are sometimes made up of thousands of PCs, usually
home-based, that have been turned into "zombies" by malware
collected while visiting compromised websites.
Wood says few people have the time or skills to protect their
home PCs adequately. "There is nothing wrong with commercial
anti-virus and firewalls, but they do not protect against internal
threats such as Trojans. Most people would find it hard to set up a
firewall that gave good protection."
Wood is concerned that retaliation could result in "collateral
damage" to innocent computer users. But Philip Virgo, spokesman for
Eurim, the parliamentary/industry group which has been lobbying for
the government to take action against computer criminals, was more
sanguine.
He says the world would tolerate "internet brown-outs" if some
compromised servers were taken off the net to preserve its overall
well-being. "This has been the elephant in the room. Now it is out
in the open we can start to tackle it in earnest."
The new Cyber Security Operations Centre (CSOC) is to be housed
at the government's electronic surveillance centre at GCHQ. Wood
says he hopes it will provide the public with better information on
how to do more to protect their home PCs, especially against
sophisticated "blended attacks".
"And it's not just PCs," he says. "Apple and Linux machines are
just as much at risk."
Website owners are also to blame. "Too many of them are sloppy
[with security]," he says. This allows criminals to compromise them
and then to infect unsuspecting visitors to the site.