Feral Jundi

Friday, March 16, 2012

Technology: Dr. Regina Dugan Speaks At DARPA Cyber Colloquium, Sam Quint Reponds….

Boy, after listening to this, I am wondering if DARPA is reading the blog? I have talked about the Cyber Lance in the past, as well as Cyber Privateering and the issuance of the Letter of Marque, and the language I am hearing in this talk sounds a lot like Offense Industry talk to me. All I know is she really wanted to emphasize the complexity of the commons called cyber space, and that ‘capability’ must be explored for the defense and offense in such an environment.

I say offense industry because DARPA has been really exploring the possibilities for bounties. They also use rewards for contests as a prize for innovation. I know they are aware of the Letter of Marque concept because Michael Hayden brought it up in a speech, and myself and the Morgan Doctrine have been bringing it up in posts.

What is really interesting is that Dr. Dugan is heading off to work for Google. Google would be a fantastic place to work at, to truly explore the various ways to combat cyber criminals and enemies. She would also get an inside view as to what Google thinks is the answer.

As to my commentary on the whole thing?  I think I will let Sam Quint speak for me below…. lol –Matt

 

 

The honorable Sam Quint replies….

 

Tuesday, June 21, 2011

Letter Of Marque: Inching Closer To A World Of Cyber Privateering

Lately, there has been an increased intensity of hacking attacks on government and business. Of course, government is doing all it can to keep up and stop these hackers. And like the piracy problem on the high seas, hackers in the commons called cyber space are operating with virtual impunity.

To me, there are several areas of weakness that today’s hackers are exploiting. One is the shear enormity of the internet and cyber space, and all the potential targets that a hacker can attack. Like with the pirates of Somalia, hackers have plenty of ocean and are constantly searching for new hunting grounds and weaknesses to exploit.

Their rewards can be immense. Hack into a bank, steal information from a technology firm, or hack a government website and exploit that information. Or they do it because of the ‘lulz’ or the hell of it, just to prove they are the best. Or worse, they attack individuals. (companies or the government has done nothing to protect the little guys– like this blog, from attacks)  And these hackers can do it all from a terminal at some random location in the world.

The other thing at play here is scale. Once folks see for themselves how successful one group or individual is, then others will copy them. They will borrow brilliance and follow a model of operation that works, all to achieve a goal. And like today’s example of piracy, hacking spreads because it is inspired by the success of others and by the rewards of the risk taking.

It also spreads when money or organizational influence comes into play. China or a cartel from Mexico can easily do things to add fire to the world of hacking and cyber warfare. All nations add to scale of such things. Just wait until ‘plomo o plata‘ comes to the world of hacking, and then that is when cyber lances will really become essential.

Which brings me to the point of this post. Because this problem is only growing, there must be measures that equal the size and scale of this global deluge. Legal tools like the LoM must be considered to even the scale between black hat and the company use of white hat hackers. Of course it would be nice if government and it’s law enforcement apparatus could be large enough enough to apply the rule of law to all corners of the cyber universe. But like with today’s modern day scourge of piracy, government cannot be everywhere and at all times.

So here is where I like to take the next step forward.  Companies need the legal authority to effectively combat black hat hackers. That legal authority can and should come in the form of a Letter of Marque and Reprisal.  Or maybe a government can come up with a different title for this license.  But either way, by giving companies the legal authority to do what they need to do to combat the problem, they in essence help to put ‘the armed guards on boats’. (another analogy with today’s piracy problem)

Here is some more food for thought. If the targets of hackers are companies, then is the government the best tool to use to protect all of these companies out there?  Who would have more interest and incentive to protect a company’s infrastructure–a government or the the company itself?  Of course a company would love for someone to do it for free, but the problem here is that there is too much at stake to put the security of a company simply in the hands of a burdensome, bureaucratic and highly inefficient  government organizations. Government does not have the resources to watch over every company, and it does not have the personal motivation to defend a company’s assets to the fullest degree.

Yet again, the piracy analogy works for this example. All of the navies in the world have not stopped piracy, and if anything, the problem has grown. Likewise, the US government was not able to protect Sony, Google or Lockheed Martin from vicious hacking attacks, even though the government has cyber warfare units and tons of agencies tasked with monitoring cyber related activities.

So what is the solution?  I say government should listen to what the companies have to say about how best to help them. The government would also have to re-evaluate what ‘help’ really means, in the context of this problem. If a company says it is legally constrained when trying to defend against black hat hackers, then what is the logical solution?  Do you put the government’s police forces in charge of a company’s security anti-hacking units, or do we license a company to combat this problem?  To me, issuing a license to companies so they can actually compete with these black hat hackers, is the equivalent of putting ‘armed guards on boats’ to defend against Somali Pirates. It makes sense, and it answers the problem of scale.

It also sounds like this is the natural progression anyways?  The new DIB Cyber Pilot program sounds like another step towards empowering companies. With companies like Lockheed Martin, it behooves the government to help them because this company is very much a part of our national security.  So will licensing companies be the next ‘natural progression’ as an answer to this world wide scourge? I know myself, and the Morgan Doctrine blog will be following this stuff, and we will see….-Matt

 

 

Tuesday, May 31, 2011

Military News: Cyber Combat–Act Of War

To supplement my cyber lance post, this news, along with the attacks on L3 and Lockheed Martin or the Stuxnet attack on Iran’s nuclear facilities, all point to how important and dangerous this stuff really is. I will let the article speak for itself.

Also check out the Morgan Doctrine’s opinion about this story. The MD is a blog that promotes the concept of cyber privateers and tracks the world of cyber warfare and crime. –Matt

Cyber Combat: Act of War
MAY 31, 2011
Pentagon Sets Stage for U.S. to Respond to Computer Sabotage With Military Force
By SIOBHAN GORMAN And JULIAN E. BARNES
WASHINGTON—The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force.
WSJ’s Siobhan Gorman has the exclusive story of the Pentagon classifying cyber attacks by foreign nations acts of war. – News Hub
The Pentagon’s first formal cyber strategy, unclassified portions of which are expected to become public next month, represents an early attempt to grapple with a changing world in which a hacker could pose as significant a threat to U.S. nuclear reactors, subways or pipelines as a hostile country’s military.
In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. “If you shut down our power grid, maybe we will put a missile down one of your smokestacks,” said a military official.

(more…)

Wednesday, October 27, 2010

Letter Of Marque: The Morgan Doctrine–A Blog Dedicated To Exploring The Cyber Privateer Concept

     This is neat. A couple of days ago, Rick Bennet popped up on the blog to discuss the Letter of Marque and cyber privateering and I thought it was cool that he had a blog dedicated to exploring the concepts. This is good because we need more folks with a different eye to pick this stuff apart. Be sure to also check out Rick’s book and I have provided the link below.

     His recent post on Australia and the potential of them issuing a LoM is interesting, and I made the comment that the individual states there are free to structure their constitutions to allow things like ‘bills of attainder‘ . So a state setting up a Letter of Marque might not be a stretch. The Declaration of Paris comes into play as well, but if bills of attainder could be done, I don’t see how a LoM would be a bridge too far? So with that said, here is the link to his blog. –Matt

The Morgan Doctrine

By Rick Bennett

Author of Destroying Angel

     CYBER PRIVATEERS could be the new, effective, and highly paid army of swashbucklers. The Monroe Doctrine stated any attack in the Americas would be considered an attack on the United States. THE MORGAN DOCTRINE (after my fictional Morgan Rapier) asserts that any foreign cyber attack on US-based computers is an act of war, and retaliation (ie, looting) may take place on the perpetrator of that attack, wherever he/she/it may be located. Good policy or just a good novel?

Background: Welcome black hats, white hats and cyber swashbucklers

     The Revolutionary War was fought, financed, and pretty well WON by bonded privateers, legalized pirates who were given Letters of Marque and Reprisal by the Continental Congress and authorized to attack, capture and monetize British ships. The purpose of this site is to explore the possibility of a modern-day doctrine much like the Monroe Doctrine, by means of which the U.S. government could legally and, more importantly, effectively stop international hackers. Current cybercrime law is not only ineffective, but downright stupid. My Linux servers are attacked hundreds of times a day (mostly from China and former USSR domains), yet if I retaliate against those servers with some creative technology at my disposal (I know some VERY smart guys), then I am in violation of federal law and subject to some onerous penalties. We need more than a new law. We need a new international doctrine. I call it The Morgan Doctrine, named after Morgan Rapier, a fictional character I’ve created (hey, this is my way of establishing ownership of the concept, should it ever see the light of day).

     Why a new international doctrine? Simply, nothing else will work. Introduced on December 2, 1823, the Monroe Doctrine told the world to keep their hands off the Americas. Combine this with current legal thinking on “hot pursuit” of fugitives. In 1917 the US Army went into Mexico after Pancho Villa. More recently, in 1960 Israeli Mossad agents abducted Adolf Eichmann from Argentina. Granted, much of the world regards the Eichmann advanture as a violation of international law. I don’t share that opinion and therefore use it as the third leg of my Monroe-Pancho-Aldof platform for The Morgan Doctrine.

     If someone comes into your home and attacks or attempts to rob you, you may shoot them dead. You may do so as long as they expire on your property. But what about cyber criminals? They attack you in your home from their homes. Retaliate in kind, and you go to jail. The Morgan Doctrine states simply that if you attack my computers (or my banking assets held in US-based computers), then under a certain set of well-defined conditions, a licensed and bonded “cyber privateer” may attack you in your home country and split the proceeds with the U.S. government. For the sake of argument, let’s call it a 50-50 split (heh heh).

     Right now, American law enforcement is completely unequipped to deal with the sheer number international cyber hackers. Sure, I could report each of the thousand daily attacks to the FBI, as could the millions of other attackees in the USA. But the volume of such reports would make any meaningful resolution laughable. Not to mention that the FBI has no jurisdiction outside the USA. Yet to make such “enforcement” profitable to recognized (ie, “bonded” “deputized”) privateers, as Heath Ledger’s Joker said in his last role, “Now you’re talking!” You raid our bank accounts, we raid yours. You make money from off-shore child pornography, we’re going to loot your bank accounts and, with some REALLY creative black hat operations, you will be taken off the grid worldwide to the extent that you’ll not even complete a cell phone conversation for the remainder of your miserable depraved life. Okay, that last part probably won’t fly, but you get my drift.

     The purpose of this site is to explore the mechanics, legalities and practicality of The Morgan Doctrine.

     And I will be the sole arbiter of whether or not your comments get posted. As Mel Brooks wrote, “It’s good to be king.”

Link to blog here.

Powered by WordPress