According to an Associated Press report, the director of the National Security Agency told Congress the U.S. should respond in force to computer-based attacks -- even when the attacker is not known. Is that possible, and is it a good idea?

Gadi Evron, CEO & Founder, Cymmetria, head of Israeli CERT, Chairman, Cyber Threat Intelligence Alliance

April 15, 2010

He also suggested the option of preemptive cyber offensives: "Lt. Gen. Keith Alexander, who is the Obama administration's nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyberattacks."

Whether a country should respond to computer attacks is a question for policy makers and diplomats -- not unlike any other decision to employ force on behalf of a nation. A much more important question is what he means when he says a counterattack should be launched even when the offender isn't known.

The nature of information warfare (or cyberwarfare, if you prefer) is that you may know who your rivals or enemies are, but have no actual idea who is attacking you. An attacker can hide behind the Internet's inherent anonymity or even pretend to be someone else entirely.

Before launching an attack, we may want to know where to aim it, which requires intelligence.

"In cyberspace, he said, it is difficult to deliver an effective response if the attacker's identity is not known."

But commanders have clear rights to self-defense, he said. He added that while "this right has not been specifically established by legal precedent to apply to attacks in cyberspace, it is reasonable to assume that returning fire in cyberspace, as long as it complied with law of war principles ... would be lawful."

Senators noted, in their questions, that police officers don't have to know the identity of a shooter in order to shoot back. In cyberspace, the U.S. may be able to counter a threat, rebuff an electronic probe or disable a malicious network without knowing who is behind the attack.

The senators' analogy is a false one. When shooting back at a mugger, even if you don't know him, you are likely to hit your attacker.

On the Internet, when you shoot back you are likely to hit an innocent bystander, with a lot of collateral damage to boot.

I believe what Gen. Alexander was referring to is the legal ability to both:

  1. Shoot back when the identity is in fact known.

About the Author(s)

Gadi is CEO and founder of Cymmetria, a cyber deception startup and chairman of the Israeli CERT. Previously, he was vice president of cybersecurity strategy for Kaspersky Lab and led PwC's Cyber Security Center of Excellence, located in Israel. He is widely recognized for his work in Internet security and global incident response, and considered the first botnet expert. Gadi was CISO for the Israeli government Internet operation, founder of the Israeli Government CERT and a research fellow at Tel Aviv University, working on cyber warfare projects. Gadi authored two books on information security, organizes global professional working groups, chairs worldwide conferences, and is a frequent lecturer.
