We don't know if any of our readers have been following the Cyberwar in Estonia over the last few weeks. It's been hard to get a complete account of what has been happening (essentially a Distributed Denial of Service - DDoS - via spam-triggered botnets), but there is a good precis in the Economist this week. To quote:
At full tilt, the onslaught on Estonia was also of a sophistication not seen before, with tactics shifting as weaknesses emerged. “Particular 'ports' of particular mission-critical computers in, for example, the telephone exchanges were targeted. Packet 'bombs' of hundreds of megabytes in size would be sent first to one address, then another,” says Linnar Viik, Estonia's top internet guru. Such efforts exceed the skills of individual activists or even organised crime; they require the co-operation of a state and a large telecoms firm, he says. The effects could have been life-threatening. The emergency number used to call ambulances and the fire service was out of action for more than an hour.
This has of course been predicted for some time by 'net security experts, sci-fi writers and even the odd consultant who dabbles in IP security.
However, it is still concerning now that it has happened, partly because of the point made above - that it probably required the collaboration of a part of a state and/or a large telecoms company - but also partly because the average net user (as well as many innocent social nets, special interest groups etc) is unaware of even the basic requirements for protection, and it is not clear what most of the major B2C players are doing to protect their customers' data (or themselves) in the event of such massive targeting.
We noted last year that we thought 2007 would be the year that the first serious abuse of the broadband 'net would come, but we never thought it would be like this. We expected (and still do expect) the main attack to be on 'net consumers' deeply detailed identities that can be collated by the likes of Google, Facebook etc - the potential value is so high that it's hard to see any one company being able to prevent a concerted attempt.
In a small way it was brought home via the spam on my new OpenCoffee account - I haven't had something like that for a while from an eGroup, but it shows the number of people willing to disrupt the net is very large, and willing to go after relatively small beer (or coffee....) - and they keep on popping up if not kept under constant surveillance.
As Bruce Schneier puts it:
“It is easier to come up with a new attack than with a new defence,”
So what to do...you can't really build fully secure networks nor watch all the people on the net.
There is a way to go with the "speedbump" solutions - do basic things that are pretty 80/20, that raise the bar so that the attack has to come from a fairly savvy quarter. The strongest defence, says Frank Cilluffo (quoted in the Economist), may be resilience: “the ability to reconstitute quickly, recover and absorb.”
But how to do that as a small business, or even a large one.....the resource needs are probably more than any one company can muster?
It's a problem...and an opportunity no doubt.
At any rate, it's probably a very, very good time to start thinking about it - and the related area of privacy - both as a customer and a service provider. This stuff, like spam before it, will only get more prevalent. The potential returns are too high today.
Postscript....in a parallel development, Google has just bought a virtual malware startup.