Home / Blogs

Time to Play Offense

The United States is under cyber-attack. An article in Time magazine titled “The Invasion of the Chinese Cyberspies” discusses a computer-network security official for Sandia National Laboratories who had been “tirelessly pursuing a group of suspected Chinese cyberspies all over the world.”

The article notes that the cyberespionage ring, known to US investigators as Titan Rain, has been “penetrating secure computer networks at the country’s most sensitive military bases, defense contractors and aerospace companies.” It should be noted that a recent Washington Post front page story on Titan Rain stated there is a dispute among US analysts as to whether “the attacks constitute a coordinated Chinese government campaign to penetrate U.S. networks and spy on government databanks…” or are “the work of other hackers simply using Chinese networks to disguise the origins of the attacks.”

Time magazine claims they obtained a Pentagon alert “that raises the concern that Titan Rain could be a point patrol for more serious assaults that could shut down or even take over a number of U.S. military networks.” A DOD official was quoted as saying “When we have breaches of our networks, it puts lives at stake.” U.S. allies have also been attacked. Britain’s National Infrastructure Security Co-Ordination Center warned that these “electronic attacks have been under way for a significant period of time, with a recent increase in sophistication.”

However, the Time article explains that “Federal rules prohibit military-intelligence officers from working with U.S. civilians…” and that U.S law forbids Americans from to hacking into foreign computers. Thus, the Sandia employee investigating Titan Rain was fired and stripped of his security clearance. The Department of Energy said that the official’s “after-hours sleuthing…was an inappropriate use of confidential information he had gathered at his day job” even though he was working with the FBI and other federal officials.

“Titan Rain presents a severe test for the patchwork of agencies digging into the problem,” according to Time. “The FBI would need high-level diplomatic and Department of Justice authorization to do what” the former Sandia official “did in sneaking into foreign computers.” Furthermore, “if any U.S. agency got caught, it could spark an international incident.”

Although a robust defensive is essential for protecting national cybersecurity, the US also needs to play offense. Going of the offensive does not mean taking rash actions or sanctioning rogue or illegal operations. Instead, a good offense will require sober, thoughtful and creative analysis. However, playing offense does mean recognizing that passive defense alone will likely prove insufficient to protect national security.

Filed Under


Fergie  –  Aug 30, 2005 7:00 PM

Very nicely articulated.

- ferg

Jonathan Rubin  –  Sep 9, 2005 6:04 PM

The Department of Justice has produced written documentation available in the public domain stating both the Russian and Chinese have Cyber Warfare directorates in their respective military.  Consequently, this should be of no surprise to the FBI, since the pamphlet I have was provided at a public forum by a Special Agent that used to run the Chicago InfraGard chapter (http://www.infragard.net/).

As for our offensive capacity, I would be dismayed if our assorted intelligence and military alphabet soups weren’t on top of it.  Hopefully, that we have no definitive evidence of our offensive capacity and activity is a result of their skills, as opposed to their lack of existence.

Matthew Elvey  –  Sep 9, 2005 8:35 PM

Interesting stuff.  Certainly sounds like a mess; reminds me of two recent issues:
1) the American who rotted in Iraqi jail for around 2 months because no one in the military was willing to make a decision.  (Interviewed on one of those 1 hour news programs on one of the networks.)
2)The Patriot Act.  (It was justified largely as making cooperation possible where it had previously been illegal, but research showed that the cooperation had generally already been possible.)
I wonder if the rule that the employee broke was a rule that would require legislative or Presidential action to change.
Certainly, the article leaves me wanting more information.  Too bad we’ll never see the other side of the argument for his termination - it seems totally unjustified.  “Federal rules prohibit…” is so unclear.

Matthew Elvey  –  Sep 9, 2005 8:42 PM

I wonder if there is any malware out there that only attacks, or avoids attacking, IPs based on the believed location of the IP.  It would be exceedingly easy.  I believe malware already exists that only attacks allocated IP space.

Warning: conspiracy theory ahead!
Isn’t it odd that there are many very virulent virues and many very destructive viruses, but no very virulent virues, very destructive viruses?  If I worked for such an agency, I’d be releasing virulent, non-destructive virueses.  They do a good job finding, identifying, and encouraging the closure of security holes.

Fergie  –  Sep 9, 2005 8:50 PM

RE:Matthew Elvey’s conspiracy theory comment about non-destructive viruses.

They exist—they’re called botnets. They install crimeware, some thay use keyloggers.

I suppose, however, that one could classify wiping out one’s bank account as destructuve, though. :-)

- ferg

Jonathan Rubin  –  Sep 9, 2005 9:27 PM

Mathew, there have been such viruses.  One actually attempted to install the patch.  Another attempted to seek and destroy a bad virus.

The difficulty lies with several issues.  The first, there are so many variables involved; a well intentioned virus could easily cause problems.  There are a variety of programs that prove incompatible with certain patches, hot fixes and service packs.  Consequently, many I.T. departments can’t implement them until those conflicts are resolved.  Sometimes, the conflict cannot be resolved.  If this is the case and the software is mission critical and too complex, expensive or not supported, the I.T. department may decide not to allow an update to the OS.

Second, it’s much easier to destroy than it is to create - particularly in a complex environment with so many variables.

Third, many people wouldn’t want that control taken from them.  The fact is, most of us really don’t know what’s happening when we install a patch, or a program or even run a wizard.  We take it on faith that the outcome will most likely be positive.  To not even have approval capability would be frightening to users with any concerns about privacy and/or security.

As for IP ?attackware? - the problem is IP addresses can be spoofed, can be generated from zombies, can be rotated, etc.  However, what you describe is a distributed denial-of-service attack (DDoS).  DDoS is a common outcome of some of the well known viruses.  There?s entirely too much that can go wrong and cause much more damage than good.

Remember, PCs penetrated the consumer marketplace more rapidly than any other major purchase.  Faster than color television, even faster than VCRs.  PCs are infinitely more complex than either of those items.  If someone doesn?t want to learn how to program a VCR, they miss a show.  If they don?t want to learn how (or hire someone) to maintain their PC, they can ruin the PC, be a danger to national security, expose themselves to a variety of unpleasantness.  However, that?s their choice to forgo that responsibility.  There are people that don?t maintain and/or lock their car and they often pay the price as well.

Some companies, SBC/Yahoo and AOL for instance offer security suites as part of the product.  It?s a great idea.  I think the marketing and execution could see some improvement, but it?s much better than nothing at all.  It?s the same with Microsoft?s Security Center in XP.  However, if someone is resistant to upgrading, as many are, they must take responsibility for that decision.

It comes down to culture.  As people who were born prior to 1970 die, I expect to see more cyber responsible behavior, because people will have grown up with a cyber centric environment.  Patching, etc. will be second nature to them.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global


Sponsored byDNIB.com

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API


Sponsored byVerisign

Domain Names

Sponsored byVerisign