Originally Posted by Chris Kirsch
"Prost Neujahr!" That's what we say for "Happy New Year" in Germany, where I just spent a few days with my family to relax and get away from work. A futile attempt, since the Bundesamt für Verfassungsschutz (Federal Office for the Protection of the Constitution, or BfV for short) decided to publish new statistics about cyber attacks. (And, yes, Germans love long words.)
According to the BfV's department for counter-espionage, the number of attacks on German government agencies has almost doubled - from 900 to 1,600 in the first nine months of 2010 compared to the previous year. The attackers are targeting political, military and economic organizations. According to the agency, a large majority of the attacks originate from government agencies in China. It's not surprising that this is the case. However, what's surprising is that the German government publicly calls the Chinese government out for these attacks. According to the BfV, China's attacks are getting more and more sophisticated and often use emails that contain malicious attachments - a simple attack, which seems to work just fine.
To protect against this new threat, Germany is founding the National Cyber Defense Center, a joint venture of the BSI, BfV, BND, and other agencies. A political solution to a political problem, but unlikely one that will reduce the effectiveness of these social engineering attacks, unless they focus on training the users (see blog post).
NATO already identified cyber warfare as a potential attack vector that could invoke the alliance. Fanned by the Stuxnet debate, NATO's general secretary Anders Fogh Rasmussen is debating whether computer viruses and tanks should be viewed at equal footing from a legal perspective. This sounds like the dark ages of cryptography where many countries placed strong cryptography under export control or even outlawed its use.
Applying the laws of physical weapons to the online world did not work then and is unlikely to work now. In 2007, Germany introduced a "no hacking tools" law that makes the publication of vulnerabilities or the distribution of hacking tools unlawful. This is hampering the work of white hat hackers because they can no longer legitimate find and warn about security issues, but it doesn't deter the criminals. Just think: Should we outlaw hammers because someone used one as a murder weapon? Outlaw murder, not the hammer. Otherwise, you are deterring the good guys from doing legitimate work. Also, Germany is effectively crippling its domestic talent pool to train experts in penetration testing to defend its network or, if we are intellectually honest, to launch counter-attacks.
Stopping China's attacks is far from easy, but there are better approaches. With the West being so dependent on China, a war with China is out of the question, and tariffs on Chinese goods would fuel domestic inflation. If hacking attacks are state-sponsored, the West must exert diplomatic pressures on China to stop the hacking attacks, threatening to favor investment in other countries such as India. If attacks are not state-sponsored but instead originate from organized crime, regular laws regarding financial crime or sabotage can be applied and criminals can be extradited and persecuted.
Have a safe and sane 2011! Prost Neujahr!