Panel Looks at Potential Collateral Damage

The Cyber 1.3 meeting on April 8, included a panel discussion entitled Collateral Damage in Cyber Operations, which discussed potential collateral damage from cyber attacks.

Moderated by Brendan Curry, vice president – Washington operations, Space Foundation, the panel featured remarks from Kurt Baumgartner, senior security researcher, Americas, Global Research and Analysis Team, Kaspersky Lab (pictured, right), and Douglas DePeppe, principal, i2 Information Security; co-founder, Western Cyber Exchange (pictured, left).

Highlights of Comments

Baumgartner:

The quintessential example of collateral damage is Stuxnet, in which poor coding has delivered at least 100K infections and it continues to spread two years later; the reason it was uncovered because customers saw machines crashing and going into endless loops … A recent trend is “watering hole” attacks (strategic web compromises) where, to get after a target, the attacker goes go after sites its target frequently visits … Attribution is difficult; it can be difficult to determine who is being attacked and it is not the industry’s job to identify exactly who they are defending from … every software design must have robustness, timeliness and quality of code; security must another become important factor in making tradeoffs, but the general public values features over security .. Stringent security can suffocate the free flow of information; so, secure operating systems are desirable for some functions, but that can be handled privately rather than globally … Cyber warfare weapons have possibility of serious collateral damage.

DePeppe:

We are in a period of revolutionary change that causes an imbalance that must be corrected to create law and order … The ubiquity of high-speed Internet has made an advantageous environment for cyber crime … We need to understand the frameworks in which we must respond; the current frameworks are civil society and military … in both areas, you generally have to know who is responsible before you go after the bad actor or you could have some serious consequences … the possibility of collateral damage should affect deterrence strategies, for example, licensing cyber hackback authorities can be a slippery slope and must be carefully handled … The Internet registration process has systemic deficiencies so it is difficult to stop bad actors without harming the innocent .. Asking users to protect themselves is not a viable approach; it must come from a higher-level authority and we must provide mechanisms for law enforcement to take action globally … We haven’t defined the cyber security, so we haven’t defined the problem we are trying to solve …The West is most at risk because we have much to lose and we are most open.

See More

See video here.

See photos here.