
Wednesday, July 27, 2011

Noah Shachtman’s Pirates of the ISPs

Two posts in one day? I'm on fire! It's easy to blog when something interesting happens, and I can talk about it.

I wanted to mention the publication of Pirates of the ISPs: Tactics for Turning Online Crooks Into International Pariahs by Noah Shachtman, acting in his capacity as a Nonresident Fellow for Foreign Policy in the 21st Century Defense Initiative at The Brookings Institution. I read and commented on an earlier draft, and I think you will find Noah's paper interesting. From the introduction:

Cybercrime today seems like a nearly insoluble problem, much like piracy was centuries ago. There are steps, however, that can be taken to curb cybercrime’s growth—and perhaps begin to marginalize the people behind it.

Some of the methods used to sideline piracy provide a useful, if incomplete, template for how to get it done. Shutting down the markets for stolen treasure cut off the pirates’ financial lifeblood; similar pushes could be made against the companies that support online criminals.

Piracy was eventually brought to heel when nations took responsibility for what went on within its borders. Based on this precedent, cybercrime will only begin to be curbed when greater authority—and accountability—is exercised over the networks that form the sea on which these modern pirates sail.

I agree with this. My original comments to Noah emphasized that not all malicious activity on the Internet is crime, nor is it conducted by criminals. For example, I wince whenever I see the term APT in the same sentence as crime or criminals (never mind seeing the "cyber" prefix). As long as you keep Noah's emphasis on true crime in mind while you read the paper, I think you will find it compelling. Great work, Noah!

Saturday, December 13, 2008

Indian Navy Demonstrates that Offense Stops Pirates

Clearly the Indian Navy doesn't understand vulnerability-centric security. If they did, they wouldn't have captured 23 pirates "who tried to take over a merchant vessel in the Gulf of Aden, between the Horn of Africa and the Arabian Peninsula." They also wouldn't have "exchanged fire with a pirate 'mother vessel' off the hijacking-plagued Horn of Africa, leaving the ship ablaze." Someone needs to teach these Indian sailors that the best way to stop pirates is to "build security in" when merchants construct ships!

I guess the Indians read my Offense Kills Pirates post. Maybe they decided to Take the Fight to the Enemy. Whatever the reason, good for them. Instead of commercial shippers being the only party suffering higher costs in this piracy environment (due to losses, higher insurance, increased salaries, etc.), now it's more expensive for pirates too.

Yo ho ho, pirates. We're coming for you soon. When will we take the same attitude to cyber pirates?*

*Note: I don't mean those the RIAA/MPAA calls "pirates."

Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

Friday, May 16, 2008

Offense Kills Pirates

I just finished watching a great program on my favorite channel (The History Channel) called True Caribbean Pirates. It traces the story of piracy in the Caribbean from the 16th through the early 18th centuries. I was mostly interested in learning how the great powers of the day dealt with this problem, since I blogged about modern Pirates in the Malacca Strait and 18th and 19th century pirates off the Barbary Coast.

If many modern information security practitioners had been tasked with protecting commerce in the face of piracy, they would probably have bought ever more elaborate but largely ineffective defensive measures.

Instead, the royal navies of the area decided to hunt down pirates and hang them. Sure, the pirates continued their raids for a long time, but eventually the main players (England, France, Spain, Holland) stopped warring amongst themselves and directed their offensives against the pirates.

We're not going to see any fundamental changes in information security until those we elect to protect our rights rise to the task and go on the offensive. Private companies (especially modern ones) aren't in a position to "strike back" against threats -- that's the role for the police and militaries of the world. It's time to kill some pirates, not leave "critical infrastructure protection" to the "private sector."

For related thoughts please see last year's post Taking the Fight to the Enemy Revisited.

Sunday, April 13, 2008

Aaron Turner and Michael Assante on Freedom of the Cyber Seas

Thanks to Nick Selby I learned of a sequel to the great historical security paper Infrastructure Protection in the Ancient World. Michael Assante is back, joined by another security vet, Aaron Turner, discussing Freedom of the Cyber Seas. The authors compare the threat of naval piracy during the Jefferson administration with the current digital threat. Prior to Jefferson, US policy was to pay protection money to stop pirates seizing US goods.

Opposing John Adams' pirate payment policy, Jefferson championed the slogan coined by U.S. Representative Robert Goodloe Harper in 1789: "Millions for defense, not one cent for tribute." Jefferson was also a proponent of the Mare Liberum or "Freedom of the seas" doctrine first documented in international law by Dutch jurist Hugo Grotius in 1609. Freedom of the seas was of supreme importance to the success of the United States. If America could not deliver its goods and conduct free trade, the country could not survive economically.

Following his inauguration in 1801, Jefferson translated his anti-tribute rhetoric into policy by refusing to meet the Bashaw's demand for $225,000 from the new administration. The Bashaw declared war on the United States and cut down the flagpole flying the Stars and Stripes in front of the U.S. Consulate in Tripoli. Jefferson responded by sending a group of American warships to defend U.S. interests in the Mediterranean. From 1801 to 1805, U.S. Navy and Marine units engaged Barbary forces on both land and sea.

This is a great victory for the anti-piracy movement, and in theory I agree that there are lessons for digital security. I wrote about modern pirates in my post Pirates in the Malacca Strait because I believe in Taking the Fight to the Enemy. However, the way Jefferson's war ended will not work for digital security:

Finally, four years of hostilities culminated in the Battle of Derna, during which American forces routed the Tripolitans and forced the Barbary States to agree to a peace treaty, which was signed in Tripoli on June 10, 1805. The First Barbary War was the debut of American military forces' capability to project a U.S. president's policy beyond his own borders. (emphasis added)

This campaign worked because Jefferson got a set of state actors to sign a peace treaty. I don't see how we can do that with digital threats, from criminals to economic spies to nation state actors. Prosecutors have been fighting organized crime in the US for over a century. Companies have always competed in plain sight and in hidden areas. Intelligence actions have also been a constant throughout history.

To have a chance at success, I think our strategy needs to differentiate according to the threat. We'll have to pursue an anti-crime strategy for the criminals, a counter-business intelligence strategy for the economic spies, and a counter-intelligence strategy for the foreign intel services.

I agree with the following:

The first step would be for the United States to develop a consistent policy that articulates America's commitment to assuring the free navigation of the "cyber seas." Perhaps most critical to the success of that policy will be a future president's support for efforts that translate rhetoric to actions--developing initiatives to thwart cyber criminals, protecting U.S. technological sovereignty, and balancing any defensive actions to avoid violating U.S. citizens' constitutional rights. Clearly articulated policy and consistent actions will assure a stable and predictable environment where electronic commerce can thrive, continuing to drive U.S. economic growth and avoiding the possibility of the U.S. becoming a cyber-colony subject to the whims of organized criminal efforts on the Internet.

It would be ironic if the Air Force Cyber Command became the force that patrolled and defended the "cyber seas". The Navy is too busy taking over the traditional Joint world from the Army to be able to counter the Air Force's cyber march.

Thursday, April 19, 2007

Pirates in the Malacca Strait

Given my recent post Taking the Fight to the Enemy Revisited, does this AP report sound familiar?

Countries lining the Malacca Strait have vastly improved security in the strategic shipping route over the last five years, the top U.S. commander in the Pacific said on Monday...

Attacks in the Malacca Strait have been on the decline with only 11 cases last year compared to 18 in 2005 and 38 in 2004, according to the International Maritime Bureau, a maritime watchdog...

Indonesia, Malaysia and Singapore began stepping up their surveillance by coordinating sea patrols in 2004 and following with air patrols a year later.

Last August, the British insurance market Lloyd's lifted its "war-risk" rating for the waterway, saying the safety of the 550-mile-long strait had improved due to long-term security measures.
(emphasis added)

Despite this development, Malaysia is looking for alternatives to shipping when transporting oil, according to this article:

A proposed oil pipeline project to pump oil across northern Malaysia could lower transportation costs and avoid risks of pirate attacks on tankers.

The US$14.2-billion project would involve building a 320-kilometre pipeline across northern Malaysia, linking ports on the two coasts, officials in northern Kedah state announced...

Crude oil would be refined in Kedah, pumped through the pipe to Kelantan on the east coast and then loaded onto tankers bound for Japan, China and South Korea, completely bypassing Singapore and the Malacca Strait, which lies off peninsular Malaysia’s west coast.

The strait, which carries half the world’s oil and more than one-third of its commerce, is shared by Malaysia, Indonesia and Singapore. It is notorious for robberies and kidnappings by pirates, but attacks have fallen following increased security patrols in 2005.
(emphasis added)

I see two lessons here. First, shipping companies did not try to "patch" their way out of this problem. There is no way to address all of the vulnerabilities associated with transporting oil by tanker. A two-pronged approach was taken. First, to protect ships, governments increased security patrols to deter and repel pirates. Ships did not get equipped with Yamato-size deck guns and battleship armor. Second, an alternative means to transport oil is being considered. This is a form of backup or redundancy to ensure oil still flows if the Strait becomes too dangerous.

I think these stories have plenty of lessons for digital security. Of course the next step would be going after the pirates directly, before they ever reach friendly ships. Consider the history of the US Navy:

Operations Against West Indian Pirates 1822-1830s

By the second decade of the 19th Century, pirates increasingly infested the Caribbean and Gulf of Mexico, and by the early 1820's nearly 3,000 attacks had been made on merchant ships. Financial loss was great; murder and torture were common.

Under the leadership of Commodores James Biddle, David Porter and Lewis Warrington, the U.S. Navy's West India Squadron, created in 1822, crushed the pirates. The outlaws were relentlessly ferreted out from uncharted bays and lagoons by sailors manning open boats for extended periods through storm and intense heat. To the danger of close-quarter combat was added the constant exposure to yellow fever and malaria in the arduous tropical duty.

The Navy's persistent and aggressive assault against the freebooters achieved the desired results. Within 10 years, Caribbean piracy was all but extinguished, and an invaluable service had been rendered to humanity and the shipping interests of all nations.

That's what I'm talking about.

Thanks to geek00l and mboman for discussing pirates in #snort-gui for inspiring this post.