When does a cyber attack by another nation cross the line and become an official act of war?
I suspect that I wasn't the only person who asked himself that question this week -- and I hope that some of those people were at the highest levels of the federal government.
As I'm sure you read or saw on the news, beginning on the Fourth of July and continuing well into the week, government and private company Web sites in the United States and South Korea were attacked by unidentified hackers who tried to crash them. Target institutions in the U.S. included the departments of Transportation, State and Treasury, the White House (reportedly), the New York Stock Exchange, Yahoo and the Federal Trade Commission.
The type of attack was a so-called "distributed denial of service," a classic hack that attempts to overwhelm targeted sites with massive amounts of data -- and thus freezes out access by anyone else.
In this case, the vehicle appears to have been a well-known software "worm" that was reprogrammed -- and not particularly well, it seems -- for the task. Still, for all of its crudeness, the attack did work. In the U.S., some sites were down for as much as 24 hours. In South Korea, some remained crashed Thursday.
There have been reports that officials in both countries say the attacks appear to have been launched from inside North Korea but refuse to place the blame any more precisely.
Yeah, right. As if all of those millions of middle-class teenaged private owners of broadband connected laptops all over that electricity black hole called the People's Republic of North Korea spontaneously decided to hack the Web sites of another country's government and largest corporations.
We all know why Washington (and to a lesser degree, Seoul) doesn't want to point fingers. After all, once you fix blame for an act of aggression, you're then supposed to do something about it. And, the reasoning goes, you don't want to make Pyongyang angry because those guys are a bit, well ... unpredictable. They could do anything, like maybe aim twice as many missiles at Hawaii next time, or put two freighters filled with weapons to sea.
So instead, we resort to our usual response to these kinds of cyber attacks: We blame ourselves. And that's why, right on schedule, the feds, security experts, and bloggers all shook their heads in dismay and in unison decried the obvious failure of our security programs to protect our vital online information. Once again, we sat back, waited for another attack -- and when it succeeded, at least partially, we wrung our hands and asked why we can't defend ourselves better.
I think the real question we should be asking ourselves is: Why do we continue to see defense as our only option? After all, if there is one thing every cop and security expert knows, it is that given enough time, a burglar can break into any home, no matter how tightly locked, and a robber can crack any safe, no matter how elaborate. So, why have we convinced ourselves that our online property can remain safe behind an electronic Maginot Line, no matter how tall and thick?