If I say it over an over again, it must be true …

By On · Add Comment · In Cyberwar, Security, Resiliency, and Scaling Blog, SP Security, Uncategorized

“Keeping to your message, repeat it many many time, and ignore the criticism” are key principles of success in Washington DC policy work. It does not matter if the message is true, based on facts, or have any empirical data to support your assertion. The point is the “message” is a tool to support the policy agenda. Ignore the collateral damage from the message’s consequences, just keep driving the message. This approach is having a dire effect on the cyber security posture of all global telecommunications and the Internet. It diverts attention from the real issues to the “message of the week” that supports some other policy agenda.

Lets look at an example from James Clapper, the director of National Intelligence, to the Senate Armed Services Committee. In this case the asserted “message” is communicated to Kevin Fogarty at IT WORLD:

On April 8, 2010, network administrators at the state-owned China Telecom threw a switch that rerouted “massive volumes” of data from other countries through Chinese networks rather than the more secure paths they were supposed to take, according to the U.S. spy chief.

China Telecom routers stopped advertising real Internet routes in favor of fake ones that caused huge chunks of the Internet to believe the road to China was the route actually their regular route, for 17 minutes.

The re-routed traffic, which could have been captured, compromised or copied with no one being the wiser, put huge amounts of potentially sensitive U.S. military and corporate data at risk, according to James Clapper, director of National Intelligence, to the Senate Armed Services Committee yesterday.

The incident was just one of a series of attacks, exploits and intelligence-gathering efforts launched by an increasingly well-equipped and effective Chinese cyberwar effort that was part of a “dramatic increase in malicious cyber-activity targeting U.S. computers and networks,” during 2010, he said.

- From “Cyberwar is coming, spy chief warns, but offers no help” by by Kevin Fogarty

The “message” being asserted is that the network incident on April 8th 2010 was intentional.

The problem with this assertion is that it is not based on the data. As Craig Labovitz points out in a series of blog post:

Both at the time of the incident in April and prior to my posting of this China hijack blog, I had private conversations with operations staff at several of AS23724′s upstreams, network operators around the world, collaborators in other security companies, and Arbor’s own resident engineers in the region. All of these private discussions reflect the sentiment espoused in public engineering forums that the China hijack had modest to minimal impact on Internet traffic volumes, including this RIPE statement, NANOG discussion thread and even the BGPMon blog at the heart of the controversy.

I will add to this data. In my “cybersecurity” capacity at the time of the incident, working as a key Operational Security member of the community, and a accountable party responsible for security incidents at the company I worked at on April 8, 2010, I contacted my peers in side China. This issues was expressed as a operational goof. These “operational goofs” are normal. We see them all the time in the Internet. They are considered to be operationally impacting, but not intentional. Just human error.

Yet,  when the people who design, build, and operation the Internet say “April 8, 2010 was not a security incident,”  policy makers chooses to ignore the experts. Why? Because the facts to not align with the “message.” :-(

To add more data to the inaccuracies of the “message,” look at the following:

Possible Cause
I have not spoken with engineers from AS23724, so I can only speculate. Given the large number of prefixes and short interval I don’t believe this is an intentional hijack.
Most likely it’s because of configuration issue, i.e. fat fingers. But again, this is just speculation.

- From BGPMon Blog – one of the major transparency tools we use to monitor all of the Internet.

 

Ok, now we’re getting somewhere. So, did the April 8th event target the US Government?No, almost certainly not.

On April 8th, starting at 15:50 UTC, China Telecom incorrectly asserted ownership of more than 50,000 different blocks of IP addresses. This is the source of the “15% of the Internet” factoid that you’ll hear floating around. One small part of China Telecom (autonomous system number 23724, used for operations in Beijing, not their primary countrywide ASN 4134) made this assertion, and nobody disbelieved them. Within a few minutes, they “grew” to more than 1,000 times their normal size, and started to receive some of the traffic bound for these 50,000 networks.

The media have reported that the hijacked addresses included victims in the US Government, sites in .mil, and so forth. Which is true.

In fact, it was such a broad shotgun blast of address space that it included networks from 170 different countries, including 16,000 from the USA. It also included 11,500 hijacked networks… from China! Asian networks were disproportionately affected (China, Korea, India, Australia, Japan), because they were closer to the source. Several different governments had networks among the victims, as you’d expect by pure chance, out of such a large sample.In summary, the scattershot nature of the hijack suggests a random mistake, not a deliberate attack on anyone in particular. Of course, it’s impossible to know for sure.

- From Renesys Blog James Cowie – a company who specialty is to monitor the entire Internet for resiliency and stability (so a company can pay someone to insure their network does not get hijacked).

 

Here we have three major sources of data that point out that April 8, 2010 was not a “China Hijacking incident using BGP.” Do the facts from the experts matter to the Washington “message?” No. Is this fixation on the “message” a problem with the security of the Internet? YES!

Why is this normal policy approach a security threat to the Internet? The message supports a policy agenda. The policy agenda is not stated nor linked to the facts. The facts are what we use to build better networks. It is engineering 101. It is science 101. Ye, when a the facts counter a policy agenda that policy agenda will override the good engineering and science for some other goal. A goal that is not necessariyly moving towards a more security Internet. A goal that will increase the cybersecurity risk.

BGP Hijacking is a threat. As you can see in a NANOG video presentation “Hijacking Mitigation: Something is Better Than Nothing,” the feasibility to perform BGP Hijacking is real. The community who operate the Internet have some tools we use today to monitor, alert, and mitigate BGP Hijacking. The community also has developments that will improve the BGP security on the Internet. But this work can be disrupted by conflicting “policy agendas.”

If you are a reporter writing about “Cyberwar” and getting quotes from government policy makers, ask hard questions. Do your homework. The Internet Operations community is not shy on stating the real facts. The good, the bad, and the ugly Internet data is usually there to validate or disprove the “message.”

Tagged with →  
Share →