At Black Hat, a search for the best response to China

ARLINGTON, Va. -- Google's revelation last month that attacks out of China resulted in the theft of some of its data drew attention to the broader question at the Black Hat conference here over what can be done to the villains.

Cyberattacks give rise to anger and a very human desire to strike back, but pursuing attackers in ways that matter isn't accomplishing much. The number of people who are arrested and convicted for any of the phishing attacks, intrusions and thefts is tiny.

Several countries, Russia and China in particular, don't want to cooperate on cybersecurity enforcement, said Andrew Fried, a security researcher at the Internet Systems Consortium, a nonprofit group, and a former special agent at the U.S. Treasury Department. "The reality is they don't want to do squat to help anybody," he said, on a panel at the cybersecurity conference today.

After an attack, such as the China-Google incident, there's always interest in establishing "attribution" - identifying the source of the attack. But Jeff Moss, the founder of Black Hat and director of the conference, questioned whether too much emphasis is placed on that effort. Moss also serves on the Department of Homeland Security's security advisory council.

"We should be spending more energy on dealing with the containment of an attack, reducing the effects of an attack," Moss said. "I don't think we will ever be able to stop the attack."

Techies can argue over the source of the Google attack, Moss said, but "is China ever going to extradite anybody? No," he said. "Are we going to go to war over it? No. So we should probably have a mechanism, a strategy in place, for mitigating, minimizing these attacks."

Last month, Google said it was considering pulling out of China after revealing the attacks.

Secretary of State Hillary Clinton, in a recent speech on Internet freedom, offered an impassioned defense for the "freedom to connect." But Moss questioned whether Clinton was proposing a U.S. policy for the Internet akin to the "freedom of seas model."

"The U.S. Navy spent a lot of time beating up pirates," Moss said. "Is that a call for us to go police the cyber seas ... or does it mean something else, because I don't think that we've got the capability [to defend] the world's cyberspace and keep it free."

Google's battle with China in some ways is little more than a sideshow compared with what some companies are dealing with. Take GoDaddy, for instance, the world's largest domain registrar with more than 38 million domain names. Ben Butler, director of network abuse at GoDaddy, said his department's 19-member staff conducted 232,000 investigations last year over a range of abuses, including spam, phishing and copyright enforcement.

For its trouble, GoDaddy is sued 30 to 40 times a day over the actions it takes, such as suspending a domain, but despite those attempts, "nobody has been successful in suing us yet," said Butler, who was also on a panel.

Among the multitude of security issues, spam is high on the list. Although most spam is caught in traps, there's enough that gets by to prompt Richard Cox, the CIO of The Spamhaus Project Ltd., a U.K. nonprofit group that tracks spam senders and services, to offer what may be a novel theory as to one of the enablers of the housing bubble. He claimed that spam contributed significantly in the selling of subprime mortgages.

But Cox was particularly harsh on the U.S. efforts to address security issues. Air travelers may be screened and searched for explosives, but foreign entities can easily establish a server foothold with co-location providers. "You wouldn't let it happen at the airport, so why would you let the ISPs do it? That's effectively what you are doing," he said on a conference panel.

In another panel, Nicholas Percoco, senior vice president of SpiderLabs at Trustwave, highlighted the need for more focus on protection. His company's research has found that the lapse between initial breach and detection in an organization's security systems is about 156 days.

"Attackers basically know that they have unlimited amounts of time once they get into an environment," he said.

The conference keynote speaker, Gregory Schaffer, DHS assistant secretary of the Office of Cybersecurity and Communications, was asked by one attendee about the U.S. responsibility to defend against attacks launched in other countries.

"I think the DHS role, at this point, is to defend the federal civilian executive branch networks," Schaffer said. "We have a leadership role in assisting with the .com space," he said, referring to the commercial sector.

Patrick Thibodeau covers SaaS and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld. Follow Patrick on Twitter at @DCgov.


Copyright © 2010 IDG Communications, Inc.
