Written by Shaun Waterman
Phil Quade, formerly the NSA’s top cyber official and White House liaison, calls himself “an Apollo guy” — a big fan of the huge Saturn V rockets which took Americans to the moon in the 1960s. So he rears back when people use the term “moonshot” to lend credibility to a vague idea like “making the internet safe.”
“You have to define it,” he says, echoing other critics who’ve suggested that the term “cyber moonshot” lacks the clarity and simplicity of the original lunar mission — to get a man to the moon and bring him back safely.
But Quade’s own moonshot — one of a couple of ideas he and other White House staff developed in the waning days of the Obama administration — is very clear and simple, he says: To build a national capacity to counter distributed denial-of-service (DDoS) attacks.
“You need to get the carriers, the solution providers and the Department of Defense together … [in a] public-private partnership,” he said. “It’s a light-touch governance model.”
DDoS attacks, which flood their targets with junk data in order to knock them offline, have grown larger and more powerful every year since the teenage hacker MafiaBoy ushered in the year 2000 with an online assault which took down then-nascent e-commerce sites like Amazon, eBay and Yahoo.
That attack, and most DDoSes since, was carried out by botnets, huge networks of computers infected — unbeknownst to their innocent and unwitting owners — with malicious software which allows hackers to control them remotely. But last year, attention began to focus on a new breed of botnet, one powered not by traditional computers but by internet-connected smart devices like surveillance cameras.
Mirai was the most notorious of these internet of things botnets, 100,000 devices strong at its apogee. Just over a year ago, on Oct. 21, 2016, it took internet infrastructure provider Dyn offline — causing internet outages, particularly on the east coast. But that attack was also attributed — with “medium confidence” by threat intelligence outfit Flashpoint — to a MafiaBoy-type “script kiddie.”
Much more alarming is the possible construction of massive botnets by adversary nations like Iran, which is thought to have been behind a series of DDoS attacks against major U.S. banks in 2012.
Nation states might have the resources and the personnel to sustain a Dyn-style attack over weeks or months — crippling a U.S. economy which now relies on the internet.
The problem, says Quade, is that, when it comes to DDoS attacks, private-sector companies — even those, like banks, that are vital to national survival — are on their own.
“Each individual company in the U.S. is expected to be able to withstand a [DDoS] attack by Russia or China or North Korea,” said Quade, now an executive with cybersecurity company Fortinet.
“Rather than have each individual company take on the DDoS problem, what if we developed a national counter-DDoS capability that could be leveraged by those who need it” as they come under attack, he told CyberScoop.
The public-private partnership he envisages would “take advantage of the different expertise and authorities” inside and outside the federal government.
A possible role for the government agency most capable in the cyber realm is complicated by public perception and legal issues, he noted. “You’re not going to say, ‘Let’s put the NSA on everyone’s desktop (computer).’ It just doesn’t make sense.”
There are three capabilities needed, said Quade:
- Bandwidth: “One way to counter a DDoS attack is to throw bandwidth at it. The private sector’s really good at providing bandwidth … so maybe you should have all the [big internet traffic] carriers involved to be able to quickly [ramp up] bandwidth to stop the bleeding” when an attack happens.
- Segmentation: “Separating out the assets [under attack]” or sinkholing the attack traffic — figuring out which data packets come from the botnet and just not delivering them. “It’s another commercially available solution.”
- Upstream Mitigation: “You don’t want these companies hacking back [against the perpetrators] so maybe you invoke U.S. Cyber Command, which is both authorized and capable of carrying out foreign operations” to get back at the attackers and stop the assault at its source.
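Of the three capabilities, the segmentation step is the one a network defender implements in software: decide which packets come from the botnet and stop delivering them. The block below is an added example, not code from the article, from Fortinet or from any carrier. It aggregates per-source packet rates toward each destination over a short window, flags a destination as under attack when its total inbound rate crosses a threshold, and then sinkholes only the sources that are individually contributing far more than a normal client would, so legitimate users keep flowing. All IP addresses, thresholds and flow records are constructed for illustration.

```python
"""Toy sinkhole decision engine for volumetric DDoS traffic.

Added example, not code from the article or any product it mentions.
Flow records, addresses and thresholds are constructed (hypothetical).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed tuning values for the example.
WINDOW_S = 10          # length of the observation window, seconds
TARGET_PPS = 1000      # aggregate inbound rate that marks a destination as under attack
PER_SOURCE_PPS = 100   # per-source rate above which a sender is sinkholed


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since the start of the window
    src: str       # source address
    dst: str       # destination address
    packets: int   # packets carried by this flow record


def aggregate(flows, window_s):
    """Return {dst: {src: packets_per_second}} for records inside the window."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if 0 <= f.ts < window_s:
            per_dst[f.dst][f.src] += f.packets
    return {dst: {src: n / window_s for src, n in srcs.items()}
            for dst, srcs in per_dst.items()}


def sinkhole_decisions(flows, window_s, target_pps, per_source_pps):
    """Return the set of (src, dst) pairs whose traffic should be dropped.

    A destination counts as under attack only when its aggregate inbound rate
    exceeds target_pps. For such a destination, every source sending more than
    per_source_pps is sinkholed; sources below that rate (ordinary clients)
    are still delivered even while the target is being flooded.
    """
    decisions = set()
    for dst, srcs in aggregate(flows, window_s).items():
        if sum(srcs.values()) <= target_pps:
            continue  # destination is not under attack; touch nothing
        for src, pps in srcs.items():
            if pps > per_source_pps:
                decisions.add((src, dst))
    return decisions


def deliver(flows, decisions):
    """Return the flow records that would actually reach their destination."""
    return [f for f in flows if (f.src, f.dst) not in decisions]


def build_sample_flows():
    """Constructed sample: five bots flood one target while two clients browse."""
    flows = []
    target, other = "203.0.113.10", "203.0.113.20"
    # Five bot sources, 2000 packets per second each toward the target.
    for i in range(1, 6):
        for sec in range(WINDOW_S):
            flows.append(Flow(sec, f"198.51.100.{i}", target, 2000))
    # One legitimate client talking to the target at a modest rate (5 pps).
    for sec in range(5):
        flows.append(Flow(sec * 2, "192.0.2.7", target, 10))
    # Ordinary traffic to an unrelated destination (30 pps).
    for sec in range(3):
        flows.append(Flow(sec * 3, "192.0.2.8", other, 100))
    return flows


if __name__ == "__main__":
    flows = build_sample_flows()
    dropped = sinkhole_decisions(flows, WINDOW_S, TARGET_PPS, PER_SOURCE_PPS)
    for src, dst in sorted(dropped):
        print(f"sinkhole {src} -> {dst}")
    print(f"delivered {len(deliver(flows, dropped))} of {len(flows)} flow records")
```

The per-source threshold is the weak point of this simple scheme: a botnet large enough that each member stays under the per-source rate would pass straight through, which is exactly why a carrier-scale view and extra bandwidth, the other two capabilities in the list, are needed alongside it.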
“The idea,” explained Quade, “is to get each of these capabilities pre-planned and pre-costed, in place now before a crisis so that they can be invoked in time of need.”
Quade said he was pleased that the Trump administration appeared to be taking the idea of a national counter-DDoS capacity seriously, although he said he hadn’t followed the consultation process launched by the president’s National Telecommunications and Information Administration, an agency with the Department of Commerce.
In a May executive order, President Trump directed the NTIA, along with the Department of Homeland Security, to “lead an open and transparent process to identify and promote action by appropriate stakeholders” with the goal of “dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”
After analyzing initial public comments, NTIA said in September that its draft report on the issue will be released for public comment on Jan. 5 next year. Following a 30-day comment period, NTIA will stage a workshop to discuss the plan of action and the final report, which is due to the White House on May 11, 2018.