Tag Archives: sanctions

Latest cyber lunacy: we are going to sanction the rest of the world!

In the latest example of the bureaucracy’s detachment from reality, the White House has just announced an executive order to sanction cyber attackers. Not to mention the checkered record of effectiveness of other sanctions, cyber sanctions are very difficult even to fathom.
For starters, who are we going to sanction? The whole history of cyber attacks clearly shows that determining the real source of cyber attacks with any degree of certainty is extremely difficult. Out of the thousands of attackers around the world we are able to identify only a handful in a year. Furthermore, those identified are not the most dangerous ones. The best we can do is to say that an attack came from a certain country.
So, who are we going to sanction — and how?
An individual attacker? Most of the identified hackers are not the most dangerous ones, often just scrip kiddies. But even then, how are we going to sanction them? Prohibit a teenager from the Ukraine to enter the United States? He doesn’t have the money to come here anyway. Bar him from McDonalds? He’ll find another place to get a hamburger. Prohibit a cyber dude from Nigeria from exporting oil? He’s unlikely to have any. Deny a sale of an F-16 to a company in Croatia? They probably don’t have a hangar to keep it in anyway.
A country? Unlikely. It’s a well known fact that most of the attacks, and definitely the most damaging ones, are “bounced” many times through “innocent” computers in other countries before being sent to the target. Given that, we’ll rapidly end up sanctioning the rest of the world. While this would become perpetual fodder for the press, it would be unlikely to have any real impact on cyber attacks. If anything, it would even increase them, when they start sanctioning us in retaliation. And chances are their sanctions would be more damaging than ours.
Besides, cyber attacks are already a felony anyway. That should be sanction enough — though it doesn’t seem to work.
The big question is, do we really understand what we’re doing in cybersecurity? It doesn’t seem so.
A better solution may be to sanction our own bureaucracy.