Re: Your counsel on defeating DDOS Attacks

Pascal Meunier wrote:
> The policy-setters of the US should realize that if the
> internet is going to be an infrastructure of the economy,
> then it should be treated with the care, resources and law
> enforcement power that other infrastructures get.

Mike Prosser wrote:
> Who is going to set these standards, enforce them....I don't
> know the answer to that one.  Do we have "big government"
> set the standards?  That's how BS7799 is being driven in
> Britain, but how would that fly elsewhere?  Do we make the
> standards voluntary? Anyone who wants to abide by them can,
> those that don't won't....no teeth, how do you enforce
> those? Somewhere in between is my best guess.


The comments by Pascal and Mike have sparked some good discussions
here at MITRE.  While this may be too late for Alan's deadline,
here is my take on those discussions.  Consider this as a
potential caveat to all of the good technical suggestions that
have already been offered.

Dave Mann


As responsible technologists, we must always be aware of the
limitations of what technology can accomplish. To that end,
we must be careful to not perpetrate the myth that the
information security problem and its solutions are purely
technological.  In particular, there are important legal and
political issues that must be addressed for real change to
take effect.

Until the legal landscape of cyberspace becomes better
defined and until issues surrounding liability, criminality
and jurisdiction are decided, we are doomed to an
ineffectual game of technological cat and mouse with
cyber-criminals. Definitions of responsibility and liability
must be determined, and meaningful consequences must be
established for all who are involved with the internet in
any way.

While the government is a critical part of the solution, we
also recognize that there are good reasons for the broader
community to shape and define as much of this landscape as
possible, especially in the early phases.  The establishment
of the internet (like the establishment of other technologies
such as the automobile, the telephone, electric power,
railroads and others) is fundamentally altering how we live
and conduct business.  It is difficult to determine issues
of legality during those times when new infrastructures are
being established.

However, eventually citizens demand the rule of law to
protect the rights of the individual, and business demands
the rule of law to protect commerce.  The ultimate solution for
preventing or mitigating the distributed denial of service
attacks of the future will necessarily involve both technological
advances and the creation of a larger legal framework that
will allow those who are responsible to be held


David Mann                     ||  phone: (781) 271 - 2252
INFOSEC Engineer/Scientist, Sr ||
Enterprise Security Solutions  ||    fax: (781) 271 - 3957
The MITRE Corporation          ||
Bedford, Mass 01730            || e-mail: damann@mitre.org

Page Last Updated or Reviewed: May 22, 2007