At Black Hat, a search for the best response to China

Finding cybervillains in the middle of a war may not be worth the effort

ARLINGTON, Va. -- Google's revelation last month that attacks out of China resulted in the theft of some of its data drew attention to the broader question at the Black Hat conference here over what can be done to the villains.

Cyberattacks give rise to anger and a very human desire to strike back, but pursuing attackers in ways that matter isn't accomplishing much. The number of people who are arrested and convicted for any of the phishing attacks, intrusions and thefts is tiny.

Several countries, Russia and China in particular, don't want to cooperate on cybersecurity enforcement, said Andrew Fried, a security researcher at the Internet Systems Consortium, a nonprofit group, and a former special agent at the U.S. Treasury Department. "The reality is they don't want to do squat to help anybody," he said, on a panel at the cybersecurity conference today.

After an attack, such as the China-Google incident, there's always interest in establishing "attribution" - identifying the source of the attack. But Jeff Moss, the founder of Black Hat and director of the conference, questioned whether too much emphasis is placed on that effort. Moss also serves on the Department of Homeland Security's security advisory council.

"We should be spending more energy on dealing with the containment of an attack, reducing the effects of an attack," Moss said. "I don't think we will ever be able to stop the attack."

Techies can argue over the source of the Google attack, Moss said, but "is China ever going to extradite anybody? No," he said. "Are we going to go to war over it? No. So we should probably have a mechanism, a strategy in place, for mitigating, minimizing these attacks."

Last month, Google said it was considering pulling out of China after revealing the attacks.

Secretary of State Hillary Clinton, in a recent speech on Internet freedom, offered an impassioned defense for the "freedom to connect." But Moss questioned whether Clinton was proposing a U.S. policy for the Internet akin to the "freedom of seas model."

"The U.S. Navy spent a lot of time beating up pirates," Moss said. "Is that a call for us to go police the cyber seas ... or does it mean something else, because I don't think that we've got the capability [to defend] the world's cyberspace and keep it free."

Google's battle with China in some ways is little more than a sideshow compared with what some companies are dealing with. Take GoDaddy, for instance, the world's largest domain registrar with more than 38 million domain names. Ben Butler, director of network abuse at GoDaddy, said his department's 19-member staff conducted 232,000 investigations last year over a range of abuses, including spam, phishing and copyright enforcement.

For its trouble, GoDaddy is sued 30 to 40 times a day over the actions it takes, such as suspending a domain, but despite those attempts, "nobody has been successful in suing us yet," said Butler, who was also on a panel.

Among the multitude of security issues, spam is high on the list. Although most spam is caught in traps, there's enough that gets by to prompt Richard Cox, the CIO of The Spamhaus Project Ltd., a U.K. nonprofit group that tracks spam senders and services, to offer what may be a novel theory as to one of the enablers of the housing bubble. He claimed that spam contributed significantly to the selling of subprime mortgages.

But Cox was particularly harsh on the U.S. efforts to address security issues. Air travelers may be screened and searched for explosives, but foreign entities can easily establish a server foothold with co-location providers. "You wouldn't let it happen at the airport, so why would you let the ISPs do it? That's effectively what you are doing," he said on a conference panel.

In another panel, Nicholas Percoco, senior vice president of SpiderLabs at Trustwave, highlighted the need for more focus on protection. His company's research has found that the lapse between initial breach and detection in an organization's security systems is about 156 days.

"Attackers basically know that they have unlimited amounts of time once they get into an environment," he said.

The conference keynote speaker, Gregory Schaffer, DHS assistant secretary of the Office of Cybersecurity and Communications, was asked by one attendee about the U.S. responsibility to defend against attacks launched in other countries.

"I think the DHS role, at this point, is to defend the federal civilian executive branch networks," Schaffer said. "We have a leadership role in assisting with the .com space," he said, referring to the commercial sector.

Patrick Thibodeau covers SaaS and enterprise applications, outsourcing, government IT policies, data centers and IT workforce issues for Computerworld.
