US can launch automated cyber-attacks, says Snowden

Problems with attribution mean that automated responses to say DDoS attacks could hit those spoofed or used for routing attacks.

Edward Snowden appearing via video link at SXSW
Edward Snowden appearing via video link at SXSW

Former NSA system admin and Dell/CIA IT specialist Edward Snowden claims that the pro-active approach the US government takes with its automated cyber-attack reaction technology could cause severe problems for intermediate nations.

The problem stems from the routing of internet access via third-party countries, using a technique known as IP spoofing.

Put simply, if China launches a DDoS flood attack against a US server, but routes/spoofs the origin IP address as, for example, Norway, then a retaliatory automated attack could end downing elements of Norway's internet infrastructure, rather than those of China.

Whilst IP spoofing has been known about since the late 1980s and used since the early 1990s, Snowden says the use of automated retaliation by the US government - using an NSA system known as MonsterMind - could have severe consequences for almost any country where the servers are being spoofed.

In his latest interview with Wired, Snowden asserts that MonsterMind could damage countries caught in the middle.

"These attacks can be spoofed," Snowden told the magazine. "You could have someone sitting in China, for example, making it appear that one of these attacks is originating in Russia. And then we end up shooting back at a Russian hospital. What happens next?"

Snowden says that MonsterMind has significant potential for problems, since it needs access to nearly all private communications coming into the US in order to work.

"If we're analysing all traffic flows, that means we have to be intercepting all traffic flows. That means violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time," he explained.

Interestingly, the NSA - whilst not commenting directly on the existence of MonsterMind to Wired - does seem to back up Snowden's comments, with a spokesperson telling the magazine that, "if Mr Snowden wants to discuss his activities, that conversation should be held with the US Department of Justice. He needs to return to the United States to face the charges against him.”

According to digital forensics specialist Professor Peter Sommer, the issue of cyber-attacks going wrong and causing unwanted damage on deployers and their allies was one that he raised in an OECD report of three years ago.

"The larger the desired impact the greater the chance that the attacked system triggers effects on other dependent systems and causes a cascade," he said.

Professor Sommer - a Visiting Professor with de Montfort University - explained that automated responses to supposed intrusions are incredibly dangerous and stupid.

"Firstly, this is because intrusion detection systems are themselves prone to false positives which require human interpretation as well as false attribution of possible attacker. And secondly, because any cyber-attack requires careful research to assess actual impact," he explained.

Professor John Walker, a Visiting Professor with the Nottingham Trent University's School of Science and Technology, meanwhile, said that - regardless of your personal opinion of Snowden - there is little doubt that his assertions have revealed some key issues with the US government's approach to national and allied areas of US security.

"I remember talking to Howard Schmidt [cyber-security coordinator for the Obama Administration until May 2012] that he would never entertain having a hacker present at an ISACA event, but he later changed that stance. I think that the IT security industry is still very divided when it comes to a whistle blower like Snowden, but the good that he has revealed definitely outweighs the negative aspects of his actions," he said.

"The bottom line with Snowden's assertions are that he has undoubtedly made people - in all the right places - sit up and take notice of their security shortcomings. In this instance, what he says makes a lot of sense, and it is highly likely that the automated attack process of MonsterMind could cause problems for intermediate nations," he added.