Cyber Commander Says It's 'Not Realistic' To Shut Down Internet (washingtonexaminer.com) 123
An anonymous reader links to a report on Washington Examiner: It simply would not be possible to shut down areas of the Internet that terrorists use to conduct malicious activity, the head of U.S. Cyber Command told a Senate panel on Tuesday. "In a very simplistic way, people ask why can't we shut down that part of the Internet. ... Why are we not able to infiltrate that more?" Sen. Joe Manchin, D-W.Va., asked Cyber Command leader Adm. Mike Rogers during a hearing on the agency's budget for fiscal 2017. Manchin maintained it was a common question from his constituents. "I've had people ask me, can't you just stop it from that area of the world where all the problems are coming, be it Syria or in parts of Iraq or Iran," he said. "I'm not just trying to find an answer, because that question is asked like shut her down, like you do your telephone, but it doesn't work that way," Manchin concluded.
Yes it is (Score:1)
Resilient by design (Score:5, Informative)
Knuckleheads. ARPAnet and MilNet were designed to be resilient against centralized attack and outages.
"THE INTERNET IS DOWN!! THE INTERNET IS DOWN!!"
Re: (Score:2)
centralized attack and outages.
On network infrastructure. I'm not sure they envisioned such wildly insecure and widespread endpoints, even within government (and military!) walls. They envisioned bombs taking out data-centers. They clearly didn't envision the low orbit ion cannon.
Re: (Score:1)
On network infrastructure. I'm not sure they envisioned such wildly insecure and widespread endpoints, even within government (and military!) walls.
Considering that the original version of the internet had your computer hooked directly to the backbone or pretty close to it with no security features at all as firewalls etc hadn't been developed yet, I'd say they couldn't have envisioned anything else. LAN/MAN/WAN etc were just descriptions of how degraded your connectivity became (across a LAN it was OK, WAN could be a 12Kbps link)
Re: (Score:2)
Re:Resilient by design (Score:5, Interesting)
No we don't. The Internet considers censoring as damage and routes around it. Each country has telephone lines and satellite communications. If you shut down the "Internet" from routing through it's common carriers (fiber etc) someone can hang a few thousand 56k modems on their phone systems and call in to their neighbors or even through the censoring country and connect all their traffic that way. Same goes for satellite, just bounce it around a few times and it can come from anywhere.
That's how Syrians and Iranians were still able to connect after their countries shut down their internets.
Re: (Score:2)
WiFi is good for a LONG way, and a lot of bandwidth, too, especially if you use an old big-ugly-dish satellite antenna reflector at one or both ends.
(Then there's OpenBTS and the like for bringing up cellphones - and bridging them to VoIP - when the government has spiked that network...)
Re: (Score:3)
You can still "turn off the internet" for a country you don't like, but it will require bombs to be thorough. Or for an island nation, there will be few enough cables to cut.
Obviously, TFA was distinguishing between a routing-only solution and military action, but I'm, not sure how legitimate that is. At some point (as dependence on the internet increases) taking a nation off the internet becomes just as much an act of war as sending your navy to blockade trade, at which point you might as well include so
Re: (Score:2)
How would that effect the sat connections, or even wifi connection that could be setup to route around the damaged undersea cables? I have worked with people doing 25 mile 802.11 hops using a pizza box antenna, it is quite doable. So, unless the country is Australia, I think it won't be an issue getting linkups through your blockade.
Re: (Score:2)
Nice one. Never heard that before.
One, that should be "its". Two, "common carrier" doesn't mean what you think it does.
Right. Personal satellite ownership is almost universal in those countries.
Re: (Score:2)
Actually personal satellite dishes and even 2 way transponders for satellites are quite common in the Middle East. That's the primary way that people there get TV and the more rich also get data and phone communication that way. Al Jazeera for example is primarily satellite based broadcasting.
Re: (Score:1)
I think he was referring to personal satellites.
Re: (Score:2)
No we don't. The Internet considers censoring as damage and routes around it
Not so much anymore.
Even I had a 100Mbp connections and my neighbor across the border had the same, and we decided to connect them, we'd be able to cross browse, but the internet at large would still be pretty much down because we can't advertise the route.
And even if we could, the amount of traffic that might try to come through might overwhelm and render the link so saturated as to be useless for all but the simplest tasks. (e.g. anything that needed a tcp connection would suffer too much packet loss to w
Re: (Score:2)
No we don't. The Internet considers censoring as damage and routes around it
Not so much anymore.
Even I had a 100Mbp connections and my neighbor across the border had the same, and we decided to connect them, we'd be able to cross browse, but the internet at large would still be pretty much down because we can't advertise the route.
So Country A blocks Country B; Country B then gets to Country A via Country C, or via C-D-E-F.
The option is basically to block everything outside your borders - in which case the Internet becomes an Intranet - or allow everything because if even one Allowed external entity has a route to someone you don't want to have access then that someone can get access to your network.
And that's not taking into account hopping via Sat-Com or Modems, etc as mentioned in the thread, which is yet another way to dial
Re: (Score:2)
So Country A blocks Country B; Country B then gets to Country A via Country C, or via C-D-E-F.
You are attacking the wrong problem. Country A doesn't want to block traffic from country B reaching country A. Country A wants to take country B off the internet entirely; and country A is already engaged militarily with B so it has options that include doing stuff IN country B.
So country A physically destroys the big fiber optic bundles at the borders and disables the satellite uplinks of country B by military force.
Country B is now pretty effectively cut off from A, C, D, E, F...
Re: (Score:2)
So Country A blocks Country B; Country B then gets to Country A via Country C, or via C-D-E-F.
You are attacking the wrong problem. Country A doesn't want to block traffic from country B reaching country A. Country A wants to take country B off the internet entirely; and country A is already engaged militarily with B so it has options that include doing stuff IN country B.
So country A physically destroys the big fiber optic bundles at the borders and disables the satellite uplinks of country B by military force.
Country B is now pretty effectively cut off from A, C, D, E, F...
Except Country A cannot necessarily or even practically prevent Country B from having connections with any other Country (C, D, E, F). Country A can sever connections between Country A and Country B, but that will not prevent connections between Country B and Country C, D, E, or F. Country A can realistically only isolate itself.
A good example of how this really plays out and how difficult it is to really maintain such an enforcement is the Great Firewall of China. Now they're 99% of the example in that
Re: (Score:2)
Except Country A cannot necessarily or even practically prevent Country B from having connections with any other Country (C, D, E, F).
We simply aren't talking about the same thing.
You are trying to deny internet access to individuals in country B. And yes, that is extremely difficult to do.
I am talking about denying internet access to the country at large. And that is relatively easy to do. Because those few individuals near the border with satellites that didn't get bombed, or within cellular coverage range (perhaps via custom antenna configurations) they are JUST getting access for themselves and an extremely small local group. They are
Re: (Score:2)
Except Country A cannot necessarily or even practically prevent Country B from having connections with any other Country (C, D, E, F).
We simply aren't talking about the same thing.
You are trying to deny internet access to individuals in country B. And yes, that is extremely difficult to do.
I am talking about denying internet access to the country at large. And that is relatively easy to do. Because those few individuals near the border with satellites that didn't get bombed, or within cellular coverage range (perhaps via custom antenna configurations) they are JUST getting access for themselves and an extremely small local group. They aren't restoring the "internet" to that country.
Says who? They could set that up and have a connection running to be a provider for the country at large. Heck, the government could do it and provide internet to everyone. I didn't say a thing about *who* did it, just that it could be done - meaning *anyone* could do it, and thus restore connectivity.
Or take Mesh Networking into account (802.11s), and again it's accessible to anyone within range of the mesh network - hence the country at large, even if the country at large is routing through a couple Me
Re: (Score:2)
I didn't say a thing about *who* did it, just that it could be done - meaning *anyone* could do it
That's a really weird definition of 'anyone' can do it. Most people CANNOT do it, and the people who can do it all belong to very specific organizations. That is pretty much the opposite of 'anyone'.
Further, even if they've got the ability to advertise new routes locally, good luck being able to get whatever entity they are connected to wirelessly to advertise the route. Best case, the small number of people who might be able to get the domestic internet to route packets along adhoc routes still aren't goin
Re: (Score:2)
I didn't say a thing about *who* did it, just that it could be done - meaning *anyone* could do it
That's a really weird definition of 'anyone' can do it. Most people CANNOT do it, and the people who can do it all belong to very specific organizations. That is pretty much the opposite of 'anyone'.
Further, even if they've got the ability to advertise new routes locally, good luck being able to get whatever entity they are connected to wirelessly to advertise the route. Best case, the small number of people who might be able to get the domestic internet to route packets along adhoc routes still aren't going to be able to get their foreign counterparts to advertise those ad hoc routs, so no packets are coming back.
If you want to go there, then you obviously missed the headlines last year that a lot of the Internet infrastructure is open to attack simply because it's extremely trusting that when someone advertises a route they actually own that route. Don't recall if that was fixed or not, but it was actually used to subvert some routes IIRC.
Again, it's just a matter of *who* is doing it. If the Country wanted to provide the service, they'll find a way to provide the service, even if it's just for government use
Providing individuals internet service really has nothing to do with the internet's ability to route around damage though.
Actually it does because the routes that allow one to from A to B to C may be able to be comprised of A->D->C or A->B->D->E->C. The route may not be the most ef
Re: (Score:2)
Actually it does because the routes that allow one to from A to B to C may be able to be comprised of A->D->C or A->B->D->E->C
I can't tell if I'm not explaining it well, or if you are just being dense. Lets try again, with a specific example.
Lets say your home is on Comcast cable for internet.
Lets say ALL of comcasts perring links get cut. Everyone on comcast loses their internet. You're internet goes down. Your still getting an ip address from comcast, you can ping other comcast users, but you can't reach anything outside the comcast network. With me so far?
Lets say *I* happen to have both comcast cable and verizon wireless inter
Re: (Score:2)
Actually it does because the routes that allow one to from A to B to C may be able to be comprised of A->D->C or A->B->D->E->C
I can't tell if I'm not explaining it well, or if you are just being dense. Lets try again, with a specific example.
Lets say your home is on Comcast cable for internet. Lets say ALL of comcasts perring links get cut. Everyone on comcast loses their internet. You're internet goes down. Your still getting an ip address from comcast, you can ping other comcast users, but you can't reach anything outside the comcast network. With me so far?
Lets say *I* happen to have both comcast cable and verizon wireless internet. So I still have internet.
There is absolutely nothing I can do to share that link back to comcast and give all those comcast users internet. I simply cannot configure my gear to automagically let comcast know that hey I've still got internet, feel free to route some packets through me; so that suddenly you and all comcasts customers have some internet access again.
If comcast has a million customers, and 100,000 of them have random other connections, dialup, sateliite,ceullar, whatever, they all can get internet access, their really is no practical way for them bring *comcast* back 'online' by somehow 'sharing' those links.
Well, depends on the policies - namely around whether you have a public IP or and ability to run as a server; most ISPs allow people to run as servers primarily to please gamers. It's actually easier now to get a public IP and server allowance for consumers than it has generally been in the past. And so technically yes you can. That doesn't mean Comcast would be happy about it, but then for your scenario - they'll probably be wanting to talk to improve things because they won't be happy about not being ab
Re: (Score:2)
So it simply needs a core change in internet protocols, a design changed from all allowed and only some blocked to all blocked and only some allowed. Pretty much what it needs to be to be considered as suitable as an internet for minors, this versus an internet for adults. Basically with an all blocked and only some allowed network, unless it is verified, checked and audited, it's traffic is blocked by default at routers, this means you can not route around that block because you only can route to other blo
Re: (Score:2)
You're talking about creating a trusted network, and that will never work. Never, ever, ever. It will never work because all you have to do to compromise it is exploit a trusted host, and that is guaranteed to happen.
Re: (Score:2)
The internet you use may be walled gardens. I like my TCP/IP though, perhaps I'm one of the few that still remembers that we still have an Internet without Facebook and Google.
Re: (Score:2)
But there are people out there who strap bombs on their bodies and kill non-combatants in order to create a better, more just world. (In their demented minds)
Re: (Score:1)
"THE INTERNET IS DOWN!! THE INTERNET IS DOWN!!"
Yeah, well, with three strikes, it will be in your house. Service provision is conveniently accomplished through a small number of big corporations that will be more than happy to flip the switch and turn off your internet.
Re: (Score:2)
typical helpdesk conversation (Score:1)
This is pretty much off topic.
"THE INTERNET IS DOWN!! THE INTERNET IS DOWN!!"
Helpdesk: "Have you tried going to google.com?"
Customer: "Oh, that's coming up fine."
Re:Resilient by design (Score:5, Informative)
ARPAnet and MilNet were designed to be resilient against centralized attack and outages
During the evolution from those networks to the current, commercialized, information utility, much of that design was abandoned. We have migrated from an everything-is-redundantly-multiconnected, route around failures, survive a nuclear exchange system to a hierarchy, with a distinction between core and edge, where loss of certain boxes can shut down 10,000 to 100,000 end user sites.
(That's why those boxes are designed with internal reduncancy, like a telephone exchange. And I know them intimately, having spent over a decade designing parts of them.)
The core/backbone does retain some of the features of the Internet's cold-war-survival origin (though the transition to fiber and physical ring layouts made that more vulnerable to multipoint failures, as well.) So some of it still has part of the old robustness.
Then there are new services which added new dependencies (and sometimes new surprises when something goes down or goes away and a lot of stuff breaks).
And to top it off, the discussion is not about government actors managing to taking the net down, but identifying and surgically cutting off a designated portion of it.
So arguing from the characteristics of the robust-against-nukes network design we once had - and haven't had for decades - isn't particularly germaine.
Re: (Score:2)
ARPAnet and MilNet were designed to be resilient against centralized attack and outages
During the evolution from those networks to the current, commercialized, information utility, much of that design was abandoned. We have migrated from an everything-is-redundantly-multiconnected, route around failures, survive a nuclear exchange system to a hierarchy, with a distinction between core and edge, where loss of certain boxes can shut down 10,000 to 100,000 end user sites.
(That's why those boxes are designed with internal reduncancy, like a telephone exchange. And I know them intimately, having spent over a decade designing parts of them.)
The core/backbone does retain some of the features of the Internet's cold-war-survival origin (though the transition to fiber and physical ring layouts made that more vulnerable to multipoint failures, as well.) So some of it still has part of the old robustness.
Then there are new services which added new dependencies (and sometimes new surprises when something goes down or goes away and a lot of stuff breaks).
And to top it off, the discussion is not about government actors managing to taking the net down, but identifying and surgically cutting off a designated portion of it.
So arguing from the characteristics of the robust-against-nukes network design we once had - and haven't had for decades - isn't particularly germaine.
You seem to have missed the resiliency of the Internet on 9/11 and how even though several major core backbone connections running under Twin Towers were completely severed almost no one noticed.
Crappy headline - forgot "areas of" (Score:4, Insightful)
>> not be possible to shut down areas of the Internet that terrorists use
Big difference. Unfortunately, I see these kind of inquiries leading to a "why don't we have a great big 'murican firewall" train of thought in a year or two.
Re:Crappy headline - forgot "areas of" (Score:5, Funny)
We can have Nigeria pay for it.
Re: (Score:1)
Well the wealthy Nigerian prince can afford it.
Re: (Score:2)
Re: (Score:2)
China has one why can't we have one too?
I'm being sarcastic.
BGP (Score:3)
Not really. The internet was designed to route around damage, not deliberate breakage. It's taken decades to get more secure, and it's still not really there. Any serious network routing guys here want to speculate about how easy deliberate breakage would be? What if you cut all the big pipes and used all the satellite connections to send bad routing updates all the time, for example? I haven't looked at this stuff in years, but vaguely remember stories of small BGP misconfigurations taking most of a c
Re: (Score:3)
Sure, you can broadcast bad routes. It's happened (on accident) in the past before. Typically backbone providers just filter the network sending those bad routes, and have everything fixed within a day. Worst case scenario is the US ends up being separated from the rest of the internet because nobody trusts us. A much more likely scenario is US free interconnects go away, and we end up having to pay for traffic to take whatever path the other networks deem best when going to the US.
If the US injects bad
Re: (Score:2)
One could potentially just NULL route the IPs
ip route a.b.c.d c.i.d.r NULL0
The routes wouldn't propagate to the rest of the Internet, yet traffic would be blocked at the border in both directions. Just convince the the bigger ISPs to add them to their border routers
Re: (Score:2)
That is a rational proposition.
Re: Cyber Commander, seroiusly (Score:1)
I wonder if his official rank is commodore 64?
Re: (Score:2)
It's a pretty decent file manager for android. Has a samba plugin that works!
YEs, it does work that way (Score:2)
Re:YEs, it does work that way (Score:5, Insightful)
If you cut the link cables to Europe are you cutting off Europe from you or are you really cutting yourself off from Europe?
Re: (Score:1)
Yes
Re:YEs, it does work that way (Score:5, Funny)
Re: (Score:2)
Isn't this like an embargo (Score:2)
Yes, you can knock countries and regions off the internet. But you really can't do it without collateral damage.
I agree *completely* that doing this would be less effective than letting things stand.
But I have to ask, in a technical sense why *couldn't* we cut off conflict areas from the rest of the internet?
Taking Syria as an example, we could .com and .edu websites hosted in Syria and route them to nowhere
1) Disable their top level domain.
2) Identify the
3) Identify source connections from within Syria and automatically route *them* nowhere
On #3 above, Syria has only a handful [wikipedia.org] of service providers, and the source ad
Re: (Score:3)
While countries can be largely knocked off the internet by severing their physical connections, that isn't really the question at issue. The panel was asking about eliminating the ability for terrorists to organize and recruit over the internet, especially through the dark web. The reason this goal isn't the same as cutting off a country's access is that extremists aren't neatly limited to national boundaries and they certainly don't mind those borders when establishing websites for recruitment. It's the sa
Re: (Score:2)
That's not as easy as it looks. Europe has connections to the US across the Atlantic, to Africa across the Mediterranean and to Asia through Turkey, the Ukraine and Russia. And that's ignoring any satellite links.
Cyber Command? (Score:2)
God these self-aggrandizing titles are annoying.
He's not the "Cyber Commander", he's in charge of an entity whose purview is things related to the interwebs.
But let's stop treating him like he's the fucking Field Marshall of the internet.
Re: (Score:2)
Re:Cyber Command? (Score:5, Informative)
His title is Commander, US Cyber Command (USCYBERCOM), which is a unified sub-command of the US Military. Calling him "Cyber Commander" is a stupid journalistic oversimplification, it's not his actual title.
Of course, you can always tell government drones when they refer to "cyber" anything, but that is just the way it goes.
Re: (Score:3)
"Calling him "Cyber Commander" is a stupid journalistic oversimplification"
As if calling him "Commander, USCYBERCOM" didn't sound stupid enough (isn't it something coming from Mattel?).
Those big boys and their expensive toys...
Re: (Score:2)
His title is Commander, US Cyber Command (USCYBERCOM), which is a unified sub-command of the US Military. Calling him "Cyber Commander" is a stupid journalistic oversimplification, it's not his actual title.
Of course, you can always tell government drones when they refer to "cyber" anything, but that is just the way it goes.
Nonsense - his complete profile is right here and his title is definitely Cyber Commander: http://yugioh.wikia.com/wiki/C... [wikia.com]
Re: (Score:2)
Sure you can... (Score:3)
It's not easy, but it's certainly possible to mostly do that. It's just that it hurts more than it helps in most cases, because it hurts the legit stuff going on. You want to change this, you have to actually incentivize the leaders in those countries to crack down in an effective way.
Re: (Score:2)
All the talk of dark optical, dot com built redundancy is often just talk in many parts of the USA. A lot of physical optical might have been built out at some time but only a few active monopolies, cartels, duopolies really control all networks to keep the backhaul working i
What are you, my dad? (Score:3)
If they say it isn't... (Score:2)
If they say it isn't...you can bet they already have a plan that does.
Of course, it may not quite work.
Just shut down... (Score:3)
...the atmosphere, that's where the bad weather is.
...the oceans, that's where the garbage patches are.
...bacteria, that's where infections derive.
...brains, that's where ignorance thrives.
Geo-blocking doesnt require gr8 firewall-o-murca!! (Score:2)
Route-poison traffic to and from location X. People forget that valid Internet communication is 2way. Sure they might be able to broadcast out but not being able to receive in effectively cuts them off. Their internet will get awfully quiet.
The thing is that "head of U.S. Cyber Command" is not saying is that cutting off the internet also cuts off easy common communication for any intelligence resources the US has in that area.
In this instance a communications blackout works against both parties.
Re: (Score:2)
This is a very good point; however by "area" they don't necessarily mean "geographic area". Let's say you cut off Syria and northern Iraq from the Internet; that doesn't stop ISIS operatives in Europe from using the Internet. It doesn't even really stop Syrians from getting data from to those sites using some kind of gateway (e.g. POTS or packet radio). It just means they won't be streaming Netflix.
Re: (Score:2)
No shit (Score:1)
The Govt needs taxes. (Score:1)
LOL! Not Fallin' for it. (Score:2)
Nope, not going to buy into it. Just like there was no domestic spying. The government has no off switch, until the use it.
It's easy (Score:1)