Really simple things can be hugely influential and famous. Like SQL injection, buffer overflow and other classic types of software vulnerabilities, the grand old man of cyberspace remains useful year after year. State-sponsored actors, rival companies and criminals alike are keen to fall back on simple methods and tools to demonstrate their capabilities in cyberspace. Humans are known to employ such campaigns as revenge, as a show of power, as an insult or to acquire business or political priority. Distributed Denial of Service (DDoS) attacks are just right for those who want to be the bullies of cyberspace.
Cyberspace is still largely unmapped territory. Even though layer 3, the world of packets and pings, travels through cables and connectors that are largely owned and run by state-sponsored actors, on the higher level a mythic, elevated concept of world citizenship prevails. On that level, a vigorous struggle is going on over who is able to provide security for the people and what forms and shapes the social frameworks of the post-national cyberspace should take. That struggle inspires old nation-states and their security organisations to engage and to promote themselves as viable authorities in cyberspace. Many of them have made a silent and unilateral declaration of a global mandate. To actualise that and to build up social attachment, these actors need to demonstrate their skills and capabilities and, in essence, be able to dominate all the other self-proclaimed sheriffs in town. On a global scale and scope, that is Mission Impossible.
What could be a better way to push up one’s role than to take others down at will? Those who can deny the service of others, even for a while, try to become the new sovereigns of cyberspace. Welcome to the world of offensives, invasion and intervention or, in pretty talk, DDoS attacks.
Chauvinistic War Games
The DDoS attack stays popular and effective because it exploits the target's desires. In the wide-open global network, greedy web services want to reach out to the world. Every tiny web shop thinks that its customer base is as huge as the world. What is more, every nation and every tiny, immature or hostile government thinks that, thanks to cyberspace, it is now global as well. They can reach out and project their power to people they think are theirs, wherever they are. Goodbye territories and the limited mandate of sovereignty.
In the global cyber-village, everyone wants to be everywhere and all want to eat the sun. The difficulty of reaching the end of the rainbow leads to vigorous campaigning to keep others down, to maximise one's own capabilities and still to keep running after the carrot and away from ghosts of all kinds.
Since everyone desires, yearns for and dreams about world dominance, their inherent vulnerability must be the willingness to be everywhere and to expand. Therefore, the ultimate means to intervene, to obstruct and indeed to put a spoke in the wheels of others is to let them have as much of that as they want and, in this case, even more. Every global cyber business or government wants to be everywhere and online 24/7, hence they are doomed to battle for that role in cyberspace, a battle that never ends and to which there is no solution.
The one who is able to declare that they can provide security against others may acquire some subordinates and host a regime of some kind. Yet the world is never for one, and one cannot be the world.
Deterring an invasion
Although everyone who stays in the global cyberspace is inherently vulnerable to DoS attacks, some are less so than others. Many never meet the beast, even when they are visibly available and even attractive. On the other hand, those who are attractive and even welcome or invite such hostilities either never face them or can defend successfully. Still, even with a successful defence and recovery procedure, even a tiny slice of hours can cost a lot. And since cyberspace is wide open for all to play around in, pride, masculine might, fame and reputation, indeed the self-proclaimed ability to provide security and to police cyberspace, are the weak points. Should some company stay offline for a while, even when that costs some money in lost production, what it is afraid of, and what makes it angry and scared, is the apparent humiliation.
The Estonian cyber attacks are perhaps one of the most classic examples of that. Russia was accused, and the tensions between the two countries have not been much better since. What bugs them is not the tiny offline time but the lack of skills and, in a deeper sense, the balance, borders and territories in cyberspace. Two or more entities want to be king of the castle at the same time; for lack of international institutions to induce a Cyber Peace rather than a Cyber War, these various entities are doomed to exercise their skills and manoeuvres in a state of anarchy.
Since one may or may not experience such attempts at invasion on network layer 3, one may take the risk, outsource it or try to defend. The consequences of such an invasion, which could however also be due to a normal increase in business activity or in the level of interest towards oneself, vary depending on the business and entity. Most companies have no resources to defend against risks that are not very likely and from which no fatal or critical consequences are expected. Thus, the viable options remain to take the risk or to outsource it.
Various outer-edge proxy solutions are on the market, behind which one can withdraw as a pre-emptive defence against sudden DoS attacks or increases in visitor volumes. With a flexible Internet-facing “buffer zone” service, any denial-of-service attack would be taken by the common and capable front line rather than by the small and incapable business. As with military alliances, small entities tend to prefer to dwell under the patronage of others. And indeed, the defence industry, even defence against cyber invasion, rogue packets and hostile networks, costs more money than many companies can afford. Therefore, a shared, hard and well-armed front line in cyberspace may be a good solution for many small and even larger businesses.
However, there is a cost attached to such patronage, both financial and political, yet it might be less than the expected cost of the incident should one of the risks actually materialise. Ultimately, deciding on security investments is a business decision. Typically, companies take high risks, which may or may not be good for a long-lasting business strategy.
Kristo Helasvuo, Guest Author.