The United States National Security Agency is working on a new program codenamed “MonsterMind” that will automate the monitoring of traffic patterns on the Internet to look for attacks, NSA whistleblower Edward Snowden told Wired.
When it detects an attack, MonsterMind will automatically block it from entering the U.S. cyberinfrastructure.
It also will automatically fire back at the server from which the attack was launched.
That could be a problem because such attacks can be spoofed — routed through the servers of innocent third parties, Snowden told Wired.
MonsterMind will require the NSA to access just about all electronic communications coming into the U.S. from abroad, which violates our Fourth Amendment rights, he pointed out.
It’s the Constitution, Stupid!
“Judging from that account of MonsterMind, it sounds like it could very well be a violation of Fourth Amendment rights, although it’s hard to say without any more information,” said Hudson B. Kingston, legal director of the Center for Digital Democracy (CDD).
Other NSA programs have what Hudson calls “fig leaf” controls built in to somewhat limit the collection and dissemination of more personal communications, which MonsterMind apparently lacks.
“Mass collection of personal information is a violation of privacy rights even if it might be used to stop cyberattacks, and the NSA does not seem to be balancing constitutional protections in its efforts to intercept all traffic on the Internet,” Hudson told TechNewsWorld.
Protect First, Talk Later
“Cyberwarfare is a genuine threat to the stability of the U.S., and it’s understandable that the NSA and other agencies are working tirelessly to identify the sources of threats, methods of defense, and ways to fight back,” said Darren Hayes, assistant professor and director of cybersecurity at Pace University’s Seidenberg School of CSIS.
“If the U.S. government was not working on a cyberwar defense program, we should be concerned,” Hayes told TechNewsWorld. “An attack on our financial system or utilities by a foreign government would lead to a loss of confidence and perhaps result in a loss of lives.”
The high speed at which cyberattacks occur requires the development of automated defenses, Hayes argued.
Shooting Ourselves in the Monsterfoot
Here’s the thing, though: MonsterMind cannot guarantee our cybersafety — and in the worst case, actually could result in our attacking ourselves.
“Automated responses usually have a limited set of [issues] they can respond to,” David Swift, chief architect at Securonix, told TechNewsWorld. “Zero-day malware by definition is unknown, and an automated response to an unknown attack without human analysis is a recipe for denial of service.”
For example, a spike on Twitter, Netflix or other streaming media could be seen as anomalous if the algorithms used weren’t up to snuff, Swift explained. Looking for a single-frame attack in a billion frames that doesn’t match a known malware pattern is difficult, and scaling up a tool to deal with the hundreds of millions of actors on the Internet is a “monumental task.”
Possible Solutions to Issues With MonsterMind
Behavioral analytics tools might be the way to go, because they learn what is normal from collecting data on an organization’s user population and profiling user and peer patterns, Swift suggested.
Another option is to use benign cyberworms.
Snowden is describing pre-Internet technology known as a “ferret,” Kyle Kennedy, CTO at Stealthbits, told TechNewsWorld. For a cyberferret to be effective and avoid problems, such as attacking innocent parties’ servers, cyberferrets could be joined with cyberworms — tracking and infiltration programs that can map a virus or intrusion back to the original source, even if the source uses antidetection techniques.
“Cyberworms inherently do no damage unless they carry a Trojan Horse or a cyberbomb or virus component,” Kennedy said.
In any event, fears that MonsterMind might take out an innocent third party’s servers in an automated counterattack might be overstated.
“By the phrasing [of Snowden’s statements], it appears it would not be a direct attack back, which is illegal in most cases,” Swift pointed out, “but rather a cutting off of the connection to the IP address or address range determined to be malicious.”