Cyber: Boundless Nonsense

Tuesday, July 31, 2012

Don Eijndhoven


In the Cyber industry, there is much to gripe about. We have a lot of very vocal experts out there, and roughly the same amount of opinions as there are experts.

Most of the times, the differences of opinion are really just people being pedantic (or clueless) and while this is a detriment to the entire industry, we have bigger fish to fry.

Some notions out there are just plain wrong, and they lead to really poor laws or national policies. If you’ve read any of my previous articles, you may know that when I go off on a tangent, my rants usually involve people who claim cyber warfare doesn’t exist.

But the pundits have been strangely quiet on this topic lately, and so it leaves my hands free to chase another topic that’s been bothering me lately. Quite frankly I’m a bit surprised that I haven’t seen more articles on this subject, but here we go anyway:

Cyberspace is NOT without borders. Cyberspace DOES have boundaries.

As any IT person with a basic education in networks & systems will tell you, networks are made by connecting physical networking devices. These devices obviously occupy a physical space somewhere, making them susceptible to the national (and possibly international) laws of the country they are in.

You can even configure most networking devices to only service a subset of internet traffic or, and this is especially relevant in this context, deny service to internet traffic involving certain geographic regions.

In other words: if you run a country that is geographically wedged in between two countries that are at war with each other, you CAN opt to cease routing their internet traffic. It may not be easy, and it may not be politically useful, but it is certainly not impossible.

Back in 2007 during the cyber attacks on Estonia, the responders actually mitigated much of the barrage of DDOS attacks arrayed against them by dropping large portions of international internet traffic.

The question is: What is neutral behavior in the context of cyber warfare? Are you, as a neutral country in the scenario described above, obliged to drop all traffic between these two nations that crosses your national networks? And if you’re not, are you obliged to make sure none of the cyber attacks are originating from compromised systems within your borders?

Given the stakes involved, you may want to do that anyway. Simply dropping traffic might be easier though.  But what if dropping traffic from either side gives offense or is considered a hostile act? This can quickly develop into a political conundrum either way. There is no official “right answer” yet, so for now governments will have to decide this on their own.

A more interesting question is: What constitutes our digital territory online? Our geographical borders are usually quite well defined, but 90% of the hardware on which the internet is built, is commercially owned and maintained.

Would this mean that networks owned and operated by foreign companies are to be considered foreign territory? Does this automatically make them susceptible to the laws of the country that they originate from or registered at? But what about networks that aren’t owned by any official entity? And what about wireless networks? How would you treat areas that are covered by multiple wireless access points?

If you look at the way territorial borders are handled by governments in physical space, I see no reason to treat cyberspace differently. In fact it’s probably a much easier approach to just declare the entire electromagnetic spectrum inside national borders as national territory than to figure out some new approach “just because it’s cyber”.

You can even re-use the notion of Extraterritoriality or the special privileges as described in the Vienna Convention of Diplomatic Relations [PDF Alert].  Considering how international collaborations against cybercrime is currently being approached, we’re actually pretty much doing this anyway.

In conclusion, I would ask that experts and organizations such as RAND [PDF Alert], Margaret Chon (Seattle University School of Law), NCCIC  and the Stanford Law Review (just a random grab) either develop a better understanding of cyberspace or be more clear about what they mean.

In all fairness, I haven’t read the complete works of all these authors. They may actually understand what I just covered and if you read closely enough, they might not even be (technically) wrong.

Nevertheless they give off the sense that cyberspace doesn’t have any borders and this is simply a poor representation of reality. The differences between Cyberspace and Physical space are not so big that we need to reinvent the wheel for every policy, law or process we have.  

Let’s be sensible and re-use what we already have.

About the author: Don Eijndhoven has a BA in Computer Science (System & Network Engineering) with a Minor in Information Security from the Hogeschool van Amsterdam, The Netherlands and is currently pursuing an MBA at Nyenrode Business University. Among a long list of professional certifications he obtained are the titles CISSP, CEH, MCITPro and MCSE 2003: Security. He has over a decade of professional experience in designing and securing IT infrastructures.

He is the Founder and CEO of Argent Consulting, a Dutch firm that offers full spectrum consulting and educational services in Cyber Security, Intelligence and Warfare. In his spare time he is a public speaker, occasionally works for CSFI and blogs for several tech-focused websites about the state of Cyber Security. He is a founding member of Netherlands Cyber Doctrine Institute (NCDI), a Dutch foundation that aims to support the Dutch Ministry of Defense in writing proper Cyber Doctrine, and the founder of the Dutch Cyber Warfare Community group on LinkedIn.

Follow Don Eijndhoven on Twitter: @argentconsultin

Cross-posted from

Possibly Related Articles:
Information Security
Denial of Service Policy Cyberwar internet Attacks Network Security Information Security cyberspace International Law
Post Rating I Like this!
Marc Quibell The problem is, no one country completely, digitally, stands between two (cyber) warring countries. This requires....a good understanding of Internet Routing, BGP, how to effectively mitigate DoS attacks versus DDoS attacks...etc.

Once you are on the World Wide Web, and you get your AS number, no one country is going to have the kind of control you are describing on your data (THANKFULLY!), unless it's the origin country. Or the destination.
You can be the "middle" country all you want and gleefully block data, thinking you're having some kind of effect and trying to look good and showing everyone how much of a genius you think you are. In the meantime, the data sees your little block and takes another route.

It's the dynamic nature and always-on wonder of the Internet.

One thing I do agree with you on is that countries and their Internet Providers should take more control of the malicious data originating from their networks. ISPs have always just wanted to increase data flow at all and any costs. There needs to be more filtering.

But yes, you control and have laws on the Internet presence in your own country, as in you are an Internet Provider in a country. You do this by legislating the companies doing business in your country, as opposed to say...hardware you mentioned.

Estonia mitigated attacks by basically shutting off it's International web services to those sites being attacked. They could do nothing about the attacks. They at first tried to fight it by using their own filters locally (which btw is the only effective method, mitigation closest to the destination) but in the end they were overwhelmed and had to be shut down.
Don Eijndhoven Marc, thanks for taking the time to read my article and even responding, but you're taking away the wrong points and are in fact asserting some facts I didn't argue. Others, I meant in a different way:

- I didn't assert that any country actually IS in 'the middle', it was an abstract notion to explain my point;

- I understand the principles of internet routing very well. The point I was trying to make, is that countries can opt to cease routing traffic between two warring nations they happen to be 'in the (proverbial) middle'of. Sure there might be other nations to route the traffic, but thats not my point (and governments dont have to care);

- I didnt assert that there should be more filtering or more control. In fact my entire article didn't advocate that, nor do I intend to in any way. Its completely besides the points I was trying to make.

- Controlling internet traffic IS done on the hardware, at the end of the line. I just made the effort seem transparant. Of course, it isn't. Yes ISP's will have to do most of the work and not the governments. I figured people would get that, given the crowd here, and I didnt want to come off pedantic by pointing this out;

- Controlling internet traffic because you wish to avert getting pulled into a conflict is not something you fix with legislation, but by executive decisions from the highest levels of government. These are, by their very nature, non-standard and ad-hoc actions. Legislation takes WAY too long. Executive power is what you need;

- I spoke to some of the responders in the Estonia case and things went down pretty much as I described. Actually I had to search a bit to find a corroborating story online. I never claimed they could resolve the attacks, but they could mitigate their effects by dropping (some, not all) foreign traffic. For my point to me made, this is all the level of detail I needed. From what I gathered, the efforts here were made by the Estonian ISP(s?). I have no idea what you mean by 'filters locally'.

Thanks though.

Kind regards,
Don Eijndhoven
Marc Quibell I took everything from what u wrote and provided. For example, the Wired article link to the Estonia incident says the IT guy @ the paper that was attacked was the guy trying to stop the attacks, hence I mentioned the 'local filters' he was applying. There's no mention of an ISP doing anything.

There is no 'proverbial, abstract or any other' country in the 'middle' that can block traffic between two other nations, short of attacking the Internet itself, so I have failed to see the point.
Don Eijndhoven Marc, I stress *again* that it is never the intent to BLOCK traffic. The important factor here is that countries CAN decide to *not route traffic* for a given country. It is about the not-routing-traffic, not the blocking of access. The act, not the result.
Marc Quibell Block, not route, or drop - the end result is the same. I don't know why the semantics matter here. My question is, even if a country could see and "block/drop/not route/black hole/null route" data to/from another country, what would be the point if said traffic would then simply find an alternate route? The 'act' is not even feasible.
Don Eijndhoven Marc, I am not arguing semantics here. My point is actually crucial. On the stage of global politics, making a visible effort to remain neutral is important when it comes to conflicts. My question in this article is: What IS the desired SHOW OF EFFORT to be seen as neutral in a conflict between two (or more) nations with regards to Cyber? If you decide to drop/ not route / block traffic between two (or more) nations because you wish to stay out of the conflict, would that work? Or would it been seen as a hostile act because it MAY impede either nations' internet access?

Again, it is NOT ABOUT THE RESULT. That is inconsequential. It is about being SEEN to have made an effort to stay out of a conflict that is being discussed here.

I hope this clears it up for you. I honestly dont know how to formulate my main points any clearer.
Marc Quibell My comment oh this would be to quote you, "we have bigger fish to fry"

Doug Wulff If you get more granular on specific institutions hit by attackers you can get granular and block all traffic to and from countries that offer no business value. For example, here is an in-line appliance that blocks traffic by country, and for countries allowed by your policy, blocks very large lists of known botnets and malware.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.