Saturday, December 13, 2008

Indian Navy Demonstrates that Offense Stops Pirates

Clearly the Indian Navy doesn't understand vulnerability-centric security. If they did, they wouldn't have captured 23 pirates "who tried to take over a merchant vessel in the Gulf of Aden, between the Horn of Africa and the Arabian Peninsula." They also wouldn't have "exchanged fire with a pirate "mother vessel" off the hijacking-plagued Horn of Africa, leaving the ship ablaze." Someone needs to teach these Indian sailors that the best way to stop pirates is to "build security in" when merchants construct ships!

I guess the Indians read my Offense Kills Pirates post. Maybe they decided to Take the Fight to the Enemy. Whatever the reason, good for them. Instead of commercial shippers being the only party suffering higher costs in this piracy environment (due to losses, higher insurance, increased salaries, etc.), now it's more expensive for pirates too.

Yo ho ho, pirates. We're coming for you soon. When will we take the same attitude to cyber pirates?*

*Note: I don't mean those the RIAA/MPAA calls "pirates."


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

15 comments:

Security Retentive said...

Richard,

To be fair piracy is a relatively rare event where the laws of the high seas are well settled and don't generally trample national laws, rights, etc.

Should the same pirates happen to have a high speed satellite uplink and be doing bank fraud, maybe we could attack them for that too.

A single nation state attacking online criminals who operate within a single nation state isn't quite the same thing, right? Doesn't mean offense can't work, but it does make it a whole lot trickier.

gunnar said...

Actually all threats need to exploit a vulnerability, its just some are more cost effective to deal with proactively and other reactively, as in this case.

The example you chose actually shows the *utility* of having strong countermeasures to mitigate vulns. To wit - the pirates operate where the US Navy doesn't. You may notice a distinct lack of pirate attacks around the large container shipping lines in N America, China and so on.

Going on "offense" is only useful if your defense sucks in the first place

Richard Bejtlich said...

Gunnar, that's my meta-point -- defense is horribly broken throughout the analog world; why would the digital be any better?

In a phrase, life is vulnerability.

Security Retentive said...

Richard,

I know you've written this before, but it still isn't clear to me how we'd draw the lie between the effectiveness of defense and the role that a credible deterrent plays.

Consider the typical bank. The defend against lots of standard attacks through defensive measures, otherwise they wouldn't bother with a vault, with counting the drawer at the end of the day, with background checks for employees, and all manner of other mechanisms.

Sure they also have guards, alarm systems, and a response capability, but I have no doubt the number of bank robberies would be a lot higher if they had no purely defensive measures in place.

Its hard to say how much deterrence each of these things provide since the whole thing operates as a system from the standpoint of the attacker.

Anonymous said...

Slightly hubristic thinking the Indian Navy reads your blog no?

Richard Bejtlich said...

Anonymous, I have it on good authority that all the navies, nay, all the military forces of the world, read this blog.

Anonymous said...

Well good on you sir. Seriously I enjoy reading your blog, you have very thought provoking posts, but I admit you do wander into Donald Trump rhetoric occasionally.

Davi Ottenheimer said...

Richard,

You are totally incorrect.

First of all, the Indian Navy destroyed a commercial fishing vessel without harming any of the pirates who had hijacked it. They escaped easily, but the company that owned the vessel lost their boat and crew and did not have "total-loss" insurance.

Second of all, arming vessels at sea is likely to cause great concern with the maritime insurance companies. Because of the complexity of international maritime laws, you can not just engage the pirates with armed response without incurring much higher risks of total loss (see #1).

Third, as many have pointed out elsewhere, an attack on the symptoms is unlikely to net positive security. The Indians would probably get more bang for their buck if they put pressure on the US to stop intentionally destabilizing the Horn of Africa. The American short-sighted special-forces and logistics engagements have continually created a hornet's nest of pirate activity. The US knows what should be done to neutralize the pirates, but their priorities are askew as they can not accept the trade-off in terms of enabling sovereignty.

Richard Bejtlich said...

Anonymous, I think you are missing out on my attempts at humor...

Chris Wright said...

Personally, I think the Indian Navy did exactly the right thing. At least they have the guts to go after the pirate while our own so-called superior forces seem to lack the balls to take a shot themselves.

Niklas Eriksson said...

Patching a datacenter!

http://www.smokecloak.com/?section=gallery

;)

/Niklas

Richard Bejtlich said...

Thanks Gunnar for telling me that China Will Fight Pirates Off Somalia too. Good for them.

Davi Ottenheimer said...

@ Chris Wright

"so-called superior forces seem to lack the balls"

A fire-and-forget approach does not take balls. It is dumb, and easy. Anyone can pull a trigger when they are scared and/or angry.

You should celebrate the "right thing" when someone can hit a target calmly, accurately and without casualty, let alone work alongside others to secure a multilateral commerce zone.

111 said...
This comment has been removed by a blog administrator.
wow gold said...
This comment has been removed by a blog administrator.