Could 'bullet time' stop a cyberattack?

Is a cyberattack by Iran against the U.S. a realistic threat? And if so, could it be defeated by a technique called "bullet time," that slows Internet traffic just enough to give critical infrastructure defense systems time to respond?

There is considerable disagreement over that, with some experts saying both that an attack is likely and the defense is possible, while others dismiss both.

Nobody in government or in cybersecurity thinks Iran is capable of delivering any kind of serious military blow to the U.S. But some say it could damage computer networks that control critical American assets like the power grid or the financial system.

In an interview last week with National Public Radio, Jeffrey Carr, a cyberconflict expert who has consulted for the U.S. Department of Defense, said, "[The Iranians] have all the resources and the capabilities necessary to be a major player in terms of cyberwarfare."

The NPR report also said that James Clapper, director of national intelligence, told Congress that Iran is motivated to attack the U.S. and that its cyber capabilities have "dramatically increased in recent years."

He cited the country's ability to track dissidents, shut down Twitter, block websites and launch sophisticated cyberattacks within the country. And while NPR said cybersecurity experts doubt that Iran could take down the U.S. power grid, it might be able to hack into the banking system.

Meanwhile, a story in New Scientist this week profiles security engineers at the University of Tulsa who say they have developed a way to slow Internet traffic, including malicious data, to give networks time to deal with attacks.

The technique has been named "bullet time," referring to the scenes in "The Matrix," when Keanu Reeves's character, Neo, was able to dodge bullets, as time appeared to slow down. According to Tulsa's Sujeet Shenoi, while the system would not be easy or cheap to set up, "slowing the malicious traffic by just a few milliseconds will let the hyper-speed commands activate sophisticated network-defense mechanisms."

But Gary McGraw, CTO of the security software consultancy Cigital, says the problem is not that "bullet time" would be expensive or difficult, but that it is a fantasy to think it would work.

"It's ridiculous. When you're talking about cyberattacks, it's beyond milliseconds," he said. "It's picoseconds (one-trillionth of a second). And when you use Internet protocols to slow down traffic, that slows everything else, too."

Dan Philpott, editor of FISMApedia (Federal Information Security Management Act), is a little less dismissive, but said "bullet time," while "conceptually interesting," would be effective as a countermeasure in very few places. "The problems aren't in responding, but identifying attacks when they occur."

McGraw also dismisses as "ridiculous" the possibility of a serious cyberattack by Iran. "They couldn't even defend their nuke," he said, referring to the Stuxnet worm that wiped out an estimated fifth of Iran's nuclear centrifuges in 2010.

He believes Iran has improved its cyber defenses since then. "They would be stupid if they didn't," he said, but still contends the country is not close to capable of a sophisticated attack.

Philpott is not so sure. "Iran has very well-educated population and good access to computers, so it is probably adequate to the task," he said. "I don't know that they have a cyberattack mechanism, since their government is very fractured [among] public, private and religious [entities]."

"But I wouldn't out of hand dismiss their capabilities. I tend to agree with government experts that all of the qualities are there," Philpott said.

Both agree on this much: The U.S. needs to improve its defenses, especially in areas like the power grid. McGraw said those who say the financial system is more vulnerable than the power grid have it backward. "The finance guys have much better defenses than the power grid," he said.

Philpott says the security of energy facilities is "not up to standard. A lot of the things we depend on aren't built very well," he said. "They fall down under the simplest of attacks."

McGraw said the best way to protect critical infrastructure against cyberattack is to "build things that aren't broken."

Yes, it's impossible to build devices that are completely invulnerable, he said, but it is possible to build them so they are very difficult to attack. "And if the cost [of an attack] is too high, the bad guys will go elsewhere," McGraw said.

Philpott agrees. "Don't make it low-hanging fruit," he said.
