Schneier on Security
A blog covering security and security technology.
« Hacking Swine Flu |
| The History of One-Time Pads and the Origins of SIGABA »
September 2, 2009
The Exaggerated Fears of Cyber-War
Good article, which basically says our policies are based more on fear than on reality.
So why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts.
Politicians, too, deserve some blame, as they are usually quick to draw parallels between cyber-terrorism and conventional terrorism—often for geopolitical convenience—while glossing over the vast differences that make military metaphors inappropriate. In particular, cyber-terrorism is anonymous, decentralized, and even more detached than ordinary terrorism from physical locations. Cyber-terrorists do not need to hide in caves or failed states; “cyber-squads” typically reside in multiple geographic locations, which tend to be urban and well-connected to the global communications grid. Some might still argue that state sponsorship (or mere toleration) of cyber-terrorism could be treated as casus belli, but we are yet to see a significant instance of cyber-terrorists colluding with governments. All of this makes talk of large-scale retaliation impractical, if not irresponsible, but also understandable if one is trying to attract attention.
Much of the cyber-security problem, then, seems to be exaggerated: the economy is not about to be brought down, data and networks can be secured, and terrorists do not have the upper hand.
Putting these complexities aside and focusing just on states, it is important to bear in mind that the cyber-attacks on Estonia and especially Georgia did little damage, particularly when compared to the physical destruction caused by angry mobs in the former and troops in the latter. One argument about the Georgian case is that cyber-attacks played a strategic role by thwarting Georgia’s ability to communicate with the rest of the world and present its case to the international community. This argument both overestimates the Georgian government’s reliance on the Internet and underestimates how much international PR -- particularly during wartime -- is done by lobbyists and publicity firms based in Washington, Brussels, and London. There is, probably, an argument to be made about the vast psychological effects of cyber-attacks -- particularly those that disrupt ordinary economic life. But there is a line between causing inconvenience and causing human suffering, and cyber-attacks have not crossed it yet.
The real risk isn't cyber-war or cyber-terrorism, it's cyber-crime.
Posted on September 2, 2009 at 7:40 AM
• 33 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
The greatest trick the devil ever pulled is to convince the world that he does not exist.
I'm trying to understand your comment, Soze. What do you think is being ignored or overlooked here?
I completely agree with Bruce here, and it's why I get upset over bills with ideas like the US executive getting the power to remove Internet access from an individual or seize control of private networks in the event of a "cyber-emergency."
I'm not sure I understand Bruce's final comment. Is there really any meaningful difference between "cyber-terrorism" and "cyber-crime"?
I would imagine the motivations. Cyber-crime is about profit.
Terrorism is the use of violence and threats to intimidate or coerce, esp. for political purposes. (dictionary.com)
Using the word "terrorism" in the sense of "invoking terror," I can't ever see the current notions of attacks on computer systems and networks to honestly be associated with that word.
I am not "terrorized" by the notion of the entire world being without computers for a day, a week, or a month.
On a side note, I dislike the use of the "cyber" prefix. It connotes cybernetics, and that's not really what we're discussing.
It would be a cyber-shame if our cyber-in-chief were to cyber-cut our cyber-access over a more-than-likely less than real cyber-attack.
Money quote: "Have we learned nothing from the WMD debacle?"
"The real risk isn't cyber-war or cyber-terrorism, it's cyber-crime."
No, the real risk is cyber-hyperbole, which creates unnecessary fear, causing many people to take costly counter-productive actions.
I know of many power plants, waste water treatment plants, and gas utilities that are concerned about the idea of losing their computers for a few minutes, let alone a week or month. Plenty of them use remote computer-controlled SCADA systems to monitor and modify their service delivery.
If they had to shut your local power plant down for a month because it's been compromised by overseas hackers, I'd count that as terrorism.
And FWIW? While there are many secure SCADA installations, there are many more insecure ones who do not have the time, personnel, or money to properly manage their security.
I would agree that cyber-crime is the much greater danger rather than cyber-terrorism or cyber-war. However, the solutions are pretty much the same regardless.
@Vern: "Using the word "terrorism" in the sense of "invoking terror," I can't ever see the current notions of attacks on computer systems and networks to honestly be associated with that word."
It can be done, but term shouldn't be cheapened by confusing it with cyber-crime and electronic embezzlement.
I know an auditor who detected a flaw in a building system where the gas valve could be opened, the gas remain on, and the building filled with gas. Eventually, a car entering the parking garage on the basement woud have sparks to ignite it and destroy the building. I think that qualifies as cyber-terrorism.
Cyber attacks on a nuclear system or food supply system, or other systems intent to cause death and widespread damage could be classifed as cyber terrorism.
Defacing web pages to make terroristic threats is more cyber mischief and cyber vandalism.
There are many culprits for the mischaracterizations--press looking to sell papers, politicians looking for power, etc. Even good intentioned people may either misunderstand the phrases or use the word that will get them the most ears and most support for a cause they belief is good.
In any case, most talk of cyber-terrorism are not terrorism, but that is not to say it cannot be done.
Bruce - dont forget about cyber-espionage.
Both sides of this are interesting. The responses to Vern are spot on - there ARE areas of vulnerabilities that aren't determined by 'ultra secret' organizations that justify their existance - they are private industry weaknesses. As pointed out, losing power for a while, or dumping toxic levels of cholorine in a city drinking water supply is possible. if done intentionally, that's a form of terrorism.
While I dispise the way this is treated in the press and by law makers (more knee jerking than a spasm factory), there ARE reasons to be concerned, and more so, do something. pretending it won't happen isn't good enough. I was in a meeting once with many agencies, and the discussion touched on HERF weapons. The general consensus was it can't happen. That the bad guys don't have the money or technical skills to pull it off. However, as I pointed out they DO. Money is your money siphoned from your accounts. Technical skill scoffing was from the 'scientists' who study this in very expensive environments. The bad guys have no intention of reusing these - a one time massive effect is just fine with them.
This is the same attitude that brought us the inability to understand how to perform in Vietnam - using WWII traditional battlefield training, we had no idea how to deal with people and children that are convinced that what they do is right. They are willing to commit to it and die for it. We didn't understand it, so we ignored it. Ignoring what we don't understand does not 'fix' it.
In this case I don't think we can have a clear division of purpose or apply a nifty sound bite title to a vulnerability and lock that concept in place. Terrorism is being dulled by misuse, and like all things over done, will be useless as a term (albeit the concept remains).
As you migrate your needs to a framework, that framework can be a target. If it actually becomes a target or not is a different discussion. If someone doesn't like you, for whatever the reason, then they may pick that framework to poke at you. Big, small, it's all the same, only impact changes. Dependencies tend to stick and grow, we only notice the impact when the thing is gone or disrupted.
Unless a person can prove the perps did it, then everything is speculation.
Someone attacks the computer for a nuclear power plant (which probably shouldn't be on the grid in the first place); is it terrorism? a prankster? someone ransoming the company for money so the negative news never sees the light of day? We don't know and in many cases we never will.
So if you don't have the perp, all you have is speculation. And so far I rarely see 'cyber-terror' linked to an actual identity. The phrase and the jounralism that surround it is completely speculative and thats where the fear part gets to slip in. There sure is a lot of emotional (read: exaggerated) news out there for something based entirely on speculation, don't you think.
Someone else already said though. The majority of malicious actions invovling computers revolves around profit. Crime. Stuff that we actually know is happening, are catching people doing it, and we see it affect the lives and efficacy of businesses everyday. And that is getting largely ignored for FUD articles or because of geographical limitations for law enforcement.
Is there such a thing as cyber-terror? Sure. Does it really matter given the other problems we're facing right now? No, comparably speaking it doesn't even come close.
@crickel: I think you'll find that most computers that actually control critical infrastructure, such as power plants and water treatment facilities, are NOT exposed on publicly accessible networks. I personally don't care if my electric company's "pay-my-bill-online" website is knocked out for a few days - life goes on. And I never lose any sleep over Hollywood-style scenarios dreamed up by uninformed media types who spew "cyber-doom-and-gloom".
I see it as rather Orwellian:
It doesn't matter what we're afraid of - as long as we're afraid of something - so that our government can protect us from it.
And newspapers need bad news to sell copies.
If I was paying US taxes I'd be asking what the NSA are doing with my money!
This would be true for any sanely designed network. And while that covers most of the big ones, there are people who don't care.
The main issue is laziness on that. The tech who doesn't want to have to drive several miles into work just to check out what the night observer has seen, and prefers to just be able to log in remotely and check out the readings. The network designer who just hooks all the back-end systems in via SNMP to a central monitor, but doesn't properly set up a VPN to channel access to that monitor.
How many different electricity producers are there in North America? How much do your really want to bet that all of them have actually placed system security ahead of convenience for their techs? Most of them probably have, but I suspect a number of them just figure that nobody will ever actually notice that you can log in remotely.
uberdilligaff: It's not unlikely that the bill payment system could cause problems: get in and make every customer account $1m in arrears, 90 days past due - if their customer cutoff process is remote-controlled, they just shut down supplies to everyone, without ever directly compromising the grid controls themselves.
For that matter, having the controls isolated brings potential security risks of its own: engineers will tend to secure isolated systems less thoroughly than they would for an Internet-connected host. Then someone bridges traffic in, or an enterprising intruder hooks a patch lead into something unguarded, and the whole grid's wide open. Not far off the way Mitnick exploited telco switches: find the unlisted number for a modem hooked into the switch's management port and you're halfway there already - and simple wardialling can get you that far.
The SCADA world is better prepared than you think, but far more vulnerable than most anyone knows.
In the case of most critical systems there are regulatory guidelines about what happens in a failure that mandate physical presence of operators within X hours in the event of SCADA failures; You would also largely need to have both physical AND control system access in many cases to do much more than harass the utility in question.
It's actually pretty hard to convince your water system to pump raw seware down into the water supply ON PURPOSE, you generally need multiple failures including physical and planning ones before something like that can happen. The bad news is that there are pre-existing planning and physical failures waiting to be exploited, but not of the doomsday variety. If you wanted to get the utility in question fined a lot of money, that's well within the reach of any reasonably sophisticated attacker.
I'm guessing you historically haven't seen much of it because it's not common for somoene else losing money to be profitable to you, but you can certainly construct hypotheticals.
what on earth is "geopolitical convenience"?!
Surprised the author did not mention the San Jose Mercury News story "Internet security problems have an upside for Silicon Valley" (Saturday, 09 May 2009).
"Cyberwarfare is murky by nature. Governments typically deny any role in covert operations. The nature of computer networking makes it easy for
governments, rogue political elements, terror groups or cybergangs to cloak their deeds, said ArcSight CEO Tom Reilly. An uncloaked exception came during Russia's invasion of Georgia last year. While Russian tanks rolled, their hacking comrades shut down Georgia's power grid and disrupted Internet and telephone services, as well as fuel supplies. The episode vividly illustrated the vulnerability of computer systems. Reilly likened botnets to "sleeper agents" that can be activated at a moment's notice."
Is this true or just cyber-security market speak to generate increased government spending?
Over-hyped cyber-stuff -- Cyberbole?
Great info and discussion here.
Seems like these days in the US anything that gets a terror label attached gets unlimited/unsupervised federal money. No public scrutiny, hush hush top secret.
I'm sure a few cyber counter terror contractors are lining up for a new way to milk that federally funded anti terror cash cow?
cyber- makes it teh more sexier. Which is not to say that there aren't foreign criminal syndicates and foreign government-backed spelunking expeditions going on.
It'll actually be cyber-war when and if cracking constitutes an act of war. (But putting any system on a network, that's sensitive enough that its compromise warrants a declaration of war, should probably be an act of treason or a legally punishable act of gross professional incompetence, in the first place, right?)
The real risk is Cybermen!
@zith "executive getting the power to remove Internet access from an individual or seize control of private networks "
Re-read the bills and the strategy. The presidents power extends to critical infrastructure.
Ah are we infringing the property rights of multinational corporations? Pity. If some cyberman is trying to eradicate the flood control system on the California Dam system or the cooling system on a nuke because someone has gained access (because of profit driven cost cutting measure put safety systems on the internet and they didn't know what they were doing) yeah I want someone not motivated by profit able to order a shut off to keep the threat away from the vulnerability.
The highest person on our pyramid is the president. We trust him with control of nuclear weapons how is this anything more?
Regarding taking "individual" internet access away. We do that now, don't we. Did it to Condor, MafiaBoy, phiber optic, and it'll likely be done to Gary McKinnon. It's called jail.
@Lowell Gilbert "difference between "cyber-terrorism" and "cyber-crime"?"
Depends on your definition of is.
Is terrorism and crime the same thing?
Is terrorism and war the same thing?
(i personally regard war as a massive crime - but leave that aside)
Is crime really low grade class warfare promulgated by the powerless against the state? An asymetric war that choses to target civilian rather than military or governmental assets.
I'd say yeah there is a difference. Crime (and this depends on your politics) is usually apolitical. They want to rob banks because that's where the money is. It's a goal.
Terrorism (not the terror inflicted by a knife weilding abusive spouse on their SO and kids) is motivated by politics. It's a tactic.
Humor: Cyber-War will probably be noted more for a DOP: Denial Of Porn.
A few years ago one of the government "think-tanks" (CSIS I think) termed it "Weapons of Mass Annoyance".
What does everyone think about the Senate bill that would allow the President to take privately owned networks off-line during a "cyber-attack"? Does you think it would lend itself to civil right abuses? Would it have the potential to become a tool for a wannabe dictator or an overzealous underling?
The problem with the senate bill is how do you define critical infrastructure which is what i believe the bill refers too.
We have a history of redefining things in this country. Just look at how cruel and unusual punishment has evolved from hanging to electric chair to gas chamber to lethal injection and now even lethal injection is being called cruel and unusual by some.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.