Schneier on Security
A blog covering security and security technology.
July 7, 2010
The Threat of Cyberwar Has Been Grossly Exaggerated
There's a power struggle going on in the U.S. government right now.
It's about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top.
"The United States is fighting a cyberwar today, and we are losing," said former NSA director -- and current cyberwar contractor -- Mike McConnell. "Cyber 9/11 has happened over the last ten years, but it happened slowly so we don't see it," said former National Cyber Security Division director Amit Yoran. Richard Clarke, whom Yoran replaced, wrote an entire book hyping the threat of cyberwar.
General Keith Alexander, the current commander of the U.S. Cyber Command, hypes it every chance he gets. This isn't just rhetoric of a few over-eager government officials and headline writers; the entire national debate on cyberwar is plagued with exaggerations and hyperbole.
Googling those names and terms -- as well as "cyber Pearl Harbor," "cyber Katrina," and even "cyber Armageddon" -- gives some idea how pervasive these memes are. Prefix "cyber" to something scary, and you end up with something really scary.
Cyberspace has all sorts of threats, day in and day out. Cybercrime is by far the largest: fraud, through identity theft and other means, extortion, and so on. Cyber-espionage is another, both government- and corporate-sponsored. Traditional hacking, without a profit motive, is still a threat. So is cyber-activism: people, most often kids, playing politics by attacking government and corporate websites and networks.
These threats cover a wide variety of perpetrators, motivations, tactics, and goals. You can see this variety in what the media has mislabeled as "cyberwar." The attacks against Estonian websites in 2007 were simple hacking attacks by ethnic Russians angry at anti-Russian policies; these were denial-of-service attacks, a normal risk in cyberspace and hardly unprecedented.
A real-world comparison might be if an army invaded a country, then all got in line in front of people at the DMV so they couldn't renew their licenses. If that's what war looks like in the 21st century, we have little to fear.
Similar attacks against Georgia, which accompanied an actual Russian invasion, were also probably the responsibility of citizen activists or organized crime. A series of power blackouts in Brazil was caused by criminal extortionists -- or was it sooty insulators? China is engaging in espionage, not war, in cyberspace. And so on.
One problem is that there's no clear definition of "cyberwar." What does it look like? How does it start? When is it over? Even cybersecurity experts don't know the answers to these questions, and it's dangerous to broadly apply the term "war" unless we know a war is going on.
Yet recent news articles have claimed that China declared cyberwar on Google, that Germany attacked China, and that a group of young hackers declared cyberwar on Australia. (Yes, cyberwar is so easy that even kids can do it.) Clearly we're not talking about real war here, but a rhetorical war: like the war on terror.
We have a variety of institutions that can defend us when attacked: the police, the military, the Department of Homeland Security, various commercial products and services, and our own personal or corporate lawyers. The legal framework for any particular attack depends on two things: the attacker and the motive. Those are precisely the two things you don't know when you're being attacked on the Internet. We saw this on July 4 last year, when U.S. and South Korean websites were attacked by unknown perpetrators from North Korea -- or perhaps England. Or was it Florida?
We surely need to improve our cybersecurity. But words have meaning, and metaphors matter. There's a power struggle going on for control of our nation's cybersecurity strategy, and the NSA and DoD are winning. If we frame the debate in terms of war, if we accept the military's expansive cyberspace definition of "war," we feed our fears.
We reinforce the notion that we're helpless -- what person or organization can defend itself in a war? -- and others need to protect us. We invite the military to take over security, and to ignore the limits on power that often get jettisoned during wartime.
If, on the other hand, we use the more measured language of cybercrime, we change the debate. Crime fighting requires both resolve and resources, but it's done within the context of normal life. We willingly give our police extraordinary powers of investigation and arrest, but we temper these powers with a judicial system and legal protections for citizens.
We need to be prepared for war, and a Cyber Command is just as vital as an Army or a Strategic Air Command. And because kid hackers and cyber-warriors use the same tactics, the defenses we build against crime and espionage will also protect us from more concerted attacks. But we're not fighting a cyberwar now, and the risks of a cyberwar are no greater than the risks of a ground invasion. We need peacetime cyber-security, administered within the myriad structure of public and private security institutions we already have.
This essay previously appeared on CNN.com.
EDITED TO ADD (7/7): Earlier this month, I participated in a debate: "The Cyberwar Threat has been Grossly Exaggerated." (Transcript here, video here.) Marc Rotenberg of EPIC and I were for the motion; Mike McConnell and Jonathan Zittrain were against. We lost.
We lost fair and square, for a bunch of reasons -- we didn't present our case very well, Jonathan Zittrain is a way better debater than we were -- but basically the vote came down to the definition of "cyberwar." If you believed in an expansive definition of cyberwar, one that encompassed a lot more types of attacks than traditional war, then you voted against the motion. If you believed in a limited definition of cyberwar, one that is a subset of traditional war, then you voted for it.
This continues to be an important debate.
EDITED TO ADD (7/7): Last month the Senate Homeland Security Committee held hearings on "Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century." Unfortunately, the DHS is getting hammered at these hearings, and the NSA is consolidating its power.
EDITED TO ADD (7/7): North Korea was probably not responsible for last year's cyberattacks. Good thing we didn't retaliate.
Posted on July 7, 2010 at 12:58 PM
• 84 Comments
"what person or organization can defend itself in a war?"
The first casualty of the 'cyberwars' is English as a language. Just as terrorism was once a frightening phrase that has now lost its teeth in all circles except the most powerful, 'war' is threatening to lose its meaning. Eventually a person or organization will defend itself against 'war' because 'war' won't mean much at all... more than a few kids declaring it in their free time.
One, two, three, four, I declare a CYBERWAR!
Personally, I chalk this up to the media. Loaded terms get eyeballs, which gets advertisers. Simple.
The third paragraph should state "Mike McConnell" not "Mitch McConnell".
It used to be that if we wanted to go to war with someone it took a formal declaration of war by congress. And once we decided to declare war we meant it, the troops were landing and the bombs were dropping. We declared war against powerful enemies, enemies that at least stood some chance of defeating us or at the very least causing major damage to our nation. World War 2 was a war, the Revolutionary War was a war. Look at something like Afghanistan and you realize they have no chance of taking over the United States, and that's not even their goal. Afghanistan shouldn't be called a war; a conflict maybe, or some other term, but not a war. And if that can't be considered a war, then the war on drugs or the war on terrorism currently can't either. And if the best cyber terrorist can do is DDoS a website for a while, then we certainly can't say we're at war with them. That doesn't mean we shouldn't have defenses, because we should, especially around key infrastructure like the electrical grid, etc. But you have to protect that from anyone with a PC and a little hacking skill, not some unknown enemy that we say we're at war with just to make them sound more evil.
I really like this article because I think it is important to see the time-line and I think you did a good job there. I also loved this DOS analogy: "if an army invaded a country, then all got in line in front of people at the DMV so they couldn't renew their licenses."
"It used to be that if we wanted to go to war with someone it took a formal declaration of war by congress. And once we decided to declare war we meant it, the troops were landing and the bombs were dropping."
It is interesting. We're extremely reluctant to call actual wars with that name -- Iraq, Afghanistan -- yet we are quick to declare rhetorical wars: on crime, on terrorism, on drugs.
"Cyber 9/11 has happened over the last ten years, but it happened slowly so we don't see it," said former National Cyber Security Division director Amit Yoran.
Which means that an average of 300 people were killed every year by that "Cyber 9/11".
Anyone have a list of names of those killed? So we can build a monument to them? Anyone?
Regarding losing the debate ... could either of the people opposing configure a firewall? Or lock down a Windows workstation?
One thing seems quite clear cut to me. It's not a new idea: most likely I got it either from one of Bruce's earlier articles, or from BoingBoing.
When someone uses the prefix "cyber", you know that they're bullshitting you. They want you to be scared.
Thanks for trying, Bruce.
Seems to me a functional definition of a "real cyber war" is when we're allowed to send real bombers to launch real cruise missiles at the aggressor's cyber assets and send real warriors to shoot real bullets into our opponent's cyber warriors.
Cyber-anything that results in less than physical violence may be cyber-espionage, cyber-crime, cyber-activism, cyber-dissembling, cyber-bookselling, cyber-commandbuilding, or cyber-constitutionwrecking, but please let's save the term "war" for when real people get killed and real stuff gets blown up.
"It is interesting. We're extremely reluctant to call actual wars with that name -- Iraq, Afghanistan -- yet we are quick to declare rhetorical wars: on crime, on terrorism, on drugs."
Now that's a New York Times Op Ed I'd love to read...
@: ""cyber Pearl Harbor," "cyber Katrina," and even "cyber Armageddon" -- gives some idea how pervasive these memes are. Prefix "cyber" to something scary, and you end up with something really scary."
Just now read what could be "cyber-divorce"
Divorce lawyers: Facebook tops in online evidence
The question is two-fold:
1. Do you think organizations outside of the US, be they other countries or a collection of various people, are attempting to break into US computer systems, be they public or private, with the intent of stealing information and/or causing damage?
2. Do you think any country or group of people (i.e. terrorists) that we are engaged in military actions against would attempt to disrupt our computer systems and various infrastructures?
I would argue that the answer to both questions is "yes". We can then engage in this silly game of words, i.e. using the term "war" when we have not declared war on anybody, or we can sit down and decide how to look at the problem that is very real and decide how best to handle the situation.
The sort of thing that bothers me (other than all the pure silliness of most of the cyber discussion) is something a bit more subtle than what is mostly discussed.
Nearly everyone doing a large amount of any business (or manufacturing) has gone to a "just in time" sort of system. And in fact, at places like grocery stores it is so fully automated they no longer even have the tools to do much of anything by hand anymore. They sometimes (often) don't even know the prices on items without the scanner working. And even some testing of that is rarely done, but when it was (y2k) the manual system at Northern Hydraulics shipped me a log splitter when I ordered a bench vise (nice deal!). I know of at least one major hardware manufacturer I used to consult for who would be completely shut down if say, there were no 10k resistors coming in on time -- you can't ship hardware if any single part is missing.
Now, this supply chain is "tight" as it must be for that system to work and save money as promised. In other words, if it is broken for a few days, they can't just roll twice the trucks for a few more days to catch back up again -- the extra trucks and roads simply don't exist anyway. Huge economic harm could result, and things are a bit fragile now anyway.
Now, imagine how much sheer panic you could cause by making all the grocery stores unable to reorder -- they can't do it by hand, because without the system they don't know what they need, and they can't just wing it because the system is so tight and the trucks and roads aren't there for them all to just put in a safety factor.
People in that situation go into acquire and hoard mode, making it worse than it needed to be (just like everyone went from being happy with half a tank of gas to having to have a full one in '73, making the gas shortage that much worse than it really was). Things could get stupid fast, and of course, all this is done over the internet...
The only trick would be to break it so they didn't notice it was broken for a couple of days....switch orders around between stores, lessen amounts or leave out crucial things altogether for some stores, but have others only get those things, things like that, and wham, you've got panic which in many cases kills more people than the thing that created it in the first place due to dumb human behavior when in herds.
Since I personally live off the grid and am mostly "ready" for most things, I'd find it amusing, but I bet most would not.
We don't need a military to jump lines at the DMV, I just did some business with them and it's that bad already. The VA DMV has an expired security certificate for https and it wasn't even registered in their name, but for some other part of the state government. That about says how good our government is at this kind of thing -- 13 year old script kiddies can get this right, but for that I pay taxes?
"1. Do you think organizations outside of the US, be they other countries or a collection of various people, are attempting to break into US computer systems, be they public or private, with the intent of stealing information and/or causing damage?"
Yes. Some of these are known as "vandals" and their actions are known as "vandalism". They deface web sites.
Others are "spammers".
Others are "criminals".
And that is the core of the problem.
The people claiming "cyber-war" are looking at POTENTIAL threats (in a very "movie plot" fashion) and then BACKWARDS extrapolating to existing situations such as vandalism by script-kiddies to justify their claims.
The response to a threat must be appropriate and proportional.
War indicates a situation where the normal rules of society -- such as national sovereignty -- are suspended. In many cases virtually unlimited resources are expended, often with little strategic value to those expenditures.
If one looks at a threat and responds appropriately, they lock their door and pay a homeowner's insurance policy. Maybe invest in a motion sensor light and monitored alarm. They don't decide that burglars are at war with them, warranting the installation of a minefield across the lawn and electrified fence across the driveway.
We absolutely need vigilance and caution. We don't need to view the problem as a war needing to suspend the normal rules of human conduct and to authorize disproportionate expenditures.
And some of them are under the direct or indirect employ of other country's military/intelligence services.
We need better cyber security. I'm not sure this is a huge problem for the government. The NSA has ridiculous cyber protections. These threats that government officials throw around seem directed more toward the proletariat. And if that's the case, high profile figures and politicians should look at companies like Nixle, which have user authentications and secure information portals at NLETS.
Other networking sites like Twitter and Facebook get hacked on regular occasions.
"And some of them are under the direct or indirect employ of other country's military/intelligence services."
Possibly. But so far none of the "experts" have been able to provide evidence of such activity outside of normal spying.
And if we went to war over spying ...
I don't understand - are you arguing that the attacks aren't taking place? Or, are you complaining the word 'cyber' is being worn out? Or, are you saying ... what? This reads exactly like the article in some tech magazines a couple months ago. I don't understand the complaint. It reads fine, but at the bottom of all the "yeah...you tell 'em Bruce" comments, I'm more confused than ever.
Others are saying that it's all about the money and the Cheney-Halliburton yada yada yada defense contractor industry is creating the whole thing so they can win big contracts, etc. Really? I mean, the attacks aren't really taking place? So, how do I know these guys aren't the ones telling stories? Why should I believe them? Why should I believe someone who is trying to convince me organized crime doesn't really exist and it's just some teen hackers burrowing into banks and Pentagon systems and defense contractors, etc etc etc?
Oh, I know. If only they would choose long passwords with upper and lower case characters this wouldn't happen. Yeah, all we need to do is educate people and it'll all go away.
If you don't mind I'll also consider the possibility it's about writing something people will read. And to do that it has to be contrary. You have to take the opposite side then jump up and down so people will come back for more. Why would anyone read TechCrunch or Wired or anything else, if they all agreed? First they tell you Vitamin C cures everything and it's a big secret that's been held from you. A couple years later they write big headlines Vitamin C doesn't do spit, and they're the first ones to blow the whistle on it, so get it while it's hot folks. Next week it'll be something else. It's competition for eyeballs and that's the real conspiracy.
"I don't understand - are you arguing that the attacks aren't taking place?"
All I'm seeing is a bunch of script-kiddies, some spammers and a smattering of criminals.
This has been in the news a lot recently in the UK: our power grid, hospitals, flight control, ... - all our essential systems are allegedly vulnerable to "cyber" attacks.
I somehow doubt that, but more importantly I wonder why any of these systems would be hooked up to the net in the first place. Do you *really* need to be able to monitor your nuclear power station via remote desktop from home?
Is the threat of cyber attack being blown out of proportion? Yes. But does that make it a lie?
It's a matter of scale. There is a battle going on, and it involves livelihoods rather than lives, the culmination of which can impact on our standard of living. This is just more dithering by the Cult of the Difficult Problem.
I reiterate my quote from yesterday's comment:
"Cyber is such a perfect prefix. Because nobody has any idea what it means, it can be grafted onto any old word to make it seem new, cool -- and therefore strange, spooky." ["New York" magazine, Dec. 23, 1996]
I can see the English language spewing forth a cyber-Vesuvius, cyber-Pompeii, and, of course, cyber-Eyjafjallajökull was actually an attack perpetrated by turrursts, using sophisticated networking equipment to trigger explosive charges deep within the volcano - a clever combination of human control and cybercontrol.
Hey, wait a minute ... isn't that what "cyber(-netics)" originally meant: the study of mixing human and electronic control, as in "Cyborg"? ... The biggest "war" is on the English language, which will be the biggest casualty.
@ Bruce Schneier: Thanks for the cyberblog; the opportunity for us to post cybercomments with our cybercomputers; the cyberlinks, cybercartoons, and even the occasional cyberflame. ... Now if you'll excuse me, I need to go to my cyberhome and eat my cyberdinner.
This is exactly why I so vehemently oppose Congress' current attempt to push through legislation to allow the President to shut down the Internet if there's a "cyber war" threat.
My stance on that is simple: If you don't want sensitive systems attacked via the internet, then don't connect them to the internet! I see absolutely zero reason for the nation's power grid, as one example they love to give, being accessible from the internet. They also like to claim that our financial institutions might come under concentrated attack. What isn't mentioned is that, because the stakes are so high, financial institutions invest heavily in security. If anything is going to be attacked at all en masse, it's not going to be hard targets like banks or military systems. It's going to be whatever has prepared the least and significant damage can still be done.
It's a lot like that old military pamphlet that was linked on this blog a while back that detailed methods of sabotage. Why go through all of the trouble to train people to perform a technically difficult act of sabotage, knowing it's going to set your plans back tremendously if a trained individual is apprehended? Hack the electrical grid? Please. If an unskilled person learned just enough to fly a small plane then a crop duster could be stolen, loaded up with chaff (finely shredded aluminum that fighter jets use to confuse radar) and dump it from the air on key transformers (it shorts them out) and then litter the road with caltrops so that the repairmen can't get to them with passenger vehicles? That will disrupt the power grid and it doesn't even take intelligence to do it. Also, it actually costs money to repair.
I could think of simple attacks like those all day. Theoretically so could anyone who actually had a desire to carry them out. Countermeasures against low-tech attacks should be cheap, which reveals (in my opinion) our government's real motive in suggesting the ever expensive solutions they do: more power over the citizenry.
Hey Bruce and Clive. I'm seeing reports that the NSA is setting up something called "perfect citizen" to monitor infrastructure and what they deem as important private entities. The NSA? As Bruce would say, take it for what it is worth. @Ward, Obama shutting down the internet? Break out the SW internet for news and rally points. Maybe we can set up shortwave television.... Oh hell, maybe I need to rent Red Dawn or read infowars. ;)
A security "expert" who often appears in the press and on TV once asked me to prepare him to speak on cyberwar.
I gave him first source material references, such as Arbor traffic analysis and the formal complaint filed by Georgia against Russia. The facts were clear. I thus suggested a soundbite: the threat of cyber attack is very real and growing but still insignificant compared to a war with boots on the ground.
Instead of sticking to this line at the first hint about impact he said whole cities were disabled; the Georgian grid was taken offline due to Russian "cyberattack". Another minute and he might have said the sky fell too. None of it true, but the reporter did not argue or ask for detail.
My hope was the paper would require a quick and simple fact check before running the story. It did not. Instead, it went straight to print...as a story about the growing opportunity to invest in security companies that sell cyberwar solutions. Fortunately it was a small piece and disappeared not long after.
Another way of looking at the same issue is with the WSJ story last year:
I have to first mention breaches of critical infrastructure (esp SCADA) have been a notable topic of concern in the US govt since the mid 1990s. I worked on pentests in 97 and saw it reach a crescendo in 99, before it all led to President Bush's executive directive (Critical Infrastructure Protection in the Information Age - October 16, 2001).
The debate at that time was dominated by financial planners and powerhouses (e.g. Barr Devlin, Enron). Not surprisingly they completely balked at adding overhead to operations and eagerly downplayed cyberattack as a risk. They spoke in terms of strict value to shareholders, which carried a lot of weight back then, so literally nothing was done.
This goes back to an earlier blog post of yours about MBA students planning for disaster:
Anyway, that WSJ article in April 2009, if you fast forward to today, influenced a very different regulatory environment on the Hill -- it's no longer about if there is a threat and whether SCADA will be on the net, it's a battle for who will be given control that has been a long time coming.
The timing of all the cyberwar stories thus appears to serve a purpose. Power has shifted dramatically towards the NSA (not just military) after the WSJ story (not to mention CIA unofficial memos), to your point about trying to stoke a fear of war to win a debate.
Keep up the good work on trying to shift power back towards center, and the facts.
At the end of the day, definitional arguments aren't particularly useful. The real question is: are the kinds and level of attacks sufficient to justify involving the military in defence of civilian infrastructure?
Espionage certainly falls far short of war - it's been a constant feature of inter-state relations in peacetime for as long as the modern state has existed. However, that doesn't mean that it's not a threat to national security, and therefore worth the attention of the military (which is tasked with defending national security).
Every time I hear the word "cyberterrorism" a part of me thinks "If I have to be the victim of a terrorist attack, can it please be a cyberterrorism attack rather than, say, a nail-bomb terrorist attack".
"A real-world comparison might be if an army invaded a country, then all got in line in front of people at the DMV so they couldn't renew their licenses. If that's what war looks like in the 21st century, we have little to fear."
Isn't this what the French farmers do, like every other week, blocking the roads of France? Only they call it a strike.
The sole purpose of the exercise is power and money. The proponents seek to gain power and control, along with a share of the taxes. The ideal business for a corporation is to provide a 'service' that is legally mandated and tax-payer funded. Any positive outcome will be purely fortuitous. Any negative outcome can be blamed on Teh Big Gubmint.
Tempting though it is, I think it's really important not to compare 'cyberwar' to the War on Terror. The WOT has killed many, many people. Most of them innocent. Far as I can see, nobody has ever died from cyberwar. This is the point we should be making. If cyberwar is an existential threat - show us the bodies.
Bruce, how can you say that you lost the debate fair and square when the "cards were stacked against you"? Didn't you see the pre-debate audience voting percentages? Even if you had swayed all of the undecided to your side (and everyone else stayed the same), you still would have had less than half of the votes.
Is that just the nature of all debates? Or should the audience have been picked to even the playing field?
"Thanks for trying Bruce"
@Bruce. This is why you never get invitations to Congress or the White House. (I hear it's nice)
Even if the threat is currently virtual we are scaling up for it. A lot of RFPs we're seeing are for "cyberwarfighting." Huge contracts with large number of option periods. Multi-service Centers are being established, "capabilities", as they say, are being acquired. That's on the unclass side. What's going on on the black side is only a matter of speculation.
I'm reminded here of where we were after Nagasaki. Zero risk of a nuclear war (all extant weapons expended). But there was still serious argument about gaps. Damn RAND. First we continued to make the bombs, then the Soviets acquired the same ability. Then the risk of confrontation and exchange became higher. But even while we were seeing THEM and The Beast from 20,000 Fathoms the actual ability of the Soviets (or us) to deliver warheads to target was limited. Like our fears today with non-state actors armed with nukes--in some cases they could only ferry them to closer launch points or ship them as cargo.
It took later sustained development of the weapon systems (missiles, long range bombers, boomers) to make nukes an existential threat.
"Mr. President, we can't afford to have a mine shaft gap."
So here we are again? Who wants to play Plissken?
The real 'cyber' threat will be the fully autonomous weapon systems that descend from the Predators (T-0.1).
PW Singer makes a strong argument that taking human casualties (from the attackers side at least) out of the commit-to-combat equation increases the probability of war.
We see it now in Iraq and Afghanistan. Our ALL Volunteer military. (well mostly ALL volunteer-Stop Loss is still in effect.)
"They knew what they were enlisting for. Screw 'em, they ain't my children." The Majority of Americans remain unaffected and indifferent. So Afghanistan has sputtered along for the better part of a decade while the administration had better things to do.
"Prefix "cyber" to something scary, and you end up with something really scary."
Oh. My. God. CyberMechaStreisand. Quick, mail the government some money!
Not how it works. Whichever group gets the most change in their support in a positive direction is the winner.
Actually, I think Wayne has valid points. That our vulnerabilities have been exploited (i.e., compromised systems) but not used in a highly visible, crushing attack, does not mean they will or cannot be.
While I agree that cyber as a term has been muddied so much it's virtually useless, and only serves to be used by the media to cry wolf - the problems, and vulnerabilities exist, and are rarely addressed. If the thought is that they won't be exploited by 'vandals' or 'criminals' or even nation-states not happy with us, and therefore we need not DO anything about it, falls right into place for an entity who wishes to cause harm.
Just because digital is at the speed of light does not mean the 'attacks' per se, must be. Laying a good ground work before the attack is perfectly sensible.
I worry when I read people just blow off known issues as non-effective, because no one has exploited it to some highly visible advantage. I'd say, for example, the draining of our monies in the banks is pretty visible, and highly damaging - just isn't quite as exciting as a 105 round through the front door.
That vulnerabilities haven't been exploited to date does not mean there are no plans to do so. Ignoring problems because you haven't seen evidence of malicious intent is just wrong.
Cry wolf? No. Practical efforts to mitigate issues, certainly. Radical piece of sky waving and blurring of terms by the press does not mean there are no issues, and that does not mean we should ignore those issues that DO exist.
We have a couple of conversations taking place here, with a blurring of definitions. One is the term 'cyber' and how it's been abused, misused, and ignorantly flailed about like an air raid siren. The other are real issues of vulnerabilities in our infrastructures (private, personal, and government) that can and do affect us - that should be addressed.
Please take care to not confuse one issue (context abuse) and the other (actual problems to be faced) in that we end up doing not enough, or even nothing about the actual problems.
Well duh, when did I claim otherwise? People are caught up on the semantics of the word war, and only one definition of this word. Look at the broad definition of the word and it fits in this situation.
You look at the situation and come up with a plan to deal with it. This includes hardening of systems and appropriate levels of response. A teenager trying to hack into a local school to change his grade doesn't need to have the 1st rifle infantry storming his house but a visit from the local police might be in order. Ditto for China trying to hack into corporate systems, can't use the military to deal with this but some other means can be used. And yes, at times a military response could be the correct response.
apologies for typos and mispellings. Not Enough Coffee Yet.
"That our vulnerabilities have been exploited (i.e., compromised systems) but not used in a highly visible, crushing attack, does not mean they will or cannot be."
That is the essence of the "movie plot threat".
"If the thought is that they won't be exploited by 'vandals' or 'criminals' or even nation-states not happy with us, and therefore we need not DO anything about it, falls right into place for an entity who wishes to cause harm."
No one is saying not to protect the systems. Protecting them against the KNOWN vandals and spammers and criminals will yield real results.
The problem is when people point to vandalism and then claim that CYBERWAR is a threat.
If--as asserted--the prefixing of "cyber-" to some root word makes it scarier, perhaps instead of lamenting the fact those with a more lucid outlook on life should take advantage of it. Perhaps we should start speaking of the government's ploys as what they are: cyber-jockeying; cyber-propaganda; cyber-rights-denial; etc.
I think the Gov't's hype is a TACTIC to enable them to invade our PC's and monitor our usage so they can have more control over the masses. Can you say "New World Order"?
Sounds crazy but look at the Executive Orders that have been passed or amended throughout the years and then tell me what you think.
Just to mention that Cyber Command have a hidden code to crack on their logo (which reminded me of the logo contest for some strange reason :) )
Nice to know they take life seriously!
Bruce, the 'and' link to the guardian in the fourth paragraph is broken. It looks like you used special slanty quotes instead of normal ones for the href.
Describing this as 'movie plot threat' dilutes it as unimportant. I know for a fact (many actually) that the current state of our infrastructure is vulnerable, that those vulnerabilities are being exploited to validate the access. This ranges from desktops to SCADA devices in gas/water pipelines. This is not a movie plot, these are verifiable threats. My point is that if you believe it only happens in the movies, you will be vulnerable. That someone hasn't already toasted your personal hometown water supply with 1000% the chlorine count doesn't mean it cannot happen, that it's only a 'movie plot threat'.
Do not simplify too much - this will cause folks that should be concerned, to not be concerned, and ignore *real* issues as unimportant.
I'm not even discussing the silly semantical argument about the meaning of cyber here. I'm not advocating a Chicken Little attitude - merely a responsible one.
Personally I fail to understand why we shouldn't do anything about actual vulnerabilities because someone says it's just a hollywood stunt, not reality.
We tend to concur on the actual issues - I think again this is two issues in one 'column'. Cyber and its ilk - definitions gone wild. And actual threats.
I think that what I know are threats, are NOT being treated as serious - and therefore remain threats. Whomever has control of those vulnerabilities is moot - it's the exploitation of them that becomes an issue.
Painting everyone saying there is a problem as a 'movie plot threat' empty argument doesn't help. Vulns exist, we need to take care of them regardless of the 'cyber' argument.
btw, this isn't aimed at you - just an expansion of my previous.
Example, sort of: Had a DNS server on a network for the global company I worked for once, show up as compromised. Rootkitted. We took the machine offline to find root cause (no pun) and prepare to mitigate against the weakness throughout. However the IT Director went slatheringly out of his mind - screaming at us. His idea was since no one apparently 'Did anything' in the 2 months it was rooted, it was a non-issue. I was flabbergasted at his perspective. For one, if it was a single host, then the response would have, naturally, been tempered by that - but it wasn't. Taking it offline had no effect on traffic. In fact, it HAD been used (quite effectively) for sniffing traffic and other issues. That he didn't SEE an obvious meltdown as a result, meant to him we could leave it without any future effects. Not so, but he never saw it that way.
Matter of perspective I guess. To him it wasn't an issue because he never saw it as a problem. Others saw it as a clear threat and had a very different opinion.
I think Lieberman's "Kill Switch" bill relates to the subject of this blog. It's also a really disturbing idea.
I realized that what I'm trying to suggest might be better told via another, sadly true story.
A county sheriff where I live last year was in a gun fight with a man and as a result they both died. This is part and parcel of what Law Enforcement trains for and engages. The part that probably was overlooked (except by a few after the fact) was this probably was a matter of relaxed attitude.
The bad guy was breaking into homes in a mountainous area for years - the press took to calling him the "Cookie Bandit" because he took food, as well as vandalized buildings and stole property. How cute. How wrong. Turns out, when finally confronted by the sheriff he was anything but a character from Sesame Street - he was a serial killer, and died as one. The Sheriff was probably a bit more relaxed in the confrontation and lost the edge, because for years this guy was portrayed as a harmless, almost comedic character.
It's pure speculation that had the Sheriff been more concerned, that the outcome might have been different - meaningless to speculate on that.
My point is that the media, and the flood of soundbites portraying something as harmless, might not be. It's perspective. I certainly do not trust the media to help me with my infrastructure decisions. I am concerned that it is counter effective on any educational efforts I might have to help the end users become more aware of their responsibilities.
The abuse of 'cyber' is a good example of this. Now we professionals are arguing the use of cyber to be a scare tactic (of course it is, if in the hands of media ... what a wonderful concept, the gritty grey world of Neuromancer), but it doesn't mean we have to let up on actually mitigating issues. If we feel that it's only a 'movie plot threat' and not valid, we will be farther behind on mitigation than normal. As security experts we are already fighting the catch up battle. :)
Not sure if my story helps but it's not a cry wolf, but rather an effort to make sure we differentiate between media hype and real threats.
Bruce, my wife and I were at the debate (you might remember signing my wife's well-used copy of Applied Cryptography) and think the outcome may have been very different in a different city. This was Washington D.C. and the audience was most likely USG employees and contractors. Rotenberg's anti-government and pseudo-conspiratorial theories weren't going to win you converts with that crowd. Replay the debate in Silicon Valley and his arguments may have gotten more traction.
In my opinion, both sides won the debate based on different definitions of Cyberwar. Based on the idea of WAR, declared or otherwise, then the threat (or more specifically, risk) is completely overblown. Based on the idea of a metaphorical-war, like the Cold War, then accurately measuring the threat is irrelevant and can't be overblown. This is a war of ideas. It's a war of posturing. This is a war about convincing other people (and other countries) that they're even more vulnerable than we are.
As an aside, why does the FBI have a Cyber Division? Is cyber-crime somehow different than normal crime (handled by the Criminal Division)? Is cyber-terrorism, whatever that is, different than normal terrorism (handled by the Counterterrorism Division)? Is cyber-espionage different than normal espionage (handled by the Counterintelligence Division)? We act like adding the prefix "cyber" changes one concept into a different concept.
"Personally I fail to understand why we shouldn't do anything about actual vulnerabilities because someone says it's just a hollywood stunt, not reality."
Because there are, literally, billions of possible "vulnerabilities" and we would go broke attempting to defend each of them against every movie plot threat that anyone could dream up.
Now, if you want to talk about fixing vulnerabilities that are being exploited TODAY by vandals and spammers and criminals that would be a different discussion.
The same if you want to talk about what "best practices" should be.
It's probably an excuse for more monitoring and control of the Internet. The propaganda war to make people dumb about things like what the wars are about and other nationalistic blindness is hard to maintain when the Internet doesn't all follow the mainstream media illusion.
@Anon "Sounds crazy..."
Yes you do.
New desktop - thanks!
Cracked 9ec4c12949a4f31474f299058ce2b22a on my lunch break. It says "Nunc Id Vides, Nunc Ne Vides".
Sounds to me like the terms of the debate should have been reversed. The thesis should have been "There is such a thing as cyber war, which is defined as follows." The onus of proof should have been on the other side.
@Bruce - you are taking the side of Howard Schmidt, and I completely agree that we are now in a debate on definitions. That said, if you read Adm. McConnell's full testimony that included the Cyber War quote, you might agree that he used it as much as an attention-getter than anything else.
If you disagree that our nation and infrastructure is under constant attack from other nation states, or that we are adequately protecting our assets, then the debate is over. Your readers seem an optimistic lot. However, I'm confident that anyone in your position knows better.
So while we debate the definition, and the attacks and breaches continue to mount, and the media picks up a random story here and there when a breach is noteworthy enough or even made public...what needs to happen before we(i.e. Government) takes action?
I applaud the use of the "cyber" terms if it brings attention to the issues. It's a far more benign attention-grabber than a crash of our financial system, electrical grid, or air traffic control system.
Call it what you want, but cyber-espionage is serious. The US needs to take precautions against low probability yet high cost events as the government is probably the only organization with the resources and commitment to defend against threats of this nature.
"If you disagree that our nation and infrastructure is under constant attack from other nation states, or that we are adequately protecting our assets, then the debate is over."
That sounds perilously close to "knowing" that there are Communists operating in Hollywood back in the McCarthy era.
"So while we debate the definition, and the attacks and breaches continue to mount, and the media picks up a random story here and there when a breach is noteworthy enough or even made public...what needs to happen before we(i.e. Government) takes action?"
That's easy. There are fewer than 3 murders a day in NYC. So, all the cyber-terrorists have to do is to kill 3 people in one day in the USofA using their cyber-weapons in a cyber-attack.
If the cyber-terrorist's cyber-weapons can't kill our people in a cyber-attack as fast as we kill each other in a major city then why spend money on the cyber-fear instead of demonstrable threats?
Actually, I can imagine something I'd consider worthy of the name "cyberwar" that didn't kill anyone (not directly, anyway). The thing that distinguishes it from cyber-whatever is that someone has put a lot of thought into every aspect of it. It is by definition very complex, and probably requires the concerted effort of thousands of experts.
It doesn't require that any particular line of attack be spectacularly successful (e.g. making a lot of nuclear power plants melt down, or crashing hundreds of airliners), but everything that can be attempted must be attempted, and with skill and resources. If someone's trying really hard to corrupt all financial/legal/medical records all at once (which might start months before the climax), and also attacking the power grid and air traffic control and the internet all at once, then it might be cyberwar. If nobody's attacking the telephone system, it's not cyberwar. If nobody's crashing commercial servers, it's not cyberwar. If there's a plausible (non-lethal) IT attack and nobody's trying it, it's not cyberwar.
And above all, if the general population didn't notice it at the time, then it definitely wasn't cyberwar.
This from the HSO Weekly e-Newsletter Volume 39...
"The 2nd annual Cybersecurity Symposium kicks off in Washington today as elite cyberati from federal agencies, the Pentagon and private industry gather for a day of brainstorming about threats to our computer networks."
Soooooo. The word cyber is being used as frequently and as accurately as the Smurfs use the word "smurf"
Maybe a partial response is public humiliation. Someone write a worm that overwrites "Cyber" with "Smurf"
A sampling of the debate
Smurfati (Gaga's next hit)
U.S. Smurf Command,
National Smurf Security Division director Amit Yoran
Smurf Pearl Harbor,
The Smurfwar Threat has been Grossly Exaggerated
Protecting Smurfspace as a National Asset: Comprehensive Legislation for the 21st Century
North Korea was probably not responsible for last year's Smurfattacks
Smurf-dissembling, Smurf-bookselling, Smurf-commandbuilding, or Smurf-constitutionwrecking
The NSA has ridiculous Smurf protections
all our essential systems are allegedly vulnerable to "Smurf" attacks.
Is the threat of Smurf attack being blown out of proportion? Yes. But does that make it a lie?
Hey, wait a minute ... isn't that what "Smurf"(-netics)"
Smurfblog; the opportunity for us to post Smurfcomments with our Smurfcomputers; the Smurflinks, Smurfcartoons, and even the occasional Smurfflame. ... Now if you'll excuse me, I need to go to my Smurfhome and eat my Smurfdinner.
Eat Smurfs? Yuck How could you @Tom T.
But to be fair I've always thought of cyberspace as blue. It occurs to me you know that Gibson could end the misuse by turning RIAA loose on the copyright infringers. Is he seeing a nickel out of their use of his intellectual property?
"It occurs to me you know that Gibson could end the misuse by turning RIAA loose on the copyright infringers. Is he seeing a nickel out of their use of his intellectual property?"
Sure. Go ahead and recommend that to him.
What happens then? Will we see countless articles on "blogosphere-war"? With "blogosphere-terrorism"?
In a surprise blogo-attack today, blogo-terrorists unleashed their newest blogo-weapon upon an unsuspecting people. The USofA's strategic reserve of the canonical list of "yo momma" jokes was corrupted and had to be deleted.
The President has asked that all citizens please check their browser cache for an uncorrupted copy.
We must all do our part and contribute our shared blogo-efforts to maintain our blogosphere for future generations of bloggers.
I hate the word "blog".
@Brandioch Conner "I hate the word "blog"."
As you should (as any sane mind should) for any word invented by Smurfs.
But the question of ownership is interesting. The "people" don't really have the wherewithal to run control on anything on a greater span of years than less than a decade. It's why we in the States delegate it to our reps.
But ownership is individual responsibility.
It's individuals that create organizations like EFF, ACLU, BT and BP.
One guy though started thinking about the possibility of people using medical technology to decapitate a human head and keep it alive. It bugged him -- a lot. So he went out and patented the process so that (legally) no one could do it without his permission. And doing it illegally gave him a recourse under law.
The Whole Earth Review had an interesting article on it back in the day. He saw a problem and (literally) took ownership of it.
"If the cyber-terrorist's cyber-weapons can't kill our people in a cyber-attack as fast as we kill each other in a major city then why spend money on the cyber-fear instead of demonstrable threats?"
An attack on the electrical grid or air traffic control system could kill hundreds if not thousands. Should we wait until it's "demonstrated" before we spend the money to prevent it?
@ Wolfgang Wagner
"An attack on the electrical grid or air traffic control system could kill hundreds if not thousands."
I'm a big fan of prevention (at least when it comes to preventing the preventable), but there are less preventable problems that are more properly dealt with in a resilient manner that depends on a plan for rapid recovery. The many electrical grids fail from time to time, rarely causing more than annoyance. Service is routinely restored within hours to days. Turning off the air control system would certainly be disruptive but flight crews are quite able to land their aircraft without external assistance. If you're concerned that North Korean smurfwarriors might hack the system so cleverly as to make planes collide deliberately (like when the Gremlins rewire the stop lights in Kingston Falls so that they are green in all directions) then we're moving off into movie plot threats.
Does all this power struggle mean that there is going to be a cyber incident soon? Something big terrorist happens (A bomb goes off every year) and it will be declared a cyber incident?
There will be cyber scare and cyber rules?
Re: NSA Perfect Citizen
There is insufficient information that can be verified to say...
The WSJ article was the start of a proverbial "tempest in a tea cup" with misquotes and assumptions abounding in various press outlets (and as Davi notes above they don't check their sources these days).
One thing that can be said irrespective of anything else "Perfect Citizen" was a name choice guaranteed to get people worked up.
It does not help the NSA's case when their "for press" statements jibe with each other over such things as "sensors" and if it is "R&D" or "data gathering".
If you think along product development lines you have various stages. The first of which is the usual scientific method,
1, See patterns in random data
2, Identify non random data and correlations.
3, Investigate issues arising from patterns
4, Identify if issues are measurable.
5, Perform an analysis to confirm hypotheses.
At this point the second stage of "feasibility" is carried out and then other "Marketing" issues.
The third stage is getting management "buy in" to go further. This generally involves
1, Identify product gap.
2, Do a "requirements analysis"
3, Do an "Engineering feasibility study".
4, Do an "Engineering prototype".
Then iterate one or two times.
At this point a lot of eyes have been looking on the issue and as is normal with something new you look to expand the product base.
And this is the point where otherwise benign technology gets scary.
In order to expand the product base as wide as possible to attract as much business as possible you have to look not at the actual "functionality" but the "potential" for that functionality.
For instance a CCTV camera is of itself fairly benign, it's what you hook it up to that gets scary.
And it is this that is causing concern whipped up by the name and who the players are.
Am I saying "Perfect Citizen" is benign?
No, far from it; what I am saying is that we know way too little to make even a gut reaction let alone an informed judgment.
So one to keep the eye on for now.
@ Brandioch Conner,
With regards @jlc3's comment,
"Personally I fail to understand why we shouldn't do anything about actual vulnerabilities because someone says it's just a hollywood stunt, not reality."
Is a valid point, however you are providing an excuse to those not wishing to take remedial action with your comment of,
"Because there are, literally, billions of possible "vulnerabilities" and we would go broke attempting to defend each of them against every movie plot threat that anyone could dream up"
Whilst it is true in the way it is written it ignores an important issue.
Whilst there may as you say be "billions of possible vulnerabilities" they are seldom if ever completely unique. That is each of your "billions" falls into one or two of very few classes of vulnerabilities.
Importantly the defense for most classes is broad not specific and thus just a handful of broad measures protects against a slightly larger number of classes of attack each of which in all likelihood contain the majority of your "billions" of individual attacks.
Further whilst protecting against each individual attack only provides a defence against it and one or two like it that are effectively "known knowns" or "known unknowns". Protecting against a class also has the side effect of protecting against some "unknown unknowns" as well due to the "class overlap" effect.
With regards to your final comment,
"Now, if you want to talk about fixing vulnerabilities that are being exploited TODAY by vandals and spammers and criminals that would be a different discussion"
You have to be careful you don't fall into the tarpit referred to in the old saw about alligators and swamp draining.
Focusing on individual attacks is in general counter productive, like killing woodworm beetles as they emerge from their holes. The damage has been done and you are not protecting yourself against further attacks. The solution is to make the environment toxic not just to the existing larvae but also future ones that hatch from any eggs that might be laid in future years. But importantly the right choice of toxin works effectively against all the class of wood boring insects and some other creatures.
The debate really lacked focus on what "threats" were even being considered, and I think that nebulousness really hurt the "yes" position. It seems to me the "no" side of the table immediately painted their own statements as "straw-men"(?!) in the debate and then redirected it to seize the common ground that, yes, there are security vulnerabilities everywhere as if that was the point being debated.
I was particularly annoyed by the equivocation of the Cold War to the term "Cyber-war". People *actually died* during the Cold War. Millions of them, in fact. The lack of a nuclear exchange certainly was saving grace for those of us in First World countries, but that's not much consolation to Vietnam or Korea or all those other proxies. Even when it wasn't "hot" everywhere, people were still certainly winding up dead in Berlin. Who has died from the "current" cyberwar?
Mildly off-topic, but it was also a little jarring for McConnell to claim Washington as the first spymaster (what of Walsingham?) or when he mentioned our role in defeating German encryption (without mention of the Poles and especially Brits who by most accounts did the heavy lifting on that front, yes?). I guess the Japanese front is less sexy? Some seemingly myopic (albeit perhaps typical) historical framework going on there.
"We surely need to improve our cybersecurity."
Depending on who you ask, it is even possible that special-interest legal issues have interfered with information security. For example, see "Unintended Consequences: Twelve Years under the DMCA" from the EFF ( https://www.eff.org/wp/unintended-consequences-under-dmca )
A very apropos quote:
"'cyber' is a prefix you put on something to indicate it's a s**t metaphor" - Metlstorm.
The Military (the command, not the individual troops) has a cyber-hard-## to push a Cyber war threat so they can grab as much Cyber based control as possible.
He who controls the flow, regardless of what is flowing, has the power. This applies to money, information, food, you name it and the Federal Government thru the use of Military Command is looking to garner as much control of information as it can so that it can then control who learns what.
Senator Jay Rockefeller said the internet should have never existed. The hatred/fear of the internet by Rockefeller and many of his fellow professional politicians is because it has spawned a form of communication and information sharing between the average person that neither big business nor corporations can control or spin. Because people are able to communicate and share with each other outside that control, a massive revitalization of liberties and rights as defined by our constitution has taken off and this scares the hell out of these guys.
The threat of Cyber war is their saving grace as it could allow them to take back control of the internet and thereby control of the flow of information and the exchange of ideas between the electorate. The internet is an information Jungle but at least it offers a way for people to discover they are not unique in their views and thoughts on Liberties, Freedom and how out of control much of the government has become. The internet is also killing the main stream media, Newspapers, traditional magazines and even TV based news based shows and channels.
Before the internet allowed people to connect, most had no clue that they were not alone in thinking that there are serious issues with what the governments and the international corporations are doing. My parents are not big internet people; seeing it as mainly a way to email and send photos of the grandkids. Their single source of information and news comes from corporate controlled outlets being in the form of the daily newspaper and the news on the TV. If you can, thru the use of a handful of media conglomerates (which is exactly what we have for the most part with only a few local TV stations spread throughout the country being the exception), control what gets reported and what doesn’t you can greatly push the consensus of the masses in the way you want. For example if you want to downplay the bad economy then you simply have all the news outlets put positive spins on any news piece dealing with the economy and or simply not report anything that cannot be spun positively. This used to be called conspiracy theory but in fact it's smart business if you are the media conglomerate owner or in general part of the uber wealthy that gain from keeping the average person dumbed down and or uninformed.
Just look at the example of the FEDERAL RESERVE. Just 5 years ago most people had no clue it was neither Federal nor any kind of Reserve; everyone thought it was the Monetary arm of the government, not a privately owned Bank with rich and powerful shareholders. Go back 10 years ago and not only did most not know the real identity and purpose of the Federal Reserve but if you tried to speak out and say what it really was you were labeled as a conspiracy theory nut job. Now thanks to the internet and information sharing the masses are learning just how badly their elected representatives over the past 100 years have robbed the public to steal from the average person and re-distribute to the rich and powerful.
The threat of Cyber war is the Ace in the hole for these people to get back the control of the flow of info and they will do whatever they have to in order to get this done.
I found it significant that out of the entire thread (including Bruce's original post) - no one has pointed out the obvious - namely that in real war (as defined by soldiers of one state fighting soldiers of another state) or real terror (as defined by bad people who kill civilians) - real people get killed.
As an Israeli - I find the American fixation on cyber terror and cyber war somewhat amusing.
Although I understand that it is fundamentally a way of generating more business for the Raytheons of this world - the fixation on cyber-X seems like a way of vicariously participating in some kind of a cool war effort (patriotism and machoism...) without having to pay the physical and emotional price of dealing with losing friends and families to real world terrorists or soldiers.
Perhaps - if I might speculate - it is even possible that the President Obama has not declared war on Afghanistan because it runs contrary to his liberal Weltanschauung of "let's solve conflicts by talking everyone since everyone are created equal".
Yet cyber war and cyber terror are proofs of the inequality of life.
While the DHS, NSA, FBI, CIA would have difficulty producing a single example of a real person being called by a piece of targeted malware - any Israeli I know - including yours truly has close friends or family who were killed by real wars and real terrorists.
Given the recent Stuxnet cyber attack, and (partly in reply to Danny's comment) - the real possibility that pipelines, or other potentially dangerous, software controlled systems could be intentionally compromised with the _intent_ to create a physical consequence ... do you still think these are over-stated / over-sold? ("yes, mostly" is a perfectly reasonable answer - I'm interested in a review given recent event, not vested in a particular position).
I grew interested in I.T. Security in high school, and moved into it in uni. Dropped out after 2 years because I still hadn't learned anything except that uni costs quite a bit.
A cyber war is reasonably possible given how much is wired up nowadays, except that at the same time it really isn't. Most military equipment isn't connected to the main grid, which means you need to physically access it. Good luck with that.
You could take out.. I dunno, the GPS system? Mobile phone towers and landlines. Basically like fighting a war with muskets and mollys versus M4's and Apaches. Possible, but still quite useless. The NSA has CTF games, Capture the Flag for anyone who isn't up to scratch with their gaming terminology. Difference is, they do it with computers, object is to take down an opposing computer. Several hacking sites do the same thing, quite fun too. But the NSA is very, very good at it. They've had a cyber division for years, and I'm fairly certain that if anyone tried launching an attack against the U.S.A., then N.S.A. could trace a computer signal and the military could go do what they do best.
A virus is less traceable but very.. Inelegant. It's like a puncture wound with a foil compared to a nuclear bomb. Sure, the nuke will do the trick but it's going to take out absolutely everything. You can make a "targeted" virus like the Stuxnet one, but it's still not all that targeted. You can't be sure of hitting your target, unlikely you'll know if the target gets infected, will take out all your allies as well. Unless you give them the patch, but people talk which will lead to the patch getting around quicker than you want.
So a virus is useless for cyberwar. Only leaves direct hacking which is traceable, and that, as pointed out 2 paragraphs up is somewhat frowned upon given the projected response.
An EMP would be much better for a technological attack, and the countries that could produce those large enough and in enough numbers to actually be effective doesn't include countries where the burkha is used. Russia, China, U.S.A., possibly some of the EU countries, Britain. 'Bout it so far as I can tell.
A cyberwar is one of those "in 50 years" kind of things, possible now, but not on the scale used in the media. As an attack vector as a part of a conventional war, it would be, and is quite useful. Even if just for temporary confusion in major cities diverting resources away from a strike area. As a war in and of itself, no. Not now, not for another 5-10 years at the very least.
Granted, just a dropout so may be missing some vital information, ymmv, as they say.
1: In the course I was doing, we were continually taught business techniques for selling a patch. After speaking to several people in the industry, it seems patching a potential issue is frowned upon from a cost/benefit point of view. Why patch a problem that may or may not lead to a loss of information due to a hack when the likelihood of being specifically targeted is low? So any publicity which results in a more secure I.T. world is a good thing. Might get such stupidity like "security through obscurity" sent to virtual hell where it belongs.
As said above, Stuxnet is useless if you really wanted to take out a business. Too many variables involved, not all that likely you're going to hit your target. Yes they could be compromised, not on a level that requires the amount of media. But as above in the note, any attention now is a good thing, since later on it will be understated and given no funding whatsoever.
3: @Bruce Schneier
"It is interesting. We're extremely reluctant to call actual wars with that name -- Iraq, Afghanistan -- yet we are quick to declare rhetorical wars: on crime, on terrorism, on drugs."
Not at all, makes perfect sense. I think.
Vietnam, Korea.. The U.S.A. as a country is very anti whatever the government decides to do, simply because they decided to do it. Even if it's something they want. MSFT is a company like that, even if someone likes their products and would prefer them over anyone else, they'll still hate them, simply because it's MSFT.
So to say "Let's go to war", the nation will react, potentially violently. It's a surefire way of getting voted out asap.
On the other hand, nothing pushes progress like a war, nothing unites a nation like tragedy. So to say a "War on X", makes them look really good. Gets the nation united. Only temporarily, but it makes a good advert in the meantime. And who's going to object to a war on drugs when you can guilt anyone disagreeing with you? To the point of being a pariah.
A side note, the "war on drugs", really is an actual war in Mexico. The U.S.A. isn't allowed to actively fight in Mexico, so it's a non-shooting war for them. But when drug cartels are being run by ex special forces and loaded with the equivalent amount of gear, then it very rapidly escalates beyond a simple revolver and flak jacket in a police raid.
But again, it imparts a level of seriousness that few other words do. Does wonders for the level of belief people will put in the rhetoric put out to support a campaign.
An actual war would have peace rallies blocking traffic all through Washington DC shortly after it started. :P
@ Chris B,
"You can make a "targeted" virus like the Stuxnet one, but it's still not all that targeted. You can't be sure of hitting your target, unlikely you'll know if the target gets infected"
Hmm not sure on that from some research I have been party to it would appear the most successful way to get to a target is via multi vectored air-gap crossing "fire-n-forget" malware. Which is very much what Stuxnet was supposed to be (I've commented on this before prior to Stuxnet's appearance).
The targeting is not of necessity a problem it depends on how you go about it.
If you assume no "ET Phone Home" capability then the targeting needs to be very specific, however targets tend to be highly dynamic thus the more specific the more time sensitive it becomes.
This gives a threshold based on the dynamics of the target and the delay time from launch to designated target. It is this specific problem that makes directed attacks appear a better option as it very much shortens the time component. But it also reduces the probability of success if the target is not on a direct path to the attackers.
The advantage of the ET option is that a two way path can be established (with an unspecified time delay based on the reliability of the path) this means the initial targeting can be less specific and can be refined step wise on each iteration of comms. The downside is that you will get hundreds if not thousands of "calls to home" to deal with.
Stuxnet did not appear (from what has been said) to have the ET capability at the level required. This may be due simply to those developing it not having an idea of how to implement a sufficiently secure return path.
As I have detailed before there are ways of making both forward and reverse comms channels that are sufficiently decoupled that tracing from target back to control is highly improbable.
In effect you get the coverage area of a nuke but with pinpoint strike capability, however you have no real control over transmission delay so you still have a forward time payload issue (but this is a simple problem if the time to attack is greater than the delay time of the control channel).
I've played around in the lab with some covert return channels for "air-gapped" systems. (Trying to understand countermeasures)
I find the most useful return channel is the system power.
If the system is very new, it might have a digitally controlled switched mode power supply. These digital SMPS are great because you can program them to be unstable yet still remain within the system regulation limits. (one wide PWM pulse next one narrow PWM pulse = 2 average width PWM pulses) Multiphase Digital SMPS are even more fun because you can easily use them to construct a Powerline QAM modulator.
The RF signature of the unstable PWM is easy to detect and embedding a long spreading sequence makes each infected system uniquely identifiable. The same technique can be used with regular analog loop AC-DC SMPS's, but it requires intentional load modulation, this reduces the Antenna RF efficiency because multiple loads are typically located within a 1/8 of a wavelength at the load modulation frequency.
@ Robert T,
First off my apologies for a very late reply I've been somewhat pre-occupied having just spent another week in hospital (I don't know what it is but I just can't seem to keep out, and no it's not the food or Nurses).
With regards my comment about a covert comms channel I was referring to long distance such as half way around the world and by the likes of hopping on and off memory keys etc.
That is a piece of malware has two basic purposes the first is to be malware the second is to act as a forward or reverse relay for other malware that might not have a public comms path to ET with.
Imagine if you will a fault tolerant comms network using removable media or other air gap crossing method to get updates in and data out from a device on an isolated network (such as PLC's or those dealing with highly sensitive/confidential material).
From what has been said Stuxnet appeared to have one half of the capability (ie get updates in) but not the reverse comms channel (which is very important for effective targeting on fire and forget malware).
With regards your comment about using the SMPS as a power line modulator as an "outbound" comms channel yup it would work very nicely if you are reasonably close to the target and on a common mains power supply so that you could instal monitoring equipment to pick the signal up (do it up around 14MHz and it might just make it around the world on a clear channel ;)
The trick to perform is how to make an ordinary PC etc sensitive to this mains power signalling so that it could act as a relay point.
I have not tried but some 24bit sound cards have a lousy earth return and thus suffer earth return pickup... It may be possible to pluck the wanted signal out of the ground return noise.
If it can be done, then some people are going to get ultra nervous about how they airgap systems :-)
Like Nick P it is an area I already address for certain sensitive things. In my case by passive series filtering at AC (50Hz thus very big ferrite core inductors) then using AC-DC sub 1Hz lowpass into a battery float (for very low impedance) and DC-AC again with filtering.
It's big and clunky and not particularly efficient which is not ideal. What I have been thinking about is using series resonant powersupplies running around 1MHz and instead of modifying the resonant frequency actually change the inductance value by using variable reluctance techniques (have a look at chapter six "High Frequency Transductors" in a book called "soft ferrites" by E.C.Snelling, published in 1969 by Iliffe books of London, the ISBN could be 592 02790 2).
"The trick to perform is how to make an ordinary PC etc sensitive to this mains power signalling so that it could act as a relay point."
Yea, that would be a nice trick, problem is that the typical Mains AC has an impedance of less than 1 ohm at frequencies below 1 kHz and about 150 ohms at frequencies above 1 MHz.
I have played around with "power factor correction" circuits as low bit rate receivers. Basically modulating the time of the Diode turn-on of the Tx system (requires that you create a task sync'ed to the Mains frequency and phase the task load so that it occurs in the mains cross over period). This task needs to dissipate lots of power for a few milliseconds around the AC voltage zero cross-over. Doing this discharges the Input cap to the TX system's SMPS so that the diode turn-on time happens earlier (i.e. phase modulated on the Mains AC). This causes harmonic distortion generation on the AC Mains, which is correctable by certain classes of PFC systems, especially those intentionally used for mains PFC correction. Often these power system PFC devices have inbuilt system monitoring channels (aka receiver). You can only communicate at very low rate Bps, but for certain apps this is all that is required.
If you can add a pair of Narrowband powerline modems using the frequency band 40 kHz to 500 kHz and 16 QAM modulation (CENELEC band). The PLC modems will automatically detect the AC load phase angle change point that occurs at the SMPS diode turn-on. Typically they will change the type of modulation at this point (drop back to BPSK or FSK) so the modulation will be QAM16 at AC crossover, something similar to 8PSK at the AC peaks and BPSK at the rectifier turn-on / off points. If the Narrowband data is a suitable known PN sequence then you can construct a very efficient antenna at around 250 kHz and get loads of processor gain from the sequence.
The trick IMHO is to get devices added to the AC Power Network that nobody suspects. These devices form the PLC to RF return channel bridge.
It is now 2013 - is cyber war still exaggerated? I think it is the new OBL. The ultimate fear. The true unknown unknown and unseen unseen. Threat level 1001
It's now 2013 - is cyber war still exaggerated?
It rather depends on your definition of "cyber war".
If you instead say. "Cyber Espionage" or "Cyber Crime" then the answer is they are both very much on the increase.
To rephrase an old saw "There be gold in them there mountains of code" and the "rush" is very much on as the traffic stats show...