Me on Cyberwar

Last week, I gave a talk on cyberwar and cyberconflict at the Institute for International and European Affairs in Dublin. Here's the video.

It was only the second time I've given the talk. About three quarters in, I noticed that I didn't have my fourth and final page of notes. So if the ending feels a bit scattered, that's why.

Posted on November 19, 2010 at 1:13 PM • 12 Comments

Comments

bahggyNovember 19, 2010 2:35 PM

I did like the Fridge/Stuxnet analogy, I'll nick that if I may!

I must ask, do you normally speak to such small, disinterested audiences? It does seem a remarkable waste of your time...

Bruce SchneierNovember 19, 2010 2:38 PM

"I can provide some tips for you on how to properly secure your notes."

I think just staying at the printer until I am sure all the pages have printed will suffice.

GagliaNovember 19, 2010 2:58 PM

"I think just staying at the printer until I am sure all the pages have printed will suffice."

Beware of evil maids refilling your printer with disappearing ink ;)

Eric SNovember 19, 2010 3:06 PM

Nice talk Bruce -- thanks for posting.

I saw the televised debate you mentioned. I was hoping you would give further explicit comments about what factors you think played into your defeat.

You like to cite various incendiary newspaper headlines. Zittrain's argument was that this is a straw man: just because some newspapers exaggerate (and some politicians lie for self-serving purposes) doesn't mean we don't have serious, national security-level weaknesses due to computer vulnerabilities.

And because those vulnerabilities exist, there is a real threat that they can and will be exploited when it serves the interests of a state actor.

On its face it sounds like a strong argument. You even cite examples of big eavesdropping campaigns by (you believe) China. I believe this is a concrete supporting example of Zittrain's argument.

I think in order to undermine it, you'd have to argue that (1) such vulnerabilities don't exist or (2) they could not be used to significantly aid a state in attacking the United States.

What are your thoughts on that?

bahggyNovember 19, 2010 4:18 PM

@Eric S
I think Bruce took great pains to NOT attribute the eavesdropping to China but to point out that many assume it is China but in fact, attribution is near on impossible.

thecoldspyNovember 19, 2010 11:02 PM

@bahggy

I think any time Bruce talks, people listen. And even if he is in a room with idiots, people outside of that realm are listening. I am sure that some of them even hang onto each and every word looking for nuggets of intelligence they can use later on. What I am saying is this: it doesn't matter who Bruce speaks to or whether they look or act disinterested, people listen even if those he speaks to don't. Of course that is only my opinion.

@Eric S

He already talked about why he felt defeated. I think it had something to do with his debating skill set. I can tell you this, he was up against a groupthink that states we are at war, and it might as well be a cyberwar. We are always at war with Eastasia according to Orwell. And this cyberwar is no different than any other war. The only difference is the battlefield conditions.

Bruce is actually right. This is not a real war in the sense of needing to run and hide or else. This is a war for money and big contracts. This chaos that is happening on the net is the excuse that is laid at the feet of those who have to be sold on it as a requirement for our safety in order to support it.

There is also a huge amount of propaganda being sold to the masses that says that at any moment the lights will go out, or the nuclear installations will be attacked, or other governments (always Chinese or Russian or the ambiguous Easter Europeans) will attack us if we don't ratchet up the security, or if we don't pay more to the government or the security apparatus or give more to the National Security State to protect us.

Everyone in the business is getting bloody rich off of this fear, and it seems no one wishes it to end, for if they did wish it to end, they would more than likely be signing their own pink slips. And much like the war on terror, and the war on drugs, and the war on the citizens at the airport, money is required to support it, and fear is sold as a way to get that money. Fear the lights will go out. Fear the nukes will suddenly go boom. Fear the power grids, the air traffic control systems, the nuke installations, the water, the food, the stores, the.....

Anyone that lives in such an oppressive and fearful country will give in to this fear mongering eventually, and will ultimately beg for others (government, security etc) to remove this fear. I don't wish to quote Trotsky, but as was once said:

"The revolution kills individuals and intimidates thousands. ... At the appropriate time, the terrorist offers, and the victim accepts, a Faustian bargain. To obtain relief from the tension of daily life in an atmosphere of constant and apparently random violence, the victim surrenders his birthright of freedom in exchange for peace—literally at any price. And the strategist who makes stability his goal hands a perfect methodology to his tormentor, who merely has to disturb stability. Each bombing, assassination, or kidnapping throws the stability seeker off balance/ Two steps forward one step back-and the stability-seeker plays the tune for this deadly dance."


Are we not at that point already in this trumped up cyberwar? I think so.

M N KhurshidNovember 20, 2010 3:58 PM

Some people on web are trying to save internet. Imagine that you are an IT graduate and you use online banking. Your bank offered you a software that will stop phishing attack and save your credentials. The same bank than offer free Internet Security Software of a reputed security company.

You started using anti-phishing software and you noticed that anti-phishing software revealed public IP of bank's server. You then discovered that Internet Security Software which was offered free of cost has a loop hole in it. Try to realize these conditions.

Obviously, your mind would say how can these security software will protect you when they failed to protect Bank's public IP address and their own resources.

I hope you understand the situation.

bahggyNovember 21, 2010 9:59 AM

@M N Kurshid,

I'm sorry, I don't quite follow you. If you do NOT have your bank's public IP address, it would be _very_ difficult to connect to it, no?

M N KhurshidNovember 22, 2010 2:55 AM

@bahggy I agree with you without public IP, it is not possible to connect with bank. What I really mean to say is that, a cyber attacker can monitor traffic of bank's public IP. Although, every thing is encrypted but think with a mind of a clever attacker who can break encryption by some method. All encryptions have some industrial standards.We should not forget that Chip & Pin is broken by students. An attacker is more than a student...

I want to end my comments with following quotes.

"Out of the crooked timber of humanity, no straight thing was ever made". (Immanuel Kant).

"The world is never going to be perfect, either on- or offline; so let's not set impossibly high standards for online". (Esther Dyson).

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..