Schneier on Security
A blog covering security and security technology.
January 21, 2011
Cyberwar is Overhyped
A new report from the OECD says the threat of cyberwar has been grossly exaggerated. (Hey, that's what I said.)
There are lots of news articles.
Also worth reading is this article on cyberwar hype and how it isn't serving our national interests, with some good policy guidelines.
Posted on January 21, 2011 at 11:59 AM
The thing with cyberwarfare and its "threats" is the same as airline/airport security - you can never pinpoint what the next attack will be. The best bet is to play it safe, use RAMP measures, and keep vigilant watch on assets.
But the US is too caught up in imagining threats to realize that the real threat is not being prepared for basic ones - like someone with a knife on the plane or someone getting a pistol through the metal detectors at the airport.
On the Stuxnet front - Americans are highly unlikely (in the unlikely event that proof is presented we were involved in its inception) to perceive that attack on Iran's nuclear facility as cyberwarfare. Why? Because we came up with it and did it and it's ok because we're good now.
I think the perception of cyberwarfare is so wild and full of fantasy because there's never really been an imminent, perceivable, or defendable threat. Unlike an invasion or someone dropping a bomb.
Cyberwar is Overhyped... most things are... why should cyberwar be any different?!
The excitement is helpful in drawing attention to the problem, but I really wish the assessments could be less "first time ever" and more "variation on what we know".
I tried to argue at a couple conferences last year that Stuxnet was developed using mostly public information and old worms (e.g. bits of Conficker) but found it pretty much impossible to compete with "OMG OMG did you see the 0-day!" messaging.
I hate to make the comparison to everyone's favorite toy but it's like other tech marketing in America. The iPhone copied a bunch of technology but despite all its engineering flaws it still managed to convince people it was some kind of completely new revolution in thinking.
You can touch the screen? Amazing. Never seen that before. And you can slide the map? Amazing. Wow. 0-day
I still say that until a healthy person at home is killed by a "cyber attack" then the usage of "cyber war" is wrong.
I'm afraid to ask what that Cyrillic comment (ruPerdoncD) is about, but it looks like spam of some kind...
@ Brandioch Conner
I agree. Same for "war dialing". Ever see a modem kill someone?
...and what's up with the band that called themselves War? They never killed anyone. Posers.
Pretty sure the siphonophore "Portuguese Man of War" is deadly (http://www.ncbi.nlm.nih.gov/pubmed/2564268), but Man of War was an English class of naval design. What's up with calling them Portuguese?
It'd help if these studies flooded the mainstream *before* we drop billions in taxpayer dollars on our knee-jerk-over-reactions.
No wonder the US sucks at Go.
Actually, bigger picture, the cable news cycle simply needs to STFU. Until the press instills an industry-wide 'Think before you broadcast' policy, it's probably healthier/more informative to turn off your television and avert your eyes from the newsstands altogether. 95% of the headlines you read today will be recanted in the fine print next week on page 7, it just won't be running up to you and punching you square in the face with its hyper-bold seizure print and its buzzword-laden FUD-subtitle.
But really, if even just our politicians stopped watching cable TV for a few months, our country might have a chance at righting itself before we completely capsize altogether.
Sadly, I only see it getting worse.
@ Davi Ottenheimer
"Man of War was an English class of naval design. What's up with calling them Portuguese?"
According to the Wikipedia:
"The English common name for the genus Physalia, 'man-of-war' is borrowed from the man-of-war, a powerful 16th century sailing ship of English — not Portuguese — design. Interestingly, the Portuguese common name for Physalia is 'caravela portuguesa' (English: Portuguese caravel), based on its resemblance to the Portuguese-built caravel. In the 16th century, the English adapted the earlier Portuguese caravel design for its man-of-war class ship, and presumably as 'man-of-war' replaced 'caravel' in the English navy, so it also did in the English language."
Always nice to have a slow news day at the cyberwar desk.
Stay warm everybody!
You can't have a "permanent war economy" without being in "permanent war" - and that's hard in the real world since it takes men and materiel.
But, hey, in "cyberspace", everything is "virtual"? You can be "at war" ALL the time! At NO cost! (Well, at considerable cost to the taxpayer which is, of course, the whole point.)
"Cyberwar" is as much a godsend to the Pentagon and the military-industrial complex as the new Chinese stealth fighter. First reaction to the latter: sell Taiwan a ton more fighters and fighter upgrades!
Like on Slashdot:
I'm currently reading:
Cyber War: The Next Threat to National Security and What to Do About It
by Richard A. Clarke
Which I first read about on this site. It pretty much disagrees and contradicts what Schneier has written on the subject. I encourage everyone who wants a differing opinion to pick it up.
It's a different kind of warfare that differs from kinetic wars in obvious ways. That said, the threat is real and although direct loss of life may not be realized there are still serious ramifications to consider.
Simply stating it isn't there is naive and potentially dangerous. Another good paper is one written by Gen. Eugene Habiger.
It seems to me that the first problem is to sort out what 'Cyber' has to do with 'war'.
If one looks at things system-analytically, the 'cyber' becomes a vector for accomplishing a goal (the 'war' part of it).
Same with 'cyber' and 'espionage'. It's a bit like the differences among 'humint' and 'elint' and 'sigint'. The 'hum' and 'e' and 'sig' are the vectors; the goal remains the 'int'. Of course, what 'int' you can and cannot get on any particular vector varies.
What's really happening is that people are waking up to the fact that there's a new vector.
In the case of Stuxnet, which seems clearly to have been a 'Cyberattack' on Natanz, the Cyberwar has to be seen in the context of a wider covert war against Iran that includes assassinations of Iranian nuclear scientists, their abduction or defection (depending on who you listen to), funding and support of anti-state groups such as Kurds, Jundallah, support for the 'Green Revolution' etc.
It also has to be seen in the context of what's happening in Lebanon and Gaza.
After all, we don't segregate 'elint' from the broader issues of war.
The first implication of this broader view is to question how the Iranians will view the Stuxnet 'Cyberattack' and how they will respond. Will they take it seriously? Will they view it narrowly or will they treat it as a novel vector in an ongoing covert war that they are only too familiar with? If so, will they feel obliged to stay 'Cyber' or will they find another vector? The principle of asymmetric warfare seems to be that you don't respond to your enemy in kind but 'on the cheap' where you can do more damage.
It also has to be considered whether Iran has any friends that might want to help it along any of these vectors. Recall that Hezbollah was decrypting Israeli tactical communications in real time in the last Lebanon war. That seems pretty sophisticated. Who helped them? Let's say Iran. Who helped Iran? Or are we to imagine that Iran has such home-grown capabilities?
Moreover, in attacks like Aurora, which was very similar to if not actually the inspiration for the model attack in "Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation" http://www.uscc.gov/researchpapers/2009/... it seems pretty clear that advanced nation-states are systematically conducting 'int' along the 'cyber' vector.
The difference with Stuxnet is that we have the first public case of 'Cyberint' becoming 'Cybersabotage'.
Many people trash both Aurora and Stuxnet because they're not as sophisticated as they might have been. Here's an interesting quote from the paper mentioned above:
"These attackers have also demonstrated an awareness of a targeted organization’s information security measures according to forensic analysis of attacker activity, and appear able to alter their operations to avoid detection, reflecting the highly detailed reconnaissance that they—or others on their behalf—conduct. The attackers in these operations likely use tools or techniques that are only as sophisticated as they need to be for the environment in which they are operating, holding their more capable tools in reserve until genuinely required." (p. 57)
This is not someone talking about Stuxnet, but Americans talking about Chinese penetration methods against American 'cyberassets'.
So the take-away is that there's a novel vector which has to be assessed in the context of the broader issues of (covert) war and peace.
I've said it several times before, it is not war, but crime.
Using "war" is a way to beat the drum and rattle the saber and call those who should know better to the flag of largesse at the appropriations table.
Whilst this might serve the short term ends of war hawks and the parasitic spivs that give them "backhanders" in one form or another it does not bode well for the future.
Pretending that these "criminals" are the equivalent of soldiers of nation states badly distorts the perception of their activities in the public eye. And in turn gives them a legitimacy and even sympathy that will prevent them being dealt with appropriately.
For instance it is possible to extradite "criminals" to countries where they have actually committed their crimes and prosecute them and imprison them appropriately. Soldiers are very very rarely punished for the activities they carry out and except under very exceptional circumstances never extradited to face punishment.
Part of the reason the war hawks can get away with this "cyber-war" drum beat is the issue of information attacks -v- conventional attacks.
Conventional attacks require physical resources involving the considerable expenditure of energy on physical objects. As energy and physical resources are almost directly equatable with money it is fairly easy to see that conventional warfare is expensive not just monetarily but in raw physical resources and man power thus can only really be prosecuted by nation states.
Information attacks however have few if any resource demands on the attacker. The attacker expends some effort on finding attack vectors that exist like shadows between the functioning parts of their victim's systems. These vectors are then used like thieves in the night to gain access to the victim's systems. From that point on it is the victim not the attacker providing the resources required to prosecute the attack.
From this respect information attacks can almost be loosely considered as espionage activities where the victim's own resources are turned against them. That is the attacker recruits "agents" to do their bidding. However the reality is the attacker creates their agents as parasitic entities on the victim, so it is better to consider these agents as leeches or ticks or similar pests.
However this is an imperfect analogy because the agents are also copying data. There is no physical analog for this activity the nearest we get is photography. However photography takes an image of a physical object it does not create a direct copy of the physical object. In information attacks the image of an information object is in all respects other than location a copy of the object the energy and resources required to do this are very minimal on a bit by bit basis and usually leave little or no trace that a copy has been made. That is the cost of stealing a valuable information or data object is very small and is borne by the victim not the attacker, worse the victim may remain oblivious to this theft even long after it has been used to harm them.
Thus it can be seen that what is conventionally viewed as war in the tangible physical world has little or no meaning in the intangible information world.
It is this failure to understand the differences between the tangible physical world and the intangible information world that makes many attack vectors available, allows individuals from vast geographical distances to appear in many thousands if not millions of local locations simultaneously and to steal both the physical resources and energy from the victim to steal information to carry out further attacks be they intangible information world attacks, or physical world attacks where the physical world is controlled by information based systems.
But plain and simple the two outcomes of information attacks are the equivalent of either theft or vandalism in the physical world which are just common everyday crimes. And importantly it is the victim's own lack of understanding of the how and the why that intangible information impinges on our tangible physical world that enables such crimes to be committed.
But worse the "Cyber-war" battle cry is making the situation worse, in the physical world you need state level organisations to protect the civilian population against warfare whereas individual civilians are quite capable of fighting crime by the appropriate use of simple security precautions.
Thus the conflation from crime to war is allowing individuals to abdicate their responsibility to defend themselves and it is this that is going to cause the problem to continue long after it could be either contained or resolved.
The purpose of an army or other standing armed force is to either chase armies out of territory or deter them entering, an army does not capture and punish an opposing army. Individual civilians on the other hand deter crime they do not chase criminals, the civilian police do that, and when criminals are caught they hand them over to civilian judges and juries that ensure that those caught are dealt with by other civilians in prisons and the like.
There are good and proper reasons why a nation state has a military side with armed forces, and a civilian justice side with mainly unarmed law enforcement personnel. The two are kept distinctly separate to prevent escalation from a social nuisance to society destroying warfare.
Cyber-attacks are effectively a social nuisance and should be treated as such and the usual rules of law should be applied, otherwise people will be woken in the night to find their neighbours have been exorcised from the face of the planet by if they are lucky working smart weapons from an unknown country. Justice is seldom if ever served by the barrel of a gun or other weapon, warfare is as many know murder for political reasons and has nothing whatsoever to do with justice.
Stuxnet was a media and social hack just as the UK were after funding of Strategic Defence and Security Review (SDSR) of 2010.
I'm saying no more about this. You can speculate and rant forever on this subject and never really get anywhere.
All you can do is look at the global climate and timing of the worm.
Vendors were desperate to push their industry to government, they managed to get Marcus Sachs to lecture the Whitehouse on cyber-security to get them to take it seriously, just before worm deployment.
This was to raise the profile of the so-called cyber-security and the perceived risk.
This was a lot to do with money, this was a lot to do with individuals jockeying for position in the political realm.
This was a lot to do with vendors looking for a new profit-vector.
My opinion is the cyber-security push and Whitehouse involvement and cyber-czar appointment is the biggest fraud against Whitehouse trust of recent times.
Advisors took the cyber-security perceived threat and ramped it up artificially.
If the U.S Government and the Whitehouse need proof they've been conned, watch this video:
I've been pushing this video now for years, as evidence of what was going on just before Whitehouse and Stuxnet era of the so-called cyber-security perceived risk.
Mr. Sachs has since stepped down from SANS Internet Storm Center, as director, and what a sigh of relief.
The Whitehouse has been defrauded on the cyber-security issue on a false-pretense.
The same kind of mentality, which took us into the war in Iraq.
One would think US were past that mentality, but it looks as if you guys still have work to do to weed out the knotweed from the political system.
In a long term trajectory, there is going to end up a cyber-war-Iraq-like situation, in that, Whitehouse has been given misleading intelligence by security advisors, simply to ramp up the status of the IT Security industry into the frontpage headlines of western media and social influence.
After the first cyber-war proper, we will be regretting it, the same as we're regretting the so-called regime change of Iraq.
It will be exposed that indeed the cyber-war was started on a false pretense, by folks at the Whitehouse who put trust in their security advisors, because ultimately they have no choice, but will realise afterwards the threat of cyber-security and cyber-war wasn't as real as it was made out, and that it was more a political threat than it was a national security physical threat to anyone.
We will be taken into a cyber-war proper, no it won't be just, yes it will be on a false pretense, and no there won't be a real need for it.
Apart from to line the pockets of tycoons and to protect political status and to reinforce it.
To those who say that it's crime or a money-making hype:
In the sense that we're not about to have a full-scale 'cyberassault' on some country, it probably is.
But consider this, from one of the articles Bruce cited:
In 2007, the Israelis took out the Syrian air defense system with a cyber attack before bombing a
partially constructed (North Korean designed) Syrian nuclear facility to smithereens.
What's clear is that all countries (US, China etc) are now moving into the use of the cyber vector as part of their armamentarium. In other words, just as you might use an EMP to disable a radar system, now you can hack it.
This is not a hype; it's a fact.
We can treat 'Cyber' as a new dimension of 'Battlespace'.
That's not to say that when gunpowder was invented that some people said it was just marketing noise for the military-industrial complex, and that it had nothing up on traditional bows and arrows. Nor to say that it wasn't overhyped by the gunpowder manufacturers. But for all that, it had a significant effect on human history, and on human war.
At the risk of being pedantic, the beginning of the last paragraph should have read '...was invented that some people didn't say...'
Cyberwar is a sexy and very marketable concept for many folks. Government hackers at the cutting edge of technology launching precision strikes against enemy installations or all-out attacks on a foe's critical infrastructure. And all of that without anyone actually getting killed.
Arguably, it takes a fool not to see the many possibilities, but acknowledging a potential threat, conducting risk analysis and contingency planning based thereon is something entirely different than buying into a hype and allowing yourself to get dragged along in yet another arms race, be it on virtual battleground. Yes we've had Aurora and Stuxnet. What of it? You protect against them with the same due diligence as you would against ordinary hackers or industrial sabotage, not by thinking in terms of strike and counterstrike.
Getting carried away because of fear, paranoia and lobbying by those who have to gain from it is nothing more than contributing to making cyberwar a self-fulfilling prophecy way beyond the isolated acts of sabotage we've seen so far.
In the Northrop Grumman article on Chinese capabilities linked above, there is to my mind a persuasive argument that Chinese military doctrine now includes attacks on C2 nodes using the Cyber vector. The paper emphasizes attacks on NIPRNET, ignoring SIPRNET, which to my weak mind seems odd.
To those who claim it's overhyped: what's WRONG with the article's arguments? Let's go beyond blanket dismissals that it's marketing hype and get to specifics.
Apparently the cyber war is _underhyped_. Stuxnet shows up all over these comments, but not Estonia, and not the Chinese attack on Silicon Valley, nor the hijacked bot network being used to broadcast spam. The DOS attacks on WikiLeaks and Visa are additional examples.
@ overhyped and underloved,
"Let's go beyond blanket dismissals that it's marketing hype and get to specifics."
If you are asking why I think it is "cyber-crime" and not "cyber-war" the simple answer is "the enemy within" and the way an individual society deals with it.
In essence war is a fight over between two societies or "ideals" of societies that involves the take up of arms by one or both sides in open conflict.
It is one of the reasons we differentiate between "war" as we tend to think of it (two opposing nation states), "civil war" (two opposing factions within a society) and "civil unrest" (those exercising their right to protest about another faction of society, usually against the actions taken by that part of a society in temporary governance).
Crime on the other hand is not about "ideals" but about "property" and its ownership as codified in statute law (I'll leave tort out for now).
Theft has been defined as "denying the owner the right and privileges pertaining to ownership". That is ownership is a concept above mere physical possession of an item of property.
In many ways all other crimes can be seen as "denying the owner..." including violence against the person.
Historically crime has been something that "is within society" not external to it as with war which "is against the society".
That is when you committed your crime you used to have to have been "local to it" and thus within the geographical area of a society in which its writ is held. Such areas where society holds judgment over its members and can seek to prosecute action against an individual is usually called a jurisdiction. Which is why as a criminal you used to be "beyond prosecution" when you crossed into another jurisdiction.
Thus history has built up a series of special laws for those that commit crime against a society as a whole and these are for "acts of sedition and treason" depending on if the crime was for the individual or for others.
Of more recent times is the idea that intangible knowledge can also be a "property" like any tangible good, and that crimes involving knowledge are different in many ways and that is why we have the concepts of spying and espionage. As such these acts are usually against a society of some form as opposed to an individual (organisations and companies are collections of people and are societies in their own right even though they may be part of a larger society).
The problem with the "cyber-world" is that there are no jurisdictions that conveniently map onto geography of nation states.
This concept is not entirely new, the problem has been seen with companies or other societies that cross jurisdictions for several hundred years and the law has generally resolved the issue by "locality" based on the notion of the economic distance/cost metric.
The problem with the "cyber-world" as we have created it is that the "distance/cost" metric is so small as to have no constraint (other than time) and thus everywhere is "local".
Further crimes in the "cyber-world" are not actually committed by individuals but by "cyber-agents" acting on their behalf.
Thus it is possible to commit a crime from outside of a jurisdiction without incurring a distance/cost penalty, which is a concept that our legal brethren (judiciary) are having difficulty with as are those that pass the laws (executive).
But worse as the crimes are committed by a proxy agent there is the issue of "force multipliers". An individual inhabiting the physical world as a physical being is constrained by the "laws of nature" and can thus only be in one place at one time and is further constrained to the limits of their physical form. They can however by utilising tools or "force multipliers" exceed the limits of their physical form, however these tools are still physical items thus require energy input or cost in their manufacture and utilization (all weapons are force multipliers or tools). Thus tools in the traditional form also had the limitation of having to be operated by an individual and thus still local to the operators location.
However it was quickly realised that tools could be operated by others under instruction thus the idea of proxy agents as a workforce. This broke the limitations of locality but only at a further cost as the agents were usually physical and thus required the costs of that physical form.
However in the "cyber-world" force multipliers are information which has a minimal cost of duplication, further from a "cyber-criminal's" perspective the duplication costs and costs of operating "cyber-agents" falls not on them but on their victims.
And this gives rise to the notion of "an army of one, fighting on a thousand fronts" because the "cyber-agents" have near zero cost to the attacker an individual criminal can appear in a thousand places simultaneously and commit a thousand crimes.
The important thing to remember though is that the "cyber-agents" are mindless automata that is without instruction they will either stop or just carry on doing the same task over and over. Thus as we see with some of the current botnets removing the control channel usually stops the botnet activities or that a bot can be stopped with a software patch changing the environment it is attempting to inhabit from being tenable to untenable.
That is like criminals cyber-agents can be negated by individuals at their front door with an appropriate measure. Cyber-agents are not individually in any way an overwhelming force, a simple measure that keeps one instance out of your house will stop all instances of that cyber-agent entering your house.
Thus the only method of attack cyber-agents have is the unpreparedness of their potential victims. They can exploit this unpreparedness either by stealth or speed. We see a speed attack by the way it clogs up the networks and swallows other resources, we don't see stealth attacks except by chance or if they cease to be covert in their activities.
By and large a speed attack has an advantage of only a very short time window before action is taken to nullify its threat. Thus this can be negated by "speed of response" to deny it the resources it needs to continue being a threat.
It is the stealth angle that is the real issue and is what APT is all about (and yes this is a very real concern). Its main danger lies in two areas espionage and timed first strike attacks. Neither would be possible if the systems we deployed were either appropriately secure or appropriately checked (ie we are unprepared in our defense).
But as detailed earlier espionage is a crime it is not of necessity a crime against the society we live in thus it is not in and of itself prosecuting a war.
Likewise a first strike is again a crime from within society it is not of necessity a crime against the society we live in and even where it is it is not of necessity anything other than a nuisance.
Cyber-crime or cyber-attacks are only of use where people have and are in some way dependent on cyber-systems.
A first strike could debilitate a society or even destroy it but, so could any natural or man made disaster of sufficient magnitude it does not of necessity make it a war.
@ overhyped and underloved
"what's WRONG with the article's arguments?"
Nothing. There is however a subtle nuance between blanket dismissal and blind buy-in in yet another scare until somewhere in the near future 75% of the entire national budget goes to DoD and DHS. If only the war on poverty was waged with the same diligence as the war on terror, just imagine how many lives that would save or improve ...
Imagine how many lives would be saved or improve if our politicians weren't allowed to invest their billions into the war machine for their own profit.
Force poverty to hurt the white-collar bottom line and it will evaporate, along with most of the street crime in the country. Makes me think of an old Mad TV skit where some drunkard president cures AIDS and cancer overnight by giving the diseases to the 10 most powerful people in the country.
The 'war on terror' will rage on until its ability to make our politicians rich wears thin.
@overhyped and underloved
"To those who claim it's overhyped: what's WRONG with the article's arguments?"
Simple. No healthy person has ever died as a direct result of a "cyber attack". Look at the battlefields of past wars. See the difference?
Therefore, it is over-hyped as "war".
Next, it is over-hyped as a threat. Basic procedures that should be followed to keep out the script-kiddies will be sufficient to keep out the "cyber attacks".
Finally, so what? Even if all the hype were true, what then? Is the USofA going to surrender to China without an invasion just because our computer crashed?
Just because no one (that we know of) has yet been killed by remote cyber attack doesn't mean it's impossible and won't or can't happen. There are a ton of marginal (I'm being nice!) security SCADA systems out there controlling things that if messed with WILL kill people -- and they are controlled by Windows XP and on the Internet for the convenience of the owners.
Heck, there's cases where just yelling "fire" in a crowded bar has killed people due to the stampede.
Just because a spy (that int producing vector) doesn't shoot a person, doesn't mean they weren't killed as a direct result of the spy's actions either. Maybe the intelligence he developed helped someone else decide who to kill -- the net result is more or less the same -- the target's dead. Does it really matter if the intel was humint or cyberint? Sure doesn't to the target.
China's stated approach isn't to take over some country via cyber attacks. It's to make it *easier*, which of course would save lives on China's side in a war, and probably some on the other side as well. Or, phrased as defensive, to mess up any attacker and make them less effective. They know what they're talking about.
Heck the panic you could create just by messing up a whole country's JIT grocery delivery system would kill some people from fighting over their fear of "no food". You wouldn't even have to affect more than one or two of the major chains in this country to have the effect. No you can't just double shipments the next day -- there aren't twice the trucks or twice the roads, or twice the warehouses. In fact I heard the other day that WalMart is so hand to mouth that they are using reefer trucks in parking lots to augment their inadequate warehousing (which is costing them a lot of money -- trucks are inefficient refrigerators).
A man is smart. People are dumb, and they'll destroy themselves if you get the right memes into their heads.
The real battle might just be there -- in people's heads. Note how the Russians just picked up and moved on when someone blew up a bomb in an airport -- the terrorists didn't win that day, life moved on. We'd have shut down all the airports for a couple days!
Forgot to name an obvious case where fear alone became self fulfilling. Anyone here remember the gasoline panic in the early '70s? Due to fear, many who were fine with 1/4 tank of gas left before getting a fillup suddenly got paranoid and kept their tanks full all the time, spiking the demand for gasoline to the sky instantly...and making the problem far worse than it needed to be. Don't know how many that one killed (a few certainly -- there was violence in some of the lines) but in man-hours wasted alone, it would amount to many lives. I was a pro driver (actually, a mainframe repairman for DEC) at the time, so I saw it for real and up close.
Work it out, with all the millions of cars, and their per-car capacity of 3/4 tank of gas suddenly all needing to be "full" all that time, that's quite a demand spike, and it happened overnight, faster than the system could react. Groceries might be worse (and a lot easier to hack).
I note that if the computers at most grocery stores were down, they'd not know how to do it by hand anymore. I've had it happen where some item couldn't scan and they couldn't sell it because no one knew what the price should be...and they are secured very minimally at the POS terminals, and hooked up to the 'net as a cost saving feature over dedicated landlines.
If you can halt a company’s operation through a spam or DDOS, the intrusive and targeted malware like Stuxnet presents a clear and present threat to a country’s economy and critical infrastructure. It may be overhyped in some cases but it is a threat which every nation should be prepared for to protect their critical infrastructure. It may be a defendable threat if you are prepared by using reasonable safeguards.
"Just because no one (that we know of) has yet been killed by remote cyber attack doesn't mean it's impossible and won't or can't happen."
That is correct. It does not mean that it could not happen.
But it does mean that you have slipped into "movie-plot threat" territory.
I disagree about Stuxnet: dismissing Stuxnet for not being the norm is not a good idea. On the other hand, I agree about the inapplicability of statistics. Demonstrating cyber-war shall be qualitative rather than quantitative. Cyber-war shall be dealt with, but it cannot be demonstrated by statistics, but by analysis of all that has not yet happened.
See interesting post about the research: http://www.hbarel.com/blog/index.php?itemid=48
Re-Writing your comment here:
I still say that until a healthy person at home is killed by a "cyber attack" then the usage of "cyber war" is wrong.
Posted by: Brandioch Conner at January 21, 2011 1:23 PM
With due respect to all of you, I disagree with this point. See the thing is that we cannot directly compare the "Cyber War" with the "Conventional War". There is a big difference in this.
You cannot kill somebody with a DDOS attack or a 0-day (everyone knows that). However the impact of a Cyber War is considerably high. We call this threat as a "Cyber War" only because it's happening in the Cyber Space. It doesn't mean to kill someone, but rather compromising critical infrastructure or penetrating into military or may be corporate networks to attain confidential information. And in my point of view Cyber War is not an Independent threat - Cyber Crime, Cyber Espionage etc are directly interconnected with this. Unlike the Conventional War, Cyber War is not only supposed to happen between two nations (Wikipedia definition is missing some points). Even an individual or a group can perform it (Wikileaks #Anonymous operations for instance). And again if a country wants to conduct a Cyber War against another country they can do it without announcing a WAR, that makes the Cyber War different. I agree with the fact that media is inflating this threat - But, see they are born for that, let them do their work - at least people who are in the industry know the impact of this threat.