The Cyberwar Arms Race

Good paper: "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy," by Jerry Brito and Tate Watkins.

Over the past two years there has been a steady drumbeat of alarmist rhetoric coming out of Washington about potential catastrophic cyber threats. For example, at a Senate Armed Services Committee hearing last year, Chairman Carl Levin said that "cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects." Proposed responses include increased federal spending on cybersecurity and the regulation of private network security practices.

The rhetoric of "cyber doom" employed by proponents of increased federal intervention, however, lacks clear evidence of a serious threat that can be verified by the public. As a result, the United States may be witnessing a bout of threat inflation similar to that seen in the run-up to the Iraq War. Additionally, a cyber-industrial complex is emerging, much like the military-industrial complex of the Cold War. This complex may serve to not only supply cybersecurity solutions to the federal government, but to drum up demand for them as well.

Part I of this article draws a parallel between today's cybersecurity debate and the run-up to the Iraq War and looks at how an inflated public conception of the threat we face may lead to unnecessary regulation of the Internet. Part II draws a parallel between the emerging cybersecurity establishment and the military-industrial complex of the Cold War and looks at how unwarranted external influence can lead to unnecessary federal spending. Finally, Part III surveys several federal cybersecurity proposals and presents a framework for analyzing the cybersecurity threat.

Also worth reading is an earlier paper by Sean Lawson: "Beyond Cyber Doom."

EDITED TO ADD (5/3): Good article on the paper.

Posted on April 28, 2011 at 6:56 AM • 38 Comments

Comments

GreenSquirrel • April 28, 2011 7:28 AM

I can't really complain too much, because more than half my work is the result of over-inflated ideas about Cyber-Doom...

While, morally, I can't support the over-hyped rhetoric, it certainly pays the bills...

BF Skinner • April 28, 2011 8:07 AM

Well, the WORST case scenarios ARE bad.

But every system is not critical to the nation or their owners. I got blamed for recommending a patch application to a 'critical' HR system that brought the buggy, unstable, untestable PoS system down. And it was down for over a week. Yet people got paid, got orders, got benefits. That's when I learned system owners/managers often conflate 'critical to my career' with 'critical to the organization'.

DayOwl • April 28, 2011 9:03 AM

It sounds a lot like the justifications to feel people up at airports. The point isn't security. It's control of the cyberspace they're after.

Richard Steven Hack • April 28, 2011 11:04 AM

One might add that the same run-up to the Iraq war is being pushed today with regards to Iran. Which is why we're seeing self-fulfilling "cyberwar" prophecies via things like Stuxnet and whatever this new worm the Iranians are complaining about (if it exists) is.

If we weren't flogging the Iran bogeyman, Stuxnet might have waited a few more years to happen and the hype over "cyberwar" might be a bit more muted at this point.

Of course, if we weren't flogging Iran, we'd be flogging China or North Korea, so maybe not.

Clive Robinson • April 28, 2011 11:13 AM

@ DayOwl,

"The point isn't security. It's control... ...they're after."

Yep and the Politicos will give it to them.

Originally the Politicos were all for the Internet or "Information Super Highway", then they discovered it had a down side. Every time they opened their mouths someone would point out, in hours if not minutes, that what they said was untrue or contradicted an earlier statement they had made.

Once the politicos controlled the media on a nod and a wink, because they had the power to make life extremely difficult for media tycoons etc. But the Internet destroyed that, and if you notice you will see that the Politicos are controlled by the media these days.

The Internet gave some journalists rapid access to information that they would otherwise miss. Once somebody on the Internet said "Hey, Senator Smith said the opposite in his speech of the 18th June three years ago" they simply had to look it up, not spend considerable time searching on the off chance.

This enabled them to get stories together more rapidly than their colleagues, who fairly quickly caught on (now some journos spend their whole life cutting and pasting from the Internet and don't even bother to fact check; they just chuck it up online and it becomes the perceived truth).

The Politicos tried in various ways to get hold of the Internet by putting out their own spiel first, but this has failed them.

Thus the politicos run scared of the Internet (see the recent capitulation by the current US President with regards to his birth certificate, and the very fringe politics of the "birthers" made more mainstream by certain blow-dried billionaires).

The fear spread by these "cyberwar merchants of doom" is actually a sales pitch, as it enables them to say "give us the control and we can sort out your other problems as well"...

echowit • April 28, 2011 11:21 AM

A little off-topic, but the comment level on this site amazes me -- only 3 comments and most of what I wanted to say is already covered.

1 - Spent 40 years in aerospace - Good living but troubled conscience ...

2 - Have experienced Mgt rejections of programs that "are going to tell me what I don't know" ...

3 - I now know what Erica Jong was really saying ... (OK, a little lol on that one)

Mark R • April 28, 2011 11:39 AM

Is this PDF crashing Acrobat for anybody else, or just me?

(conspiracy theory time)

What better way for the APT to get malware onto our cyber-warriors' machines than to troll them all with a PDF purporting to be a paper claiming that there's no such thing as cyberwar?

It's... brilliant!

Ron S • April 28, 2011 11:58 AM

I am experiencing the same thing as Mark R. Now, if I could only find that tinfoil hat ...

Scared • April 28, 2011 12:16 PM

Even worse: My Acrobat reader is really slow now with any locally stored PDF...! I hope I'm imagining this? Eeeek!

Brandioch Conner • April 28, 2011 1:06 PM

Ditto with the problems with Adobe Reader 9 and that file.

Similar problem when trying to open with IE 7.

Running WinXP at the moment.

Mark R • April 28, 2011 1:33 PM

Fully patched Adobe Reader X here... first attempt was via the Reader plug-in in Opera... crashed.

Second attempt, downloaded the file locally and opened natively in Reader. Crashed.

If I were running the US Cyber War effort, the first thing I'd do is shut down Adobe Software.

Captain Obvious • April 28, 2011 1:41 PM

@ Adobe crashers
Bruce posts three full paragraphs...and you STILL need to read the article? pffft.

@ • April 28, 2011 2:29 PM

@ Captain Obvious - lol

@adobe crashers:
Google at your service - search for the article and use html view

NZ • April 28, 2011 3:04 PM

Current software IS buggy and full of security holes (Adobe Reader is not the worst, btw), BUT what we need is better code, not agencies and regulations.

Dirk Praet • April 28, 2011 3:34 PM

The same people that brought us smash hits like the Gulf Wars, Afghanistan, the war on terror and the Patriot Act have for a while now been upping the rhetoric on the new threat on the block: "cyber doom".

With their impeccable track record of correct identification, assessment and efficient solutions, it's probably only a matter of time before people like Bruce and other sceptics will be labelled "traitors" by popular media, as was the case with folks such as Martin Sheen, Sean Penn and Susan Sarandon when they spoke out against a new invasion of Iraq in the run-up to the second Gulf War.

It would stand to reason that such well-meaning patriots would express similar concern or advocate action with regards to other potential threats to society:

- Financial crisis: Er, no. They deregulated the entire industry to the point that full implosion of the system could only be averted by a massive taxpayer bail-out. Caused more damage and casualties than OBL would ever be able to.
- Environmental protection: Not really. Oil companies get tax benefits and drilling rights everywhere. The BP fiasco caused one of the biggest man-made environmental disasters in human history. If OBL would have blown up the Deepwater Horizon, they would all have been yelling bloody murder and the DHS budget would have doubled overnight.
- Global warming: No. That's a leftist myth.
- Education and healthcare: Nope. Cost cutting everywhere. In most civilized countries however considered as basic pillars of society.
- Renewable energies: hippie crap. The American way is oil, coal and nuclear power. If ever we run out of them, we'll get them somewhere else.

And the list goes on. It just goes to show that none of these fear-mongers give a damn about the public's safety or well-being. The only thing they care about is improving the status of their own wallet and position. The only threats - real or perceived - they'll jump on are those that can further this purpose.

Richard Steven Hack • April 28, 2011 6:15 PM

Motivated by the PDF crashing comments, I downloaded and opened using Adobe Reader.

No problems.

No worries, either.

Ah, Linux!

OTOH, the other day I experienced for the second time since I upgraded to openSUSE 11.3 from 11.3 something I've never experienced on Linux before - a total hard lock. Something to do with the video driver presumably. I switched from one screen to another using Alt-Tab as usual. Total lock. No keyboard, no Alt command, no cursor, nothing. Had to hit the button like it was Windows...(sigh)

Dirk Praet • April 28, 2011 6:41 PM

Just tested the .pdf on OpenSuSE 11.2, KDE 4.6.2, Acrobat 9.4.2, Firefox 4.0. Firefox tab freezes when opening the .pdf; all other open tabs remain fully functional. Save the .pdf first, then open in Acrobat: no problem whatsoever.

Dirk Praet • April 28, 2011 6:50 PM

@ Richard Steven Hack

"a total hard lock"

Have you run a full RAM check lately?

Mauro S • April 28, 2011 8:19 PM

Threat inflation was a common fixture of the whole cold war arms race ("bomber gap", "missile gap" etc). As General Smedley D. Butler well said, "war is a racket".

Richard Steven Hack • April 28, 2011 9:09 PM

Dirk: Nope, but I do know one of my hard drives is overheated according to the S.M.A.R.T. sensor. Not sure why, it's a hot machine but not that hot.

Just noted Firefox released 4.01 and there's this fix in it: "Other notable fixes include a issue where Adobe pdf documents with a size larger than 5 Megabytes could not be loaded in the browser"

Might be related.

Richard Steven Hack • April 28, 2011 9:28 PM

TSA offtopic: Techdirt says the following:

As the TSA is busy sexually assaulting Miss USA, apparently it's not paying very close attention to everyone else. The TSA has confirmed that in the past five days alone, it has had to shut down security screenings three separate times, at Newark airport, after screeners accidentally let passengers go through without being "fully" screened. These aren't cases of people sneaking through either. Apparently, it involved people designated for further screening who were then ignored and went about their businesses of heading to their gates and boarding their flights. I wonder if those people were able to get liquid through to the gate area!

RSH's take: If you're a terrorist, just hang around long enough or try enough times and you'll get through...probably with your Uzi in your shorts...

The nice part about this is that they're letting people get by who were ALREADY FLAGGED for further screening - exactly the people you presumably do NOT want to get by!

tommy • April 28, 2011 10:07 PM

Use Foxit reader (free). 1/100 the footprint of Adobe reader. Which is also about 1/100 the attack surface, or space for faulty code...

Whatever reader you use, disable JavaScript support. (d'oh).

Seems that by the time I got here, the PDF was replaced by a standard HTML web page, so I can't test it (with Foxit on Windows). Anyone have the old link?

Disclaimer: I have no personal or financial interest in either Adobe or Foxit, but given Adobe's latest zero-day Flash vuln a week or so ago, and their long list recently, they're on the "avoid if possible" list.

Coincidentally, this ties in with this writer's post at April 28, 2011 9:44 PM board time (apparently, Bruce's Minneapolis/Central time?), on WiFi security vs kidporn, which was posted before reading this. Pertinent excerpt:

"Another issue is the environment created by "crisis". (If there isn't an actual crisis, make one up.) Wars were formerly the justification for discarding civil rights. FDR used the "War Powers Act of 1917" to confiscate gold in 1933. Didn't they sign a treaty in 1918?...

WWII saw imprisonment of perfectly-innocent American citizens of Japanese descent.

Now, 9/11 and terrorism are the buzzwords to move us from John Stuart Mill to Karl Marx, "the end justifies the means".

The syllogism goes like this:

Terrorism is horrible.
Therefore, any means to fight real, suspected, possible, or imaginary terrorism is justifiable.

Which gets extended to:

Kidporn is terrible.
Therefore..... (ditto)

And on, and on...
********
Add "cyber-warfare" to the above portion, and no need for this writer to comment further.

Clive Robinson • April 29, 2011 4:16 AM

@ Richard Steven Hack,

"Of course, if we weren't flogging Iran, we'd be flogging China or North Korea, so maybe not"

North Korea has been the favourite "pig in the poke" of the US war hawks for well over forty years (actually you could say from the beginning of the Korean war).

In many respects the US has taken "pot shots" at North Korea in the way China takes "pot shots" at Taiwan. So the "Cold War against Communism by proxy" is still alive and well.

Which is the reason I still think that Stuxnet was not actually aimed at Iran but North Korea.

My reasoning is that the US has been trying to attack the North Korean nuclear program unsuccessfully for many years. This lack of success is due to the fact that North Korea is effectively a "closed country", so getting at their nuclear program directly would be at best extremely difficult.

Further, North Korea is more of a concern to the US than countries in and around Iran and Iraq. This is because of where they are and that they have a well developed long range missile system more than capable of being used as a nuclear weapons delivery platform, with an assumed/known range that brings many countries such as Japan well into range.

All of which makes North Korea a significant problem (or "threat" in war hawk talk, although the US is not really at risk). So what to do about the North Korean nuclear program, which had actually produced and tested a research nuclear bomb?

Although North Korea is effectively closed, it was known through the behaviour of the head of Pakistan's nuclear program AQ Khan and his Swiss operation Khan Labs that North Korea traded long range missile technology in return for nuclear enrichment technology. But importantly, Iran and North Korea started doing technology swaps with their respective scientists and technicians "visiting" each other when Khan's little "private enterprise" got closed down.

Because it was highly likely that both North Korea's and Iran's enrichment systems used exactly the same control system, anything that slowed / disrupted Iran had a very very good chance of ending up inside the North Korean nuclear program.

Further, it appears it might have actually got there, because North Korea secretly developed a completely new enrichment system at the site of their old decommissioned plutonium production reactor around about the time Stuxnet was released. We only publicly found out about this when the North Koreans "invited" nuclear inspectors in to see the new enrichment plant when Stuxnet was at the peak of newsworthiness. And whilst happy to let the inspectors see the two thousand or so centrifuges, they made very very sure that the inspectors could not get at or even see in any way the control systems.

This was effectively the diplomatic equivalent of the North Koreans sticking their tongue out at the US and blowing a very public raspberry to tell the US they had failed with Stuxnet.

I would certainly have liked to be a "fly on the wall" at the various emergency meetings in the US trying to explain that up the chain of military and political command ;)

pretty_pink • April 29, 2011 6:12 AM

These are normal tools for control. Scare people, then put draconian measures in place. The worst part is that most people will welcome it; they're already mentally prepared to be afraid.

Basically some aspects of the internet are growing out of the control of the powerful. An example is the emerging economy being facilitated by bitcoin. Expect the standard cries about criminals and terrorists - if it can't be controlled it must be demonized, then destroyed. Same tactics used by the RIAA et al.

BF Skinner • April 29, 2011 10:09 AM

@Clive: "favourite "pig in the poke" of the US war hawks for well over forty years (actually you could say from the beginning of the Korean war)."

Actually you could go back to when Roosevelt (Teddy not Franklin) stood aside and abetted the Japanese annexation.

vlion • April 29, 2011 10:38 AM

After reading a ways into the paper, I grew tired of the Bush-bashing and closed it.

I thought it would be a cyberwar-analysis, not a screed about prior US administrations.

regular_guy • April 29, 2011 3:53 PM

"cyberweapons and cyberattacks potentially can be devastating, approaching weapons of mass destruction in their effects."

This statement worries me a bit. The Hiroshima bomb was about 15 kilotons and killed anywhere from 80000-200000 people depending on the source you use. The Russians built a bomb called Tsar Bomba that had a yield of 100 megatons. They actually reduced the yield to 50MT so the test wouldn't spread fallout over northern Russia. Check out the link and imagine if the full yield version was dropped into the center of New York or Hong Kong. Comparing malware, buffer overflows, and DDoS attacks to a weapon of mass destruction shows a lot of ignorance.

There might be some economic effects if banks were targeted and the banking system shut down for a few days while they restored from backups. Government and smart commercial organizations keep the most important and sensitive systems/data on intranets that don't touch the internet. The worst case I can imagine is a few days of inconvenience.

Am I missing something or am I correct to think this claim is absurd? I think this man is fear mongering for some ulterior motive or has a complete lack of understanding of computers and telecommunications. Either way I don't think he should be writing defense related legislation.

I think the biggest threat to the US government's information systems security is disgruntled insiders, not the Chinese. Just look at how much information WikiLeaks has gotten its hands on. I think the US government should look into how they can attract better employees and keep them happy. Someone satisfied with their job doesn't leak CDs full of data.

asd • April 29, 2011 4:57 PM

@regular_guy, Cyber warfare could have the damage of WMD. If, say, the ISPs get shut down, there's no electronic payment (not enough cash); will power be affected by lack of communication or by people not being able to pay for it? Will supermarkets be able to communicate food deliveries? Will automatic water systems fail?

Riots could do just as much damage as a nuke.

Richard Steven Hack • April 29, 2011 6:15 PM

Clive: Excellent points about North Korea. I suspect there might have been TWO targets intended for Stuxnet - Iran (for the benefit of Israel and the US) and North Korea (more for the benefit of the US, since Israel actually does business with North Korea.)

Asd: "Riots could do just as much damage as a nuke" Uhm, no, not even close. Even if you're imagining total economic collapse as a result of a cyberattack, which is about as likely as the Year 2000 collapse of civilization. In fact, even a nuclear attack on the 50 largest cities in the US, as predicted back in the Cold War days, was unlikely to lead to *total* collapse.

asd • April 29, 2011 7:07 PM

@Richard Steven Hack, What would be the situation of targeting the 50 largest farms or small towns?

If you leave out governments and large business, and install a DDoS exploit on home computers, with a payload targeting Cisco/Juniper/check routers, what would be the possible effects?

regular_guy • April 30, 2011 5:46 AM

@asd,

Even if a large scale shutdown were to happen, it might take a day or two for most places to restore vital services from backup. There is still cash and checks to keep things going with if electronic payment systems shut down for a few days. Supermarkets could always pick up the phone and call in their orders like they used to. They could also keep standing orders where they repeatedly order the same items in the same amounts every week.

Let's say some magical malware makes a botnet with every Windows PC in the US. ISPs would simply shut down connections leading to residential modems so vital connections like payment systems stayed up. In commercial settings, any firewall administrator worth their paycheck would notice a huge amount of traffic addressed to the same few addresses/ports and immediately block those connections. The ISPs would likely shut down residential services to keep their business customers running.

I doubt ISPs' layer three device ACLs would accept routing or firmware updates from any old address that would make a complete ISP shutdown possible.

Any organization worth their weight in garbage has disaster recovery plans to keep business running if such a thing were to occur.

A modern nuclear weapon has the potential to wipe ANY modern city off the map. A large scale attack would be inconvenient and cost a lot of money, but does not even come close to the economic damage and death toll of a powerful fusion weapon in a major economic center like New York City or Tokyo.

mrUniverse • April 30, 2011 6:56 PM

@regular_guy
I think you may want to take another look at Stuxnet before asserting that intranets and backups are safe because they don't touch the internet... also, consider that there is a difference between what NSA/GCHQ/FSB types do (Stuxnet presumably being one example) and the "petty crime" DDoS/commercial espionage issues that those in the private sector deal with; many of the posters here are in effect asking why we have an air force when the muggers they see on the news don't have pilot's licenses...

Richard Steven Hack • May 2, 2011 5:05 PM

Asd: "What would be the possible effects?"

It would be fixed by the end of the week.

The 50 largest farms and small towns? Really? No one would notice except those directly affected.

It's like the line in the James Bond movie: "Well, if we destroyed Kansas, the world may not hear of it for years."

You're seriously underestimating the resilience of society.

Now I COULD bring this country to its knees within a year with effective physical terrorism. But cyberterrorism? No chance. It's like the stupid Weatherman group in the Sixties blowing up buildings without killing anyone. They were ignored. You have to kill a lot of people to do effective terrorism. Cyberterrorism can be mediated once it's detected, unlike physical terrorism (until you catch the guys doing it which can be incredibly hard to do).

asd • May 2, 2011 6:41 PM

Richard Steven Hack, "It would be fixed by the end of the week." Those defensive measures: can you, or anyone you know, get past them? If yes, they wouldn't be defensive.
If it's governments that keep people in check and repair damage, and they can't communicate between themselves (what's the damage of anarchy)? It might be preventable now, but what new technology will destabilize the model?

Time frame: quick, or slow and steady.

regular_guy • May 3, 2011 6:39 AM

@asd,

"If it's governments that keep people in check and repair damage and they can't communicate between themselves (what's the damage of anarchy)."

Governments maintained control before telecommunications.

@mrUniverse,

Destroying a few centrifuges hardly compares to the hundreds of thousands to millions of deaths a nuclear weapon is capable of. The really sensitive assets not only don't touch the internet, but require two people to be present at all times when the asset is being accessed. Both persons have gone through in depth background investigations. With the severe penalties for defecting (think Bradley Manning), it would be incredibly risky to even hint to the other person required for access you were even thinking about defecting.
