Schneier on Security
A blog covering security and security technology.
« Terrorism in the U.S. Since 9/11 |
| Preventing the Theft of Wire Cutters »
August 26, 2011
The Problem with Using the Cold War Metaphor to Describe Cyberspace Risks
Nice essay on the problems with talking about cyberspace risks using "Cold War" metaphors:
The problem with threat inflation and misapplied history is that there are extremely serious risks, but also manageable responses, from which they steer us away. Massive, simultaneous, all-encompassing cyberattacks on the power grid, the banking system, transportation networks, etc. along the lines of a Cold War first strike or what Defense Secretary Leon Panetta has called the "next Pearl Harbor" (another overused and ill-suited analogy) would certainly have major consequences, but they also remain completely theoretical, and the nation would recover. In the meantime, a real national security danger is being ignored: the combination of online crime and espionage that's gradually undermining our finances, our know-how and our entrepreneurial edge. While would-be cyber Cold Warriors stare at the sky and wait for it to fall, they're getting their wallets stolen and their offices robbed.
If the most apt parallel is not the Cold War, then what are some alternatives we could turn to for guidance, especially when it comes to the problem of building up international cooperation in this space? Cybersecurity's parallels, and some of its solutions, lie more in the 1840s and '50s than they do in the 1940s and '50s.
Much like the Internet is becoming today, in centuries past the sea was a primary domain of commerce and communication upon which no one single actor could claim complete control. What is notable is that the actors that related to maritime security and war at sea back then parallel many of the situations on our networks today. They scaled from individual pirates to state fleets with a global presence like the British Navy. In between were state-sanctioned pirates, or privateers. Much like today's "patriotic hackers" (or NSA contractors), these forces were used both to augment traditional military forces and to add challenges of attribution to those trying to defend far-flung maritime assets. In the Golden Age of privateering, an attacker could quickly shift identity and locale, often taking advantage of third-party harbors with loose local laws. The actions that attacker might take ranged from trade blockades (akin to a denial of service) to theft and hijacking to actual assaults on military assets or underlying economic infrastructure to great effect.
Ross Anderson is the first person I heard comparing today's cybercrime threats to global piracy in the 19th century.
Posted on August 26, 2011 at 1:58 PM
• 16 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Piracy in 19th century? Wasn't it more like late 17th to early 18th?
No mention of copyright in the article. Will this lead to a change in terminology that applies "piracy" to something else?
Piracy continued into the first half of the 19th century, although at decreased levels from earlier times. It never completely went away -- we have it still, currently off Somalia and elsewhere.
Plus, privateers who "went off the rails" were also regarded as pirates by all (except possibly their sponsoring states).
It's a good analogy, actually -- it allows for non-state actors, sort-of state actors, and state actors. Much better than the Cold War, which mainly only involved state actors -- and where MAD was involved.
"Ross Anderson is the first person I heard comparing today's cybercrime threats to global piracy in the 19th century."
As I read this I found myself imaging Ross in his kilt, with a wooden leg, eyepatch and parrot. Worrying, it wasn't had to imagine. Particularly the point where he cries for more grog.
My favourite ever quote:
"While would-be cyber Cold Warriors stare at the sky and wait for it to fall, they're getting their wallets stolen and their offices robbed."
I am going to use that one. Repeatedly.
That's an interesting article comparing cyberspace to piracy on the high seas, however, the author seems to think that the cold war only consisted of a nuclear standoff. Maybe he is too young to remember that there was plenty of espionage and sabotage that went along with it which is precisely why it was called a cold war instead of a hot one.
To say, "Well, the U.S. would recover from an attack on the power grid etc." and therefore discount the threat is like understanding that the U.S. recovered from Pearl Harbor, therefore it shouldn't be as big a deal as it's made out to be.
Henry Stimson closed the U.S. cryptanalysis office in 1929 by saying that "Gentlemen don't read other gentlemen's mail." While they did have some successes before the war The U.S. was behind in cryptanalysis at the start of WWII. As far as I'm concerned, I don't really care about treating the oppressive commie Chinese government with gentlemanly respect.
Ross being British? For sure the British navy cleaned out the Caribbean of pirate infestation in the early 18th century. Iirc Nassau was the last major hub to fall, Port Royal having succumbed to an earthquake in 1692.
Agrippa, Augustus' right hand man, cleared out pirates in the Mediterranean in a summer, sweeping it clean. We're talking ~2000 years ago in the age of triremes. Quite the achievement. Then again this Agrippa achieved so much more. Worthwhile to read up on him!
"To say, "Well, the U.S. would recover from an attack on the power grid etc." and therefore discount the threat is like understanding that the U.S. recovered from Pearl Harbor, therefore it shouldn't be as big a deal as it's made out to be."
The problem with the comparison is that prior to Pearl Harbor, everyone involved understood the effect of bombs hitting ships.
An Internet-based "attack" on the power grid is completely hypothetical. That includes the effects that such an attack would have.
Not to mention that any good admin will already have taken precautions to mitigate such actions even if based upon a fire / earthquake / hurricane scenario instead of an Internet-based attack.
"The actions that attacker might take ranged from trade blockades (akin to a denial of service)"
The author has it backwards. Blockade runners were the "privateers" that snuck in and out of naval blockades. The so-called smugglers were not blocking trading of goods, they were moving (data, information, goods) thru controlling blockade by evading detection.
To expand on the illustration, the military used blockades to control the flow of goods. I wonder if the author would consider an embargo, tarriff, or trade blockade an attacker?
$43 billion lost last year to cybercrime in UK alone! Thats almost 2% of UK GDP. Seems awfully high. Anybody have any idea how these numbers are arrived at? Reminds me of the RIAA's numbers on losses to their kind of "piracy".
I thought Berkeley Breathed covered this metaphor repeatedly in the 1980s, and while he was willing to describe extreme consequences, they're treated as comic hyperbole.
I would just like to point out that some time ago on this very site I compared the "code war" to the American Civil War. IIRC both Richard and Clive participated in that discussion.
I make no grand claims to fame for what I wrote; I only mention it to point out that there have been other people who think that the Cold War is a rather inapt comparison for the current state of affairs.
@ Ian Mason,
"As I read this I found myself imaging Ross in his kilt, with a wooden leg, eyepatch and parrot"
And the parrot would be saying "pieces of seven, pieces of seven"...
[for those not old enough to remember V24 signaling go visit the Edinburgh Festival Joke page]
What should be mentioned is that this "problem" appears mainly to be US in origin.
The reason for this might be the squabbles between the various parts of the elected US Government trying to get primacy on "cyber-anything"
Have a look at one perspective on this from Prof Spafford,
I heard Steve Forbes compare cybercrime to 19th century pirates and invoke Thomas Jefferson's response in 2004.
*"Piracy in 19th century? Wasn't it more like late 17th to early 18th?"*
@Tomasz: "19th century" refers to the 1800's. We are currently in the 21st century.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.