Schneier on Security
A blog covering security and security technology.
September 23, 2011
Three Emerging Cyber Threats
On Monday, I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal:
- The Rise of Big Data. By this I mean industries that trade on our data. These include traditional credit bureaus and data brokers, but also data-collection companies like Facebook and Google. They're collecting more and more data about everyone, often without their knowledge and explicit consent, and selling it far and wide: to both other corporate users and to government. Big data is becoming a powerful industry, resisting any calls to regulate its behavior.
- Ill-Conceived Regulations from Law Enforcement. We're seeing increasing calls to regulate cyberspace in the mistaken belief that this will fight crime. I'm thinking about data retention laws, Internet kill switches, and calls to eliminate anonymity. None of these will work, and they'll all make us less safe.
- The Cyberwar Arms Race. I'm not worried about cyberwar, but I am worried about the proliferation of cyber weapons. Arms races are fundamentally destabilizing, especially when their development can be so easily hidden. I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliably trace a cyberweapon leading to increased distrust. Plus, arms races are expensive.
That's my list, and they all have the potential to be more dangerous than cybercriminals.
Posted on September 23, 2011 at 6:53 AM
As always, I agree very strongly with most of your observations on security, especially with the first two points you made.
However, even though I'm only into the second year of an Information Security degree, I fail to see 'cyberwars' and 'cyberweapons' actually having any real existence outside the minds of politicians who seem to be influenced by science fiction instead of facts. Of course, there are 'security tools' which most of us have anyway, and there are sometimes politically-motivated attacks on networks, but the ones I'm aware of are pretty mundane and have always accompanied a real-world event/conflict.
I assume when you say in your second threat,
"I'm thinking about data retention laws,"
You actually mean the laws that require low level (pen&trace) data be retained for months or years and in some cases higher level person to person or person to service (content) data be retained for an unspecified period of time (as seen in the US, UK and Europe etc).
And not laws such as the UK and European "Data Protection" legislation that requires data be either not held or held in a minimal format, and be accurate and non-prejudicial.
Shortly after 9/11 I predicted that the security behaviour in the US & UK would follow a similar path to that of other "open societies" in preceding times, that is the level of surveillance would rise quickly, level out and then decay away as the cost burden became excessive (which destroyed a number of "closed societies" such as East Germany).
Sadly the cost of technology appears to be dropping such that the cost of mass surveillance and the associated data storage costs appear to be actually decreasing in real terms whilst the political desire to "know everything" has not waned in the slightest. And importantly, whilst being a significant burden, the cost is somehow still being supported by the US and UK economies.
Thus we appear to have reached a plateau where there is not sufficient economic pressure to cut back on Government surveillance and storage, and this is really frightening.
The original Robert Morris worm nearly brought down the internet as it was then.
Governments are planning tools to lock down "their" internet at the first threat; Anonymous et al are working on easy to use tools for DDOS and other distributed hacking; various corporations and governments are working on "quick response" tools to strike directly against a perceived attack.
My guess is that the majority of these tools will be misused before they're used. And the damage they will cause will be far worse than Morris' worm. And barely anyone will notice :-)
If you don't think cyberweapons and warfare are a very real endeavor then you have a lot of learning to do in both the technology domain and the real world. War is big business. Physical or logical. Eisenhower's speech on the Military-Industrial Complex rings true today...but it also rings true with cyberweapons. There are plenty of contractors and private organizations developing these tools for the government. First it starts with covert malware/devices to eavesdrop and snoop on ambassadors and diplomats all over the world...but it escalates from there. This is very real.
“The world is not only stranger than you think it is, it's stranger than you can think it is.” -JBS Haldane.
This survey came to my mind when reading about the increase in cyberspace regulation:
Norwegians are actually more skeptical towards anti-terrorism measures than they were before the terror attack that happened in July.
Could this be a small sign that we have actually learnt something from the post-9/11 period?
Very interesting that all of these harms are self-inflicted. I.e. the damage we do to ourselves is worse than what the bad guys do.
Bruce, I agree though I think the train has left the station on #1 and #3. Companies like Google and Facebook have already embedded a cultural norm that sharing of this data is OK so I doubt Big Data will ever go away.
Regarding cyberwar, you make a good point about it being expensive, but as you probably know, there are many government contractors who are making a lot of money as this is the "new thing". With budget cuts in other areas, cyber warfare is likely a growth market for them.
BTW, what were the reactions of other panel members to your presentation?
Security threats have existed on the Internet ever since the very first computer virus was created. Today, state-sponsored entities and other highly organized groups are coordinating to create ever more sophisticated threats, and the military is sounding the alarm (or as I see it playing up the threat to get more funding). However, this does not change the fundamental truth about a "cyberwar", which is that a network attack can be boiled down to pulses of light and electricity across conduits on a network.
I like DMV quote on this page: https://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html
"A real-world comparison might be if an army invaded a country, then all got in line in front of people at the DMV so they couldn't renew their licenses. If that's what war looks like in the 21st century, we have little to fear."
I wanted to address the "covert malware/devices to eavesdrop and snoop on ambassadors"... that has been brought up. This is called espionage. Intelligence gathering including spying is millennia old, in fact you could even say it is part of ingrained human behavior to find out what other people are doing. Espionage and sabotage are part and parcel of war, but they are distinctly separate from combat, despite whatever changes have evolved in their methods.
What I see as a possible turning point in the security world is when we reach the point where products start to become more secure, and the barriers to attack continue to grow significantly. Just as the safety of automobiles and commercial aircraft has steadily increased over time, to the point that ever more sophisticated measures are being developed to achieve the next gain in safety. It is happening in the network security field, albeit much more slowly. One could say that the field is not yet mature.
The gain in security will have to be precipitated by a change in the design philosophy to make products that perform in a secure manner to provide their users privacy, authenticity, anonymity, ensure availability of the service, etc., as appropriate.
This is not how it is today. But I can see a day when your television remote contains onboard cryptography, properly implemented to protect against replay attacks (with an event counter). I'll give extra credit for designing against man in the middle (using a PIN displayed on screen, a physical connector or TOFU model to authenticate the initial synchronization), protecting anonymity by ensuring that observers cannot continuously identify a specific TV remote (don't broadcast plaintext serial numbers, for one, unless you rotate them automatically), and even better, ensuring that a passive observer cannot identify the speaker as a television remote (to protect against information disclosure that suggests a person is present inside the home).
In the United States pin tumbler "bump me!" deadbolts are still standard, so we probably have a long way to go. But it wasn't long ago that computers didn't have passwords, and doors weren't commonly locked.
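As an added illustration of the remote-control design sketched in the comment above (example code, not from the post or from any commenter), the following Python models the two concrete mechanisms it names: a strictly increasing event counter that defeats replay, and a per-press rotating identifier so a passive observer cannot link frames to one remote. It uses only HMAC-SHA256 from the standard library. The pairing step (PIN on screen or TOFU) is not implemented; the shared `pairing_key` is assumed to have come out of it. The names `Remote`, `TV`, `WINDOW` and the frame layout are the example's own.

```python
"""Replay-resistant, pseudonymous remote-control frames (added example)."""
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 8      # rotating pseudonym prepended to every frame
MAC_LEN = 16     # truncated HMAC-SHA256 authentication tag
CMD_LEN = 4      # fixed command size so frame length leaks nothing
WINDOW = 16      # lost presses tolerated before the pair desynchronises


def _prf(key: bytes, label: bytes, counter: int, n: int) -> bytes:
    """HMAC-SHA256 used as a PRF: n bytes bound to (label, counter)."""
    out = b""
    block = 0
    while len(out) < n:
        msg = label + struct.pack(">QI", counter, block)
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]


def derive_subkeys(pairing_key: bytes) -> dict:
    """Independent keys for identity rotation, encryption and authentication."""
    return {lbl: hmac.new(pairing_key, lbl, hashlib.sha256).digest()
            for lbl in (b"id", b"enc", b"mac")}


class Remote:
    def __init__(self, pairing_key: bytes):
        self.k = derive_subkeys(pairing_key)
        self.counter = 0          # event counter, strictly increasing

    def press(self, command: bytes) -> bytes:
        if len(command) != CMD_LEN:
            raise ValueError("commands are fixed-length")
        self.counter += 1
        c = self.counter
        tag = _prf(self.k[b"id"], b"tag", c, TAG_LEN)         # fresh pseudonym per press
        keystream = _prf(self.k[b"enc"], b"ks", c, CMD_LEN)  # one-time keystream for c
        ct = bytes(a ^ b for a, b in zip(command, keystream))
        mac = hmac.new(self.k[b"mac"], struct.pack(">Q", c) + tag + ct,
                       hashlib.sha256).digest()[:MAC_LEN]
        return tag + ct + mac     # the counter itself is never transmitted


class TV:
    def __init__(self, pairing_key: bytes):
        self.k = derive_subkeys(pairing_key)
        self.last = 0             # highest counter accepted so far

    def receive(self, frame: bytes):
        """Return the decrypted command, or None for a replay, a forgery,
        or a frame from an unknown remote."""
        if len(frame) != TAG_LEN + CMD_LEN + MAC_LEN:
            return None
        tag = frame[:TAG_LEN]
        ct = frame[TAG_LEN:TAG_LEN + CMD_LEN]
        mac = frame[TAG_LEN + CMD_LEN:]
        # Recover the counter by trying the next WINDOW pseudonyms. Counters
        # at or below self.last are never tried, which is what defeats replay.
        for c in range(self.last + 1, self.last + 1 + WINDOW):
            if not hmac.compare_digest(tag, _prf(self.k[b"id"], b"tag", c, TAG_LEN)):
                continue
            expect = hmac.new(self.k[b"mac"], struct.pack(">Q", c) + tag + ct,
                              hashlib.sha256).digest()[:MAC_LEN]
            if not hmac.compare_digest(mac, expect):
                return None       # pseudonym matched but content was tampered
            self.last = c
            keystream = _prf(self.k[b"enc"], b"ks", c, CMD_LEN)
            return bytes(a ^ b for a, b in zip(ct, keystream))
        return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # assumed output of the PIN/TOFU pairing step
    remote, tv = Remote(key), TV(key)
    f1 = remote.press(b"VOL+")
    print(tv.receive(f1))           # b'VOL+'
    print(tv.receive(f1))           # None: replay of a valid frame is rejected
```

Two points worth noticing. The counter is recovered from the rotating tag rather than sent in the clear, so an eavesdropper sees neither a serial number nor a sequence number, only fixed-length frames whose leading bytes change every press. The price is the lookahead window: if more than `WINDOW` presses are lost (remote used out of range, battery swap with counter reset), the pair desynchronises and a real design needs a resync or re-pair path, which is exactly where the PIN or TOFU step the comment mentions would be reused. Hiding that the transmitter is a remote at the radio level (timing, modulation, power) is outside what any framing scheme can do.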
I've long argued that at the root of issue one and two is society's inability to deal effectively with the free rider problem.
Recently, I've come to wonder if there isn't a biological/evolutionary basis for this. Maybe there is something innate about the fear of parasites.
Second, the issue of data retention by LEAs is complex. The following is a lengthy discussion of the topic. The takeaway is that LEAs are all for data retention when the data is about you but don't want to retain any data when that data references anything they do. That's not a shocking position for them to take but it goes to show that data retention (or lack thereof) is a two-edged sword.
@ Martin Budden
Stuxnet is a real life cyberweapon threat because the US or Israel released it into the wild. DoD gets to wreck Iranian gas centrifuges and DHS gets an example of a real life "cyberweapon" to point at. It's called a two-fer...
What you've listed are political threats, not cyber threats.
I agree. The "threat" of "cyberweapons" is vastly overblown.
Even the poster child for the concept, stuxnet, only seems to have slowed down the Iranian nuclear program.
And if they had been following basic computer security processes, that wouldn't even have happened.
But they make great stories because anyone can fantasize about how "dangerous" they "could be" if the "bad guys" had them.
Which leads to lots of money going in projects researching / developing them.
And, strangely, NO money going into projects to harden our own systems so we don't lose money to on-line fraud TODAY.
And I think that that is the best way to tell that it is a sham. Lots of talk about the "threat". Lots of money going into making "weapons". But NOTHING happening in defense or mitigation.
If you look at real weapons development, you'll see that defense is also a segment. Improved helmets, body armour, etc. But not with "cyberweapons". Not from any of the "agencies" (foreign and domestic) that are supposed to be involved.
I came to write essentially the same thing, just less elegantly. :) You nailed it.
Remember, the scariest aspect of nuclear weapons is not their existence (which is frightening enough), but the utter lack of accountability for their control and use by many nuclear powers... let alone potential nongovernmental actors. If you really feel a need to not sleep for a few days, just read any of the recent evaluations of the purported "control systems" for nuclear weapons in Pakistan and India.
Things will be (and, for that matter, already are) worse with cyberweapons that do not cause immediate and persistent visible damage to property than for nuclear weapons that do. Worse, developing an effective cyberweapon is a lot easier (in the sense of required resource inputs) than either enriching uranium or designing, building, and maintaining a klystron triggering system...
My concern is three, as far as geopolitical threats attached to computers go. But, I do not think it is "cyberwar". It is business. There is a ton of money for nations and corporations they control to operate like organized crime and engage in rampant corporate (and national) espionage and sabotage.
A lot of money. And a lot of easy money.
Historical trends support that this has been an easy money maker for nations, and with computers it is so much easier than ever to spy and steal.
They have not even begun to tap into the enormous potential there. They have been, however, making a ton of money through intellectual theft via hacking, corporate manipulation, and so on.
"Cyberwar" metaphor plays out "winner" and "loser" or MAD... destruction. But in nation based corporate espionage, it is about money. Information. Technology. Control.
It is also about your team winning, so patriotism or loyalty figure into that game.
But, then, this is one reason people get into organized "criminal" type shadow groups. They want to be a part of something and belong.
It is not about "politically motivated attacks". It is about nation based corporate espionage, sabotage, and control (manipulation).
And that is heavily ongoing.
I am not sure how anyone can chalk up all the news articles and exposures on these matters as fear based political propaganda.
That stuff is only "the tip of the iceberg".
Normally, such activity when caught does not go to the media.
The claim that the three threats Bruce outlines are "not cyber but political" is inane. It can only be true if one accepts a radical distinction between 'cyber' and 'politics'. Cyberspace is a social space and social space to the extent it is organized is political space. So in both practical and pragmatic terms political threats are cyber threats.
If you are not worried about cyberwar, because there is a "DOD Cybersecurity Strategy"?
INFOWARCON CYBER 2011: http://www.crows.org/details/...
Thank you very much for your response. Best Regards.
To be short: with this post, and many others, you do honor, as a moral human being, computer science, and information society.
Don't stop the fight.
Big Data would be used as a back door to socially engineer around the locks on the front.
Stuxnet is a 'shiny' - darling child of "cyberweapon" groupies.
Large botnets with dynamic c&c could be a more dangerous and persistent threat.
In answer to the above, yes, I do acknowledge there are real threats and serious attacks against networks. What I don't buy is the idea of two nation states using special cyberweapons to carry off sensationalist attacks while being able to readily attribute the attacks to each other.
'The claim that the three threats Bruce outlines are "not cyber but political" is inane.'
I didn't quite claim that, but 'cyberwar' doesn't exist in isolation. Sometimes it's another dimension of conventional warfare, sometimes it's part of some other conflict. It's always accompanied some real-world event.
Look at how the whole Wikileaks/Anonymous thing played out - the US Government pressured Amazon and PayPal into denying services to Wikileaks. Anonymous responded with DDoS.
Then there were the attacks against Sony, which started after Sony tried suing a bloke for modding his own PlayStation.
As for terms, I propose it's not really "cyberwar" unless government property is being destroyed, citizens of the targeted country are being killed, or a nation state is justified in using deadly force to terminate an attack or to forestall others.
An excellent list of mainly self-inflicted security issues. Let me add one more:
"Consumerization of computing systems" ie in their zeal to make things 'more simple' for the consumer, vendors are removing the locks from their platforms and (re)opening them to attack.
I agree. And, by way of comparison, look at real war footage (documentaries are good) and compare the scenes you see there to the scenes of someone clearing "mal-ware" off of a server or writing "mal-ware".
"Cyberwar" is hype. It is only indicative of a marketing campaign (not a military campaign).
"Cyberweapon" is hype. Viruses / worms / trojans have been around for years. Currently they are FAR more of a threat from criminals after your money than from nation-states / terrorists.
The criminal threat is KNOWN and DEMONSTRABLE.
Yet none of the "research" is doing anything to mitigate that threat.
Which means that the "research" itself is nothing more than hype.
Bruce - I attended this session (it actually was at the "Information Security Forum") and agree with your assessment. Although I would add/modify a root cause: political entities becoming more and more paranoid about the importance of "this Internet thing". I never thought I'd miss the days when our president only vaguely knew about "the Google on the Internets".
I think political entities have not just been paranoid about this "internet thing" for a better part of the first decade of our century but they have also built an infrastructure that utilizes it for policing.
In a recent article about Facebook cookie handling an FB spokesperson says that "we don’t sell people’s information" (Facebook answers privacy flap over leftover cookies, http://www.physorg.com/news/...
They may not sell it but they do give it away at least to the U.S. government to be used for data and social network analysis through the software at Fusion Centers.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.