Schneier on Security
February 28, 2012
"Cyberwar Is the New Yellowcake"
Good essay on the dangers of cyberwar rhetoric -- and the cyberwar arms race.
Posted on February 28, 2012 at 6:43 AM
Welcome to the permanent state of emergency.
Cyberwar is essentially undefined. The term is bandied about by government wonks to justify expansion of the military into the cyber. The internet/cyber is not any nation's asset. We have nearly 400 years of international agreement and law defining war. By extending these existing principles, we can conclude that war can't be conducted within cyber by militaries and nation states. What can be done falls mostly under the categories of cyber unlawful combatant, cyber spies, cyber pirates and cyber criminals. Much of what is being prognosticated as potential cyber catastrophe would be self-defeating: why would pirates/anarchists (e.g. Anonymous) take down the internet or power grids when that is the medium they use to accomplish their goals? Why destroy a computer (or a city) when you can steal its secrets and monies? Morgan, Teach and Tew knew that 300 years ago. A few of the problems are that we discuss war in terms of cyber, which leads to meaningless postulations. Terrorism is practically undefined (by the vast plethora of competing definitions, at least), and 'cyberwar' is no less undefined. We, as the infosec leadership, should promote definitions of cyber espionage, crime, piracy, as well as the demilitarization of the internet: an international agreement on the law of the cyber as much as we have such on the law of the seas.
But cyber-vandalism and cyber-collateral damage may well be a problem.
Our municipality just installed a new water treatment plant.
We didn't bother to fit advanced air defense to protect it from Russian bombers.
But I suspect it also doesn't have much defense against a random for-fun hacker or from its SCADA systems being damaged by a virus/worm intended for a more interesting target.
Isn't OTT rhetoric how bills get passed?
It looks like legislation including FISMA updates might pass this year. See in particular The Cybersecurity Act of 2012, S. 2105. Discussion and link to text of the bill here:
There's a lot of stuff about education, training and research in the Bill and some tweaks to FISMA. This has been years in the making. The documentation of controls and risk management processes that has been coming out of NIST for years all seems to be fairly sensible. The bureaucratic stuff that gets wrapped around it may be another matter. The part in the new bill that appears to be getting push back from industry is the following:
"The Cybersecurity Act of 2012 would require: The Department of Homeland Security to assess the risks and vulnerabilities of critical infrastructure systems – whose disruption from a cyber attack would cause mass death, evacuation, or major damage to the economy, national security, or daily life – to determine which should be required to meet a set of risk-based security standards." (from link above).
And there's money being allocated for this:
Federal Chief Information Officer Steven VanRoekel: "The president's budget for 2013 proposes a $769 million increase to support the national cybersecurity division at DHS."
The increased involvement of DHS and the extension to private industry seems to be new. Existing Federal oversight (i.e. of Federal infrastructure and Federal contractors) comes through OIGs, OMB, GAO, etc.
Assuming we are reasonably attentive and knowledgeable infosec pros, we are aware of the vulnerability of such infrastructures. I have actually worked on securing SCADA (ICS actually). If it is important, it should be isolated. Apparently even the Iranian nuclear program was infected by a virus.... However, there are two problems with promoting this as a reasonable fear. Firstly, it requires a high skill level that common 'terrorists' probably don't have (although disgruntled employees could and have committed - which I recall was noted in this column previously). Secondly, it would likely need to be highly targeted and thus not likely to cause widespread panic or problems: while taking down the water or waste treatment in a city might be significant to that locality, it is not at all likely to cause impact outside of that locality. Note that even major multiple cataclysms at the Japan power plant didn't create significant issues beyond 10 or 20 miles (ok, maybe 50 or 100). Generic attacks, while achievable by even script kiddies, will be counterproductive to the sophisticated: DDOS means no one can access, so you can't steal money or data.
Hmm anyone remember "Red Mercury"?
It might be more appropriate than "yellow cake".
More on changing rhetoric of risk here:
Given Bruce's writing on the terrorist risk one wonders where Mueller pulls his threat assessments from. Compare terrorist events in the US last year with events involving the looting of government and corporate secrets, financial theft, etc. through hacking.
And, with all due respect (I've read the first attempt at the Cybersecurity Act), the premises for tasking DHS with internet security as noted in the Senate bill are largely faulty. Much of that is based on Cold War theories. The internet is no nation's territory. Now the widespread death, mayhem, panic, etc. does currently fall under DHS, which now owns FEMA. It is attempting to justify a bureaucracy. DHS's performance for what it was created to do is so poor, and now someone wants to task them with internet security? REALLY?
The source should be at:
and the S. 2015 (pdf):
Please read the testimonies from the hearing a couple weeks ago.
I would agree if we didn't have the example of Stuxnet.
The developers of Stuxnet chose to focus on a target with no civilian impact. Had they chosen to focus on one with more direct impact on daily life, I think we could very well experience something close to a WMD. Perhaps not nuclear grade, but quite bad.
It's not new, though. This kind of hype has been circulating at least since the first InfoWarCon. When was that, 1994?
I've said it before: the normal "laws" we use are based on fundamental assumptions that only apply in the real physical world, such as forces, the speed of light and locality.
Cyber is of the "intangible" information world, not the "tangible" physical world. Information can only cause us physical harm if we give it some way to apply a force on our physical world at some place and time.
We also have to accept that if we do allow intangible information to have a tangible effect in our physical world, we have to also accept that wherever this is allowed it can be used simultaneously at the choosing of just a single individual or even a programming "error" (as has been occasionally seen with software upgrades where time handling goes wrong on, say, the 29th of Feb, etc.).
This gives the concept of an "Army of one", but like voodoo it can only harm us if we allow it to.
From TFA: "The evidence they did provide—Iraq’s alleged pursuit of uranium “yellowcake” from Niger and its purchase of aluminum tubes allegedly meant for uranium enrichment centrifuges—was ultimately determined to be unfounded."
Just for the record, a couple years after Saddam's demise, Iraq sold 550 metric tons of surplus yellowcake to Canada.
It must be in the air.
Arquilla, John. 2012. "Cyberwar Is Already Upon Us." Foreign Policy, April. Retrieved February 28, 2012 (http://www.foreignpolicy.com/articles/2012/02/27/cyberwar_is_already_upon_us).
Also has link to 1993 article by the same author:
Cyberwar is Coming!
You might be implying that the post-invasion sale of Iraqi yellowcake to Canada supports the claim that Iraq was still pursuing the development of a nuclear weapon, shortly before the American attacks on Iraq. This claim has been extensively rebutted. A good summary with citations can be found at:
Does this mean Canada may have secret WMDs ?
(other than drunk hockey fans)
I have mixed reactions to Arquilla's article. First, he fails to note, in referring to the Spanish Civil War being the prototype for air war, that the air war was AGAINST CIVILIANS - anybody remember Picasso's Guernica? And that aggression has been refuted by the Geneva Convention. I do however agree with the Maginot line, for several reasons. I have been likening firewalls to Maginot's wall for over a decade. The article makes numerous references to what this cyberwar might be, none of which seem to be cohesive (the Estonian event, Iranian Stuxnet, Arab Spring, or ?). So again, we have conjecture without definition or analysis.
Okay, one of you programmers can code the card game war and put it online, and we call it cyberwar. I only want 10% for the idea. We could make Hundred$!
Thanks. Missed the fact that there was a related article in FP.
When I first saw this, I thought it was a headline from The Onion.
Funny. "Israeli cryptographer Adi Shamir (the S in RSA), speaking on the NSA vs. DHS debate, said the job of cybersecurity should be left to the experts at NSA: “I shudder to think that the same guys who are in charge of airport security are in charge of securing the Internet,” Shamir said. “Pretty soon we are going to be taking our shoes off when we enter the Internet.”"
Also from GCN: Marcus Ranum on Cyberwar:
Fuss over cyber war distracts from real threats, security pioneer says
New yellowcake, same as the old yellowcake
General Colin Powell and George W Bush can be proud of their accomplishments.
Three cheers for Adi; however, there are a variety of political and legal issues with tasking NSA with internet protection. The most challenging is probably the potential for surveilling US persons. OK, we're going off-topic here a bit... but this brings us back to what we need: a Secretary-level post to manage internet diplomacy and security (there have been several cyber 'czars' in the US, but it didn't really work out well).
FYI the same article by Rid cited in elReg (published in RUSI) is re-printed in FPMag. RUSI seems to be a UK version of US's FP more or less....
And one more comment aimed at the article quoting Marcus. He made a presentation on topic at the ISSA International in Baltimore last year. I disagreed with the core of his position, and let him know.
Hmmm, maybe I actually made points with him.....
So the game was right. There was no cake.