Entries Tagged "fear"

Page 7 of 23

Book Review: Cyber War

Cyber War: The Next Threat to National Security and What to do About It by Richard Clarke and Robert Knake, HarperCollins, 2010.

Cyber War is a fast and enjoyable read. This means you could give the book to your non-techy friends, and they’d understand most of it, enjoy all of it, and learn a lot from it. Unfortunately, while there’s a lot of smart discussion and good information in the book, there’s also a lot of fear-mongering and hyperbole as well. Since there’s no easy way to tell someone what parts of the book to pay attention to and what parts to take with a grain of salt, I can’t recommend it for that purpose. This is a pity, because parts of the book really need to be widely read and discussed.

The fear-mongering and hyperbole is mostly in the beginning. There, the authors describe the cyberwar of novels. Hackers disable air traffic control, delete money from bank accounts, cause widespread blackouts, release chlorine gas from chemical plants, and—this is my favorite—remotely cause your printer to catch on fire. It’s exciting and scary stuff, but not terribly realistic. Even their discussions of previous “cyber wars”—Estonia, Georgia, attacks against U.S. and South Korea on July 4, 2009—are full of hyperbole. A lot of what they write is unproven speculation, but they don’t say that.

Better is the historical discussion of the formation of the U.S. Cyber Command, but there are important omissions. There’s nothing about the cyberwar fear being stoked that accompanied this: by the NSA’s General Keith Alexander—who became the first head of the command—or by the NSA’s former director, current military contractor, by Mike McConnell, who’s Senior Vice President at Booz Allen Hamilton, and by others. By hyping the threat, the former has amassed a lot of power, and the latter a lot of money. Cyberwar is the new cash cow of the military-industrial complex, and any political discussion of cyberwar should include this as well.

Also interesting is the discussion of the asymmetric nature of the threat. A country like the United States, which is heavily dependent on the Internet and information technology, is much more vulnerable to cyber-attacks than a less-developed country like North Korea. This means that a country like North Korea would benefit from a cyberwar exchange: they’d inflict far more damage than they’d incur. This also means that, in this hypothetical cyberwar, there would be pressure on the U.S. to move the war to another theater: air and ground, for example. Definitely worth thinking about.

Most important is the section on treaties. Clarke and Knake have a lot of experience with nuclear treaties, and have done considerable thinking about how to apply that experience to cyberspace. The parallel isn’t perfect, but there’s a lot to learn about what worked and what didn’t, and—more importantly—how things worked and didn’t. The authors discuss treaties banning cyberwar entirely (unlikely), banning attacks against civilians, limiting what is allowed in peacetime, stipulating no first use of cyber weapons, and so on. They discuss cyberwar inspections, and how these treaties might be enforced. Since cyberwar would be likely to result in a new worldwide arms race, one with a more precarious trigger than the nuclear arms race, this part should be read and discussed far and wide. Sadly, it gets lost in the rest of the book. And, since the book lacks an index, it can be hard to find any particular section after you’re done reading it.

In the last chapter, the authors lay out their agenda for the future, which largely I agree with.

  1. We need to start talking publicly about cyber war. This is certainly true. The threat of cyberwar is going to consume the sorts of resources we shoveled into the nuclear threat half a century ago, and a realistic discussion of the threats, risks, countermeasures, and policy choices is essential. We need more universities offering degrees in cyber security, because we need more expertise for the entire gamut of threats.
  2. We need to better defend our military networks, the high-level ISPs, and our national power grid. Clarke and Knake call this the “Defensive Triad.” The authors and I disagree strongly on how this should be done, but there is no doubt that it should be done. The two parts of that triad currently in commercial hands are simply too central to our nation, and too vulnerable, to be left insecure. And their value is far greater to the nation than it is to the corporations that own it, which means the market will not naturally secure it. I agree with the authors that regulation is necessary.
  3. We need to reduce cybercrime. Even without the cyber warriors bit, we need to do that. Cybercrime is bad, and it’s continuing to get worse. Yes, it’s hard. But it’s important.
  4. We need international cyberwar treaties. I couldn’t agree more about this. We do. We need to start thinking about them, talking about them, and negotiating them now, before the cyberwar arms race takes off. There are all kind of issues with cyberwar treaties, and the book talks about a lot of them. However full of loopholes they might be, their existence will do more good than harm.
  5. We need more research on secure network designs. Again, even without the cyberwar bit, this is essential. We need more research in cybersecurity, a lot more.
  6. We need decisions about cyberwar—what weapons to build, what offensive actions to take, who to target—to be made as far up the command structure as possible. Clarke and Knake want the president to personally approve all of this, and I agree. Because of its nature, it can be easy to launch a small-scale cyber attack, and it can be easy for a small-scale attack to get out of hand and turn into a large-scale attack. We need the president to make the decisions, not some low-level military officer ensconced in a computer-filled bunker late one night.

This is great stuff, and a fine starting place for a national policy discussion on cybersecurity, whether it be against a military, espionage, or criminal threat. Unfortunately, for readers to get there, they have to wade through the rest of the book. And unless their bullshit detectors are already well-calibrated on this topic, I don’t want them reading all the hyperbole and fear-mongering that comes before, no matter how readable the book.

Note: I read Cyber War in April, when it first came out. I wanted to write a review then, but found that while my Kindle is great for reading, it’s terrible for flipping back and forth looking for bits and pieces to write about in a review. So I let the review languish. Finally, I borrowed a paper copy from my local library.

Some other reviews of the book Cyber War. See also the reviews on the Amazon page.

I wrote two essays on cyberwar.

Posted on December 21, 2010 at 7:23 AMView Comments

"Architecture of Fear"

I like the phrase:

Németh said the zones not only affect the appearance of landmark buildings but also reflect an ‘architecture of fear’ as evidenced, for example, by the bunker-like appearance of embassies and other perceived targets.

Ultimately, he said, these places impart a dual message—simultaneously reassuring the public while causing a sense of unease.

And in the end, their effect could be negligible.

“Indeed, overt security measures may be no more effective than covert intelligence techniques,” he said. “But the architecture aims to comfort both property developers concerned with investment risk and residents and tourists with the notion that terror threats are being addressed and that daily life will soon ‘return to normal.'”

My own essay on architecture and security from 2006.

EDITED TO ADD (1/13): Here’s the full paper. And some stuff from the Whole Building Design Guide site. Also see the planned U.S. embassy in London, which includes a moat.

Posted on December 20, 2010 at 5:55 AMView Comments

Close the Washington Monument

Securing the Washington Monument from terrorism has turned out to be a surprisingly difficult job. The concrete fence around the building protects it from attacking vehicles, but there’s no visually appealing way to house the airport-level security mechanisms the National Park Service has decided are a must for visitors. It is considering several options, but I think we should close the monument entirely. Let it stand, empty and inaccessible, as a monument to our fears.

An empty Washington Monument would serve as a constant reminder to those on Capitol Hill that they are afraid of the terrorists and what they could do. They’re afraid that by speaking honestly about the impossibility of attaining absolute security or the inevitability of terrorism—or that some American ideals are worth maintaining even in the face of adversity—they will be branded as “soft on terror.” And they’re afraid that Americans would vote them out of office if another attack occurred. Perhaps they’re right, but what has happened to leaders who aren’t afraid? What has happened to “the only thing we have to fear is fear itself”?

An empty Washington Monument would symbolize our lawmakers’ inability to take that kind of stand—and their inability to truly lead.

Some of them call terrorism an “existential threat” against our nation. It’s not. Even the events of 9/11, as horrific as they were, didn’t make an existential dent in our nation. Automobile-related fatalities—at 42,000 per year, more deaths each month, on average, than 9/11—aren’t, either. It’s our reaction to terrorism that threatens our nation, not terrorism itself. The empty monument would symbolize the empty rhetoric of those leaders who preach fear and then use that fear for their own political ends.

The day after Umar Farouk Abdulmutallab failed to blow up a Northwest jet with a bomb hidden in his underwear, Homeland Security Secretary Janet Napolitano said “The system worked.” I agreed. Plane lands safely, terrorist in custody, nobody injured except the terrorist. Seems like a working system to me. The empty monument would represent the politicians and press who pilloried her for her comment, and Napolitano herself, for backing down.

The empty monument would symbolize our war on the unexpected,—our overreaction to anything different or unusual—our harassment of photographers, and our probing of airline passengers. It would symbolize our “show me your papers” society, rife with ID checks and security cameras. As long as we’re willing to sacrifice essential liberties for a little temporary safety, we should keep the Washington Monument empty.

Terrorism isn’t a crime against people or property. It’s a crime against our minds, using the death of innocents and destruction of property to make us fearful. Terrorists use the media to magnify their actions and further spread fear. And when we react out of fear, when we change our policy to make our country less open, the terrorists succeed—even if their attacks fail. But when we refuse to be terrorized, when we’re indomitable in the face of terror, the terrorists fail—even if their attacks succeed.

We can reopen the monument when every foiled or failed terrorist plot causes us to praise our security, instead of redoubling it. When the occasional terrorist attack succeeds, as it inevitably will, we accept it, as we accept the murder rate and automobile-related death rate; and redouble our efforts to remain a free and open society.

The grand reopening of the Washington Monument will not occur when we’ve won the war on terror, because that will never happen. It won’t even occur when we’ve defeated al Qaeda. Militant Islamic terrorism has fractured into small, elusive groups. We can reopen the Washington Monument when we’ve defeated our fears, when we’ve come to accept that placing safety above all other virtues cedes too much power to government and that liberty is worth the risks, and that the price of freedom is accepting the possibility of crime.

I would proudly climb to the top of a monument to those ideals.

A version of this essay—there were a lot of changes and edits—originally appeared in the New York Daily News.

I wish I’d come up with the idea of closing the Washington Monument, but I didn’t. It was the Washington Post’s Philip Kennicott’s idea, although he didn’t say it with as much fervor.

Posted on December 2, 2010 at 10:41 AMView Comments

Brian Snow Sows Cyber Fears

That’s no less sensational than the Calgary Herald headline: “Total cyber-meltdown almost inevitable, expert tells Calgary audience.” That’s former NSA Technical Director Brian Snow talking to a university audience.

“It’s long weeks to short months at best before there’s a security meltdown,” said Snow, as a guest lecturer for the Institute for Security, Privacy and Information Assurance, an interdisciplinary group at the university dedicated to information security.

“Will a bank failure be the wake-up call before we act? It’s a global problem—not just the U.S., not just Canada, but the world.”

I know Brian, and I have to believe his definition of “security meltdown” is more limited than the headline leads one to believe.

Posted on December 2, 2010 at 7:06 AMView Comments

Airplane Terrorism Twenty Years Ago

Excellent:

Here’s a scenario:

Middle Eastern terrorists hijack a U.S. jetliner bound for Italy. A two-week drama ensues in which the plane’s occupants are split into groups and held hostage in secret locations in Lebanon and Syria.

While this drama is unfolding, another group of terrorists detonates a bomb in the luggage hold of a 747 over the North Atlantic, killing more than 300 people.

Not long afterward, terrorists kill 19 people and wound more than a hundred others in coordinated attacks at European airport ticket counters.

A few months later, a U.S. airliner is bombed over Greece, killing four passengers.

Five months after that, another U.S. airliner is stormed by heavily armed terrorists at the airport in Karachi, Pakistan, killing at least 20 people and wounding 150 more.

Things are quiet for a while, until two years later when a 747 bound for New York is blown up over Europe killing 270 passengers and crew.

Nine months from then, a French airliner en route to Paris is bombed over Africa, killing 170 people from 17 countries.

That’s a pretty macabre fantasy, no? A worst-case war-game scenario for the CIA? A script for the End Times? Except, of course, that everything above actually happened, in a four-year span between 1985 and 1989.

Refuse to be terrorized, everyone.

Posted on November 18, 2010 at 12:19 PMView Comments

Securing the Washington Monument

Good article on security options for the Washington Monument:

Unfortunately, the bureaucratic gears are already grinding, and what will be presented to the public Monday doesn’t include important options, including what became known as the “tunnel” in previous discussions of the issue. Nor does it include the choice of more minimal visitor screening—simple wanding or visual bag inspection—that might not require costly and intrusive changes to the structure. The choice to accept risk isn’t on the table, either. Finally, and although it might seem paradoxical given how important resisting security authoritarianism is to preserving the symbolism of freedom, it doesn’t take seriously the idea that perhaps the monument’s interior should be closed altogether—a small concession that might have collateral benefits.

[…]

Closing the interior of the monument, the construction of which was suspended during the Civil War, would remind the public of the effect that fears engendered by the current war on terrorism have had on public space. Closing it as a symbolic act might initiate an overdue discussion about the loss of even more important public spaces, including the front entrance of the Supreme Court and the west terrace of the Capitol. It would be a dramatic reminder of the choices we as a nation have made, and perhaps an inspiration to change our ways in favor of a more open, risk-tolerant society that understands public space always has some element of danger.

EDITED TO ADD (11/15): More information on the decision process.

Posted on November 10, 2010 at 7:09 AMView Comments

Halloween and the Irrational Fear of Stranger Danger

From the Wall Street Journal:

Take “stranger danger,” the classic Halloween horror. Even when I was a kid, back in the “Bewitched” and “Brady Bunch” costume era, parents were already worried about neighbors poisoning candy. Sure, the folks down the street might smile and wave the rest of the year, but apparently they were just biding their time before stuffing us silly with strychnine-laced Smarties.

That was a wacky idea, but we bought it. We still buy it, even though Joel Best, a sociologist at the University of Delaware, has researched the topic and spends every October telling the press that there has never been a single case of any child being killed by a stranger’s Halloween candy. (Oh, yes, he concedes, there was once a Texas boy poisoned by a Pixie Stix. But his dad did it for the insurance money. He was executed.)

Anyway, you’d think that word would get out: poisoned candy not happening. But instead, most Halloween articles to this day tell parents to feed children a big meal before they go trick-or-treating, so they won’t be tempted to eat any candy before bringing it home for inspection.

[…]

Then along came new fears. Parents are warned annually not to let their children wear costumes that are too tight—those could seriously restrict breathing! But not too loose either—kids could trip! Fall! Die!

Treating parents like idiots who couldn’t possibly notice that their kid is turning blue or falling on his face might seem like a losing proposition, but it caught on too.

Halloween taught marketers that parents are willing to be warned about anything, no matter how preposterous, and then they’re willing to be sold whatever solutions the market can come up with. Face paint so no mask will obscure a child’s vision. Purell, so no child touches a germ. And the biggest boondoggle of all: an adult-supervised party, so no child encounters anything exciting, er, “dangerous.”

I remember one year when I filled a few Pixie Stix with garlic powder. But that was a long time ago.

EDITED TO ADD (11/2): Interesting essay:

The precise methods of the imaginary Halloween sadist are especially interesting. Apples and home goods occasionally appear in the stories, but the most common culprit is regular candy. This crazed person would purchase candy, open the wrapper, and DO SOMETHING to it, something that would be designed to hurt the unsuspecting child. But also something that would be sufficiently obvious and clumsy that the vigilant parent could spot it (hence the primacy of candy inspection).

The idea that someone, even a greedy child, might consume candies hiding razor blades and needles without noticing seems to strain credulity. And how, exactly, a person might go about coating a jelly bean with arsenic or lacing a molasses chew with Drano has never been clear to me. Yet it is an undisputed fact of Halloween hygiene: Unwrapped candy is the number-one suspect. If Halloween candy is missing a wrapper, or if the wrapper seems loose or flimsy, the candy goes straight into the trash.

Here is where I think we can discover some deeper meanings in the myth of the Halloween sadist. It’s all about the wrappers.

Wrappers are like candy condoms: Safe candy is candy that is covered and sealed. And not just any wrapper will do. Loose, casual, cheap wrappers, the kind of wrappers one might find on locally produced candies or non-brand-name candies, are also liable to send candy to Halloween purgatory. The close, tight factory wrapper says “sealed for your protection.” And the recognized brand name on the wrapper also lends a reassuring aura of corporate responsibility and accountability. It’s a basic axiom of consumer faith: The bigger the brand, the safer the candy.

Ironic, since we know that the most serious food dangers are those that originate from just the kind of large-scale industrial food processing environments that also bring us name-brand, mass-market candies. Salmonella, E. coli, and their bacterial buddies lurking in bagged salads and pre-formed hamburger patties are real food dangers; home-made cookies laced with ground glass are not.

EDITED TO ADD (11/11): Wondermark comments.

Posted on October 31, 2010 at 10:02 AMView Comments

The Ineffectiveness of Vague Security Warnings

From Slate:

We do nothing, first and foremost, because there is nothing we can do. Unless the State Department gets specific—­e.g., “don’t go to the Eiffel Tower tomorrow”—information at that level of generality is completely meaningless. Unless we are talking about weapons of mass destruction, the chances of being hit by a car while crossing the street are still greater than the chances of being on the one plane or one subway car that comes under attack. Besides, nobody living or working in a large European city (or even a small one) can indefinitely avoid coming within close proximity of “official and private” structures affiliated with U.S. interests—­a Hilton hotel, an Apple computer store­—not to mention subways, trains, airplanes, boats, and all other forms of public transportation.

Second, we do nothing because if the language is that vague, nobody is really sure why the warning has been issued in the first place. Obviously, if the U.S. government knew who the terrorists were and what they were going to attack, it would arrest them and stop them. If it can’t do any better than “tourist infrastructure” and public transportation, it doesn’t really know anything at all.

[…]

In truth, the only people who can profit from such a warning are the officials who have issued it in the first place. If something does happen, they are covered. They warned us, they told us in advance, they won’t be criticized or forced to resign. And if nothing happens, we’ll all forget about it anyway.

Except that we don’t forget about it. Over time, these enigmatic warnings do al-Qaida’s work for them, scaring people without cause. Without so much as lifting a finger, Osama Bin Laden disrupts our sense of security and well-being. At the same time, they put the U.S. government in the position of the boy who cried wolf. The more often general warnings are issued, the less likely we are to heed them. We are perhaps unsettled or unnerved, but we don’t know what to do. So we do nothing­—and wish that we’d been told nothing, as well.

I wrote much the same thing in 2004, about the DHS’s vague terrorist warnings and the color-coded threat advisory system.

EDITED TO ADD (10/13): Another article.

Posted on October 8, 2010 at 12:49 PMView Comments

Monitoring Employees' Online Behavior

Not their online behavior at work, but their online behavior in life.

Using automation software that slogs through Facebook, Twitter, Flickr, YouTube, LinkedIn, blogs, and “thousands of other sources,” the company develops a report on the “real you”—not the carefully crafted you in your resume. The service is called Social Intelligence Hiring. The company promises a 48-hour turn-around.

[…]

The reports feature a visual snapshot of what kind of person you are, evaluating you in categories like “Poor Judgment,” “Gangs,” “Drugs and Drug Lingo” and “Demonstrating Potentially Violent Behavior.” The company mines for rich nuggets of raw sewage in the form of racy photos, unguarded commentary about drugs and alcohol and much more.

The company also offers a separate Social Intelligence Monitoring service to watch the personal activity of existing employees on an ongoing basis…. The service provides real-time notification alerts, so presumably the moment your old college buddy tags an old photo of you naked, drunk and armed on Facebook, the boss gets a text message with a link.

This is being sold using fear:

…company spokespeople emphasize liability. What happens if one of your employees freaks out, comes to work and starts threatening coworkers with a samurai sword? You’ll be held responsible because all of the signs of such behavior were clear for all to see on public Facebook pages. That’s why you should scan every prospective hire and run continued scans on every existing employee.

In other words, they make the case that now that people use social networks, companies will be expected (by shareholders, etc.) to monitor those services and protect the company from lawsuits, damage to reputation, and other harm.

Posted on October 4, 2010 at 6:31 AMView Comments

Parental Fears vs. Realities

From NPR:

Based on surveys Barnes collected, the top five worries of parents are, in order:

  1. Kidnapping
  2. School snipers
  3. Terrorists
  4. Dangerous strangers
  5. Drugs

But how do children really get hurt or killed?

  1. Car accidents
  2. Homicide (usually committed by a person who knows the child, not a stranger)
  3. Abuse
  4. Suicide
  5. Drowning

Why such a big discrepancy between worries and reality? Barnes says parents fixate on rare events because they internalize horrific stories they hear on the news or from a friend without stopping to think about the odds the same thing could happen to their children.

No surprise to any regular reader of this blog.

Posted on September 8, 2010 at 6:06 AMView Comments

1 5 6 7 8 9 23

Sidebar photo of Bruce Schneier by Joe MacInnis.