Tag: cybersecurity

Fact-Checking “Cyberwar”

Wired’s Ryan Singel has given a read to Cyberwar, the new cybersecurity book by Richard Clarke and Robert Knake. (I picked out a potential example of actual cyberwarfare in a Glenn Reynolds review of the book last week.)

Singel—a journalist who has been a sophisticated reporter of computer security issues for years now—is not impressed with the book or the reviews it has gotten. In his review, Richard Clarke’s Cyberwar: File Under Fiction, he writes:

So much of Clarke’s evidence is either easily debunked with a Google search, or so defies common sense, that you’d think reviewers of the book would dismiss it outright. Instead, they seem content to quote the book liberally and accept his premise that cyberwar could flatten the United States, and no one in power cares at all. Of course, the debunking would be easier if the book had footnotes or endnotes, but neither are included — Revelation doesn’t need sources.

It’s brief enough, and refreshing enough. I say read the whole thing.

Sober assessments of computer, network, and data security are far less interesting than the thrillers that would drive Washington policymakers to overreact. This report in Government Computer News, for example, relates the findings of a recent Symantec report on threats to government systems and gives reason to settle down about cyberthreats from China.

China was the top country of origin for attacks against the government sector in 2009, accounting for 14 percent of the total, but too much should not be read into that statistic. The apparent country of origin says little about who actually is behind an attack, said Dean Turner, director of Symantec’s Global Intelligence Network.

China’s ranking is due primarily to the large number of computers in the country, Turner said. Less than a quarter of attacks originating in China were directed at government targets, while more than 48 percent of attacks from Brazil — No. 3 on the hit list — were directed at government. This makes it unlikely that China is specifically targeting government systems.

Compromised computers that are the apparent source of attacks often are controlled from elsewhere, and an attack apparently emanating from China does not necessarily mean that the Chinese government, or even anyone in China, is behind it. Attribution of attacks is notoriously difficult, and statistics do not necessarily indicate that the United States is under cyberattack by China. In fact, the United States ranked second in origin of government attacks in 2009, accounting for 11 percent.

(Symantec is a vendor to governments, so naturally prone to threat inflation itself. GCN reporter William Jackson deserves credit for the sobriety of the story.)

Cybersecurity-related fearmongering could drive unnecessary dischord between the United States and China, leading to actual conflict where none is warranted. Singel again:

[A]rtists of exaggeration … seem to think spinning tall tales is the only way to make bureaucracies move in the right direction. But yelling “Cyberwar” in a crowded internet is not without consequence. Not only does it promote unnecessary fear, it feeds the forces of parochial nationalism and militarism — undermining a communications system that has arguably done more to connect the world’s citizens than the last 50 years of diplomacy.

An Actual Example of “Cyberwarfare”

The good thing about this review of the book “Cyber War” by Richard Clarke and Robert Knake is that it actually mentions attacks on computing and communications during warfare.

Messrs. Clarke and Knake are convinced that an Israeli air strike in 2007 against a secret North Korean-designed nuclear facility being constructed in the Syrian desert was a textbook case of cyber-aided warfare. Israeli computers “owned” Syria’s elaborate air defenses, the authors say, “ensuring that the enemy could not even raise its defenses.”

That might actually be “cyberwarfare.”

The rest of the review, and presumably the book, is threat exaggeration and distortion, wrongly characterizing the wide variety of security issues pertaining to computers, communications, and data as having to do with “war.”

Washington Rakes in the Money

The Washington Post launches a new weekly today, Capital Business, covering business in the Washington area. The cover of the first edition is striking:

As the cover line exults, “There’s a wave of government money headed our way – bringing opportunities in health care, green energy, cybersecurity and education.” Of course, it’s not actually “government money” – it’s money taxed or borrowed from those who produce it in the 50 states and then sprinkled liberally around the Washington area, which now contains 6 of the 10 richest counties in America.

If the Capital Business cover image had a few more arms, it would look like the logo for this year’s Cato University, “Confronting Grasping Government”:

Sick of ‘Cyber’

NPR is running a series of stories on “cybersecurity,” prompting some to express their exasperation with cybertouting of cyberthreats.

Some of my cyberefforts on that cyberscore are cyberhere, cyberhere, and cyberhere. CyberBen CyberFriedman has written cyberthis and cyberthis.

Sick of “cyber” yet? Good.

Securing computers, networks, and data is important. But there’s no such thing as cyberterrorism, “cyberwar” is what might occur in computing and communications during an actual war, and the bulk of the work is, as Bruce Schneier puts it, boring:

Securing our networks doesn’t require some secret advanced NSA technology. It’s the boring network security administration stuff we already know how to do: keep your patches up to date, install good anti-malware software, correctly configure your firewalls and intrusion-detection systems, monitor your networks.

How Can We Be at Cyberwar if We Don’t Know What It Is?

Brilliant column from William Jackson on GCN.com debunking “cyberwar”:

“The United States is fighting a cyberwar today and we are losing it,” former National Security Agency chief and national intelligence director Mike McConnell wrote in a recent op-ed column in the Washington Post. “It’s that simple.”

It is neither simple nor true. Failure to distinguish between real acts of war and other malicious behavior not only increases the risks of war, but also distracts us from more immediate threats such as online crime.

The habit of threat inflation is harmful to the country. Jackson’s welcome take on “cyber” threats earns an accolade I rarely give out: Read the whole thing.

Is the Threat of Cyberattack Growing?

The New York Times dutifully reports that the Director of National Intelligence says it is. But it’s hard to know what that means. The word “cyberattack” has no usefully fixed definition.

And the important questions—plural—include: 1) whether cyberattacks—plural—are growing in number and sophistication more quickly than the capability of infrastructure owners to fend them off and recover from them; 2) which, if any, owners lack incentives to secure their infrastructure and what security externalities they might create; and 3) what levers—such as contract liability, tort liability, or regulation—might correct any such market failures.

Some lines in Director Blair’s statement are quite telling. Compare this:

Terrorist groups and their sympathizers have expressed interest in using cyber means to target the United States and its citizens.

to this:

The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders.

Now, which class of actors are you going to worry about—the ones that dream of doing something bad? Or the ones that have the sophistication to do something bad? Probably the latter.

While calling for a federal intelligence-community role in “cybersecurity,” Blair confesses that this is more of a crime problem that the business sector needs to handle than a true national security issue in which the leading role would be played by government.

The good news is that crime syndicates don’t prosper by killing their hosts. Don’t look for catastrophic failure of our technical infrastructures arising from this most serious of “cyber” threats.

There’s no question that cybersecurity is important. But it’s also manageable. I shared my thoughts on “cybersecurity” last year with the House Science Committee.