Tag: cyberwar

Why You Shouldn’t Believe the Cyber-War Hype

Constantine von Hoffman explains it on CIO.com:

Cyber war is not what the Chinese currently appear to be up to. That’s called spying. If you doubt it consider what Rep. Mike Rogers, chair of the House Intelligence Committee, said Sunday on one of those talk shows that no one outside of D.C. watches:

“They use their military and intelligence structure to [steal] intellectual property from American businesses, and European businesses, and Asian businesses, repurpose it and then compete in the international market against the United States.”

If stealing secrets is an act of war then America is currently at war with all of its allies.

That’s some crisp contrarianism, and I like the dig at D.C.’s self-importance.

At around the time I was reading this article yesterday, an email arrived in my inbox touting an upcoming book event on “Cyber Warfare: How Conflicts in Cyberspace Are Challenging America and Changing the World.”

Oh, there’s no shortage of challenges laid before all actors trying to secure computers, networks, and data, but don’t mistake the number of vulnerabilities or threats for the likelihood they will manifest themselves, or the consequence if they do. The “cyberwar” frame is inapt, and looking at cybersecurity through a geopolitical lens is not likely to produce policies that cost-effectively protect our wealth and values.

Friday Links

  • “PBS used to ask, ‘If not PBS, then who?’ The answer now is: HBO, Bravo, Discovery, History, History International, Science, Planet Green, Sundance, Military, C-SPAN 1/2/3 and many more.”
  • “The fiscal problem that is destroying U.S. economic confidence is not the fiscal balance, however. It is the level of government expenditures relative to GDP.”
  • “The Pentagon’s first cyber security strategy… builds on national hysteria about threats to cybersecurity, the latest bogeyman to justify our bloated national security state.”
  • “How ‘secure’ do our homes remain if police, armed with no warrant, can pound on doors at will and, on hearing sounds indicative of things moving, forcibly enter and search for evidence of unlawful activity?”
  • National debt is driving the U.S. toward a double-dip recession

OECD: ‘Cyberwar’ Overhyped

(HT: Schneier) Here’s a refreshingly careful report on cybersecurity from the Organization for Economic Cooperation and Development’s “Future Global Shocks” project. Notably: “The authors have concluded that very few single cyber-related events have the capacity to cause a global shock.” There will be no cyber-“The Day After.”

Here are a few cherry-picked top lines:

Catastrophic single cyber-related events could include: successful attack on one of the underlying technical protocols upon which the Internet depends, such as the Border Gateway Protocol which determines routing between Internet Service Providers and a very large-scale solar flare which physically destroys key communications components such as satellites, cellular base stations and switches. For the remainder of likely breaches of cybersecurity such as malware, distributed denial of service, espionage, and the actions of criminals, recreational hackers and hacktivists, most events will be both relatively localised and short-term in impact.

The vast majority of attacks about which concern has been expressed apply only to Internet-connected computers. As a result, systems which are stand-alone or communicate over proprietary networks or are air-gapped from the Internet are safe from these. However these systems are still vulnerable to management carelessness and insider threats.

Analysis of cybersecurity issues has been weakened by the lack of agreement on terminology and the use of exaggerated language. An “attack” or an “incident” can include anything from an easily-identified “phishing” attempt to obtain password details, a readily detected virus or a failed log-in to a highly sophisticated multi-stranded stealth onslaught. Rolling all these activities into a single statistic leads to grossly misleading conclusions. There is even greater confusion in the ways in which losses are estimated. Cyberespionage is not a “few keystrokes away from cyberwar”, it is one technical method of spying. A true cyberwar is an event with the characteristics of conventional war but fought exclusively in cyberspace.

The hyping of “cyber” threats—bordering on hucksterism—should stop. Many different actors have a good deal of work to do on securing computers, networks, and data. But there is no crisis, and the likelihood of any cybersecurity failure causing a crisis is extremely small.

Fact-Checking “Cyberwar”

Wired’s Ryan Singel has given a read to Cyberwar, the new cybersecurity book by Richard Clarke and Robert Knake. (I picked out a potential example of actual cyberwarfare in a Glenn Reynolds review of the book last week.)

Singel—a journalist who has been a sophisticated reporter of computer security issues for years now—is not impressed with the book or the reviews it has gotten. In his review, Richard Clarke’s Cyberwar: File Under Fiction, he writes:

So much of Clarke’s evidence is either easily debunked with a Google search, or so defies common sense, that you’d think reviewers of the book would dismiss it outright. Instead, they seem content to quote the book liberally and accept his premise that cyberwar could flatten the United States, and no one in power cares at all. Of course, the debunking would be easier if the book had footnotes or endnotes, but neither are included — Revelation doesn’t need sources.

It’s brief enough, and refreshing enough. I say read the whole thing.

Sober assessments of computer, network, and data security are far less interesting than the thrillers that would drive Washington policymakers to overreact. This report in Government Computer News, for example, relates the findings of a recent Symantec report on threats to government systems and gives reason to settle down about cyberthreats from China.

China was the top country of origin for attacks against the government sector in 2009, accounting for 14 percent of the total, but too much should not be read into that statistic. The apparent country of origin says little about who actually is behind an attack, said Dean Turner, director of Symantec’s Global Intelligence Network.

China’s ranking is due primarily to the large number of computers in the country, Turner said. Less than a quarter of attacks originating in China were directed at government targets, while more than 48 percent of attacks from Brazil — No. 3 on the hit list — were directed at government. This makes it unlikely that China is specifically targeting government systems.

Compromised computers that are the apparent source of attacks often are controlled from elsewhere, and an attack apparently emanating from China does not necessarily mean that the Chinese government, or even anyone in China, is behind it. Attribution of attacks is notoriously difficult, and statistics do not necessarily indicate that the United States is under cyberattack by China. In fact, the United States ranked second in origin of government attacks in 2009, accounting for 11 percent.

(Symantec is a vendor to governments, so naturally prone to threat inflation itself. GCN reporter William Jackson deserves credit for the sobriety of the story.)

Cybersecurity-related fearmongering could drive unnecessary discord between the United States and China, leading to actual conflict where none is warranted. Singel again:

[A]rtists of exaggeration … seem to think spinning tall tales is the only way to make bureaucracies move in the right direction. But yelling “Cyberwar” in a crowded internet is not without consequence. Not only does it promote unnecessary fear, it feeds the forces of parochial nationalism and militarism — undermining a communications system that has arguably done more to connect the world’s citizens than the last 50 years of diplomacy.

An Actual Example of “Cyberwarfare”

The good thing about this review of the book “Cyber War” by Richard Clarke and Robert Knake is that it actually mentions attacks on computing and communications during warfare.

Messrs. Clarke and Knake are convinced that an Israeli air strike in 2007 against a secret North Korean-designed nuclear facility being constructed in the Syrian desert was a textbook case of cyber-aided warfare. Israeli computers “owned” Syria’s elaborate air defenses, the authors say, “ensuring that the enemy could not even raise its defenses.”

That might actually be “cyberwarfare.”

The rest of the review, and presumably the book, is threat exaggeration and distortion, wrongly characterizing the wide variety of security issues pertaining to computers, communications, and data as having to do with “war.”

How Can We Be at Cyberwar if We Don’t Know What It Is?

Brilliant column from William Jackson on GCN.com debunking “cyberwar”:

“The United States is fighting a cyberwar today and we are losing it,” former National Security Agency chief and national intelligence director Mike McConnell wrote in a recent op-ed column in the Washington Post. “It’s that simple.”

It is neither simple nor true. Failure to distinguish between real acts of war and other malicious behavior not only increases the risks of war, but also distracts us from more immediate threats such as online crime.

The habit of threat inflation is harmful to the country. Jackson’s welcome take on “cyber” threats earns an accolade I rarely give out: Read the whole thing.