Tag: cybersecurity

Sick of ‘Cyber’

NPR is running a series of stories on “cybersecurity,” prompting some to express their exasperation with cybertouting of cyberthreats.

Some of my cyberefforts on that cyberscore are cyberhere, cyberhere, and cyberhere. CyberBen CyberFriedman has written cyberthis and cyberthis.

Sick of “cyber” yet? Good.

Securing computers, networks, and data is important. But there’s no such thing as cyberterrorism, “cyberwar” is what might occur in computing and communications during an actual war, and the bulk of the work is, as Bruce Schneier puts it, boring:

Securing our networks doesn’t require some secret advanced NSA technology. It’s the boring network security administration stuff we already know how to do: keep your patches up to date, install good anti-malware software, correctly configure your firewalls and intrusion-detection systems, monitor your networks.

How Can We Be at Cyberwar if We Don’t Know What It Is?

Brilliant column from William Jackson on GCN.com debunking “cyberwar”:

“The United States is fighting a cyberwar today and we are losing it,” former National Security Agency chief and national intelligence director Mike McConnell wrote in a recent op-ed column in the Washington Post. “It’s that simple.”

It is neither simple nor true. Failure to distinguish between real acts of war and other malicious behavior not only increases the risks of war, but also distracts us from more immediate threats such as online crime.

The habit of threat inflation is harmful to the country. Jackson’s welcome take on “cyber” threats earns an accolade I rarely give out: Read the whole thing.

Is the Threat of Cyberattack Growing?

The New York Times dutifully reports that the Director of National Intelligence says it is. But it’s hard to know what that means. The word “cyberattack” has no usefully fixed definition.

And the important questions—plural—include: 1) whether cyberattacks—plural—are growing in number and sophistication more quickly than the capability of infrastructure owners to fend them off and recover from them; 2) which, if any, owners lack incentives to secure their infrastructure and what security externalities they might create; and 3) what levers—such as contract liability, tort liability, or regulation—might correct any such market failures.

Some lines in Director Blair’s statement are quite telling. Compare this:

Terrorist groups and their sympathizers have expressed interest in using cyber means to target the United States and its citizens.

to this:

The cyber criminal sector in particular has displayed remarkable technical innovation with an agility presently exceeding the response capability of network defenders.

Now, which class of actors are you going to worry about—the ones that dream of doing something bad? Or the ones that have the sophistication to do something bad? Probably the latter.

While calling for a federal intelligence-community role in “cybersecurity,” Blair confesses that this is more of a crime problem that the business sector needs to handle than a true national security issue in which the leading role would be played by government.

The good news is that crime syndicates don’t prosper by killing their hosts. Don’t look for catastrophic failure of our technical infrastructures arising from this most serious of “cyber” threats.

There’s no question that cybersecurity is important. But it’s also manageable. I shared my thoughts on “cybersecurity” last year with the House Science Committee.

House to Get its Own House in Order

The headline strikes fear: “House Takes Steps to Boost Cybersecurity,” says the Washington Post.

What boondoggle are they embarking on now?

Cybersecurity is hundreds of different problems that should be handled by thousands of different actors. The federal government is in no position to “fix” cybersecurity, as I testified in the House Science Committee earlier this year.

But this is a good news story. Realizing that its own cybersecurity practices are not up to snuff, the House of Representatives will be ramping up training for its staff.

Better awareness of the ins and outs of securing computers, data, and networks will disincline Congress to undertake a rash, sweeping “overhaul” of the systems and incentives that produce and advance cybersecurity.

Lock It Down, Centralize It, Federalize It

Speaking of the Center for Democracy and Technology, Leslie Harris gave a terrific quote to Forbes.com for an article on cybersecurity:

The Rockefeller-Snowe Bill represents just the sort of heavy-handed regulation that could stifle innovation and hurt the economy, argues Leslie Harris, president and chief executive of the Center for Democracy and Technology. “If you lock things down too tight and try to centralize and federalize all kinds of standards, you’re on a collision course with the innovators who may be making the next great tech product in their backyard,” she says.

The question is why CDT doesn’t apply this thinking to the field of identification and credentialing.

“Cyberattack” in Perspective

Two very welcome articles skewer breathless reporting and commentary on the recent cyberattack against U.S. government Web sites, among other things.

In a “Costs of War” column entitled “Chasing Cyberghosts,” intrepid reporter Shaun Waterman turns up the excesses that blew the story out of proportion and easily enticed congressional leaders to overreact.

[M]edia coverage of the attacks almost universally attributed them to North Korea, initially on the basis of anonymous sources in the South Korean intelligence services.

“There’s not a shred of technical evidence it was North Korea,” said [Internet Storm Center director Marcus] Sachs… . [M]any lawmakers, apparently anxious to polish their hawkish credentials, were swift, as Sachs put it, “to pound their fists and demand retaliation.”

The North Koreans “need to be sent a strong message, whether it is a counterattack on cyber, [or] whether it is more international sanctions,” said Republican Rep Peter Hoekstra, a ranking member of the House Intelligence Committee. “The only thing they will understand is some kind of show of force and strength.”

Security guru Bruce Schneier puts it all in perspective:

This is the face of cyberwar: easily preventable attacks that, even when they succeed, only a few people notice. Even this current incident is turning out to be a sloppily modified five-year-old worm that no modern network should still be vulnerable to.

Securing our networks doesn’t require some secret advanced NSA technology. It’s the boring network security administration stuff we already know how to do: keep your patches up to date, install good anti-malware software, correctly configure your firewalls and intrusion-detection systems, monitor your networks. And while some government and corporate networks do a pretty good job at this, others fail again and again.

I testified on cybersecurity in the House Science Committee late last month. This episode was a perfect illustration of one of my points to the committee: “Threat exaggeration has become boilerplate in the cybersecurity area.”

Waterman’s and Schneier’s pieces are shorter and eminently more readable so I’ll give them a “read-the-whole-thing.” All three of us participated in the Cato’s January conference on counterterrorism strategy.

This “Cyberwar” Is a Cybersnooze

The AP and other sources have been reporting on a “cyberattack” affecting South Korea and U.S. government Web sites, including the White House, Secret Service and Treasury Department.

Allegedly mounted by North Korea, this attack puts various “cyber” threats in perspective. Most Americans will probably not know about it, and the ones who do will learn of it by reading about it. Only a tiny percentage of people will notice the absence of the Web sites attacked. (An update to the story linked above notes that several agencies and entities “blunted” the attacks, as well-run Web sites will do.)

This is the face of “cyberwar,” which has little strategic value and little capacity to do real damage. This episode also underscores the fact that “cyberterrorism” cannot exist – because this kind of attack isn’t terrifying.

As I said in my recent testimony before the House Science Committee, it is important to secure web sites, data, and networks against all threats, but this can be done and is being done methodically and successfully – if imperfectly – by the distributed owners and controllers of all our nation’s “cyber” assets. Hyping threats like “cyberwar” and “cyberterror” is not helpful.