I was browsing CircleID the other day and came across Bruce Schneier’s article on cyberwar. The crux of Schneier’s article is that the term cyber war and the threat of cyber warfare have been greatly exaggerated. The real problem in cyberspace is not the threat of cyber warfare wherein a foreign government, or possibly a non-state actor, conducts a cyber attack on another nation. Instead, the cyber threat is really that of things like online crime. The people who assert that cyber war is a problem are those in the military who are hyping the threat in order to gain contracts from the government (i.e., it’s about the money) or gain control over others (which ultimately leads to money). In other words, the threat of a hostile government attacking us is small, and these threats are distracting us from the real problem—criminals in cyberspace.
Cyberspace has all sorts of threats, day in and day out. Cybercrime is by far the largest: fraud, through identity theft and other means, extortion, and so on. Cyber-espionage is another, both government- and corporate-sponsored. Traditional hacking, without a profit motive, is still a threat. So is cyber-activism: people, most often kids, playing politics by attacking government and corporate websites and networks.
These threats cover a wide variety of perpetrators, motivations, tactics, and goals. You can see this variety in what the media has mislabeled as “cyberwar.” The attacks against Estonian websites in 2007 were simple hacking attacks by ethnic Russians angry at anti-Russian policies; these were denial-of-service attacks, a normal risk in cyberspace and hardly unprecedented.
A real-world comparison might be if an army invaded a country, then all got in line in front of people at the DMV so they couldn’t renew their licenses. If that’s what war looks like in the 21st century, we have little to fear.
Similar attacks against Georgia, which accompanied an actual Russian invasion, were also probably the responsibility of citizen activists or organized crime. A series of power blackouts in Brazil was caused by criminal extortionists—or was it sooty insulators? China is engaging in espionage, not war, in cyberspace. And so on.
Is Schneier right? Are the cyber threats more benign than we think?
I think that Schneier is correct in asserting that most attacks are financially motivated or are examples of hacktivism (a portmanteau of the words hacking and activism). They are probably not examples of a foreign government attempting to shut down the infrastructure of the United States, or of another foreign government. Yet the attacks on Georgia in 2008 and Estonia in 2007 were not done by mere teenagers, nor were they akin to getting in line at the DMV.
Responsibility for the attacks in 2007 was ultimately claimed by one of the commissars of the Nashi, a Russian youth organization with ties to the Kremlin. Konstantin Goloskokov was the one claiming he drove it, and he was an assistant of Sergei Markov, a politician in the Russian Duma. Furthermore, the attacks did more than shut down the DMV; they shut down all Internet traffic into Estonia. In addition, during the Georgia attacks, the DoS attacks on that country’s websites prevented the Georgian government from communicating with the outside world. They resorted to using Google Blogspot in order to do so. So, these were not mere teenagers causing a ruckus, but people with nationalistic views and the ability to hurt a country’s infrastructure if they try hard enough.
I suppose my point is not so much that cyber warfare is the problem, but that deeply embedded botnets that exist for criminal purposes and hostile actors with nationalist views can come together and do a lot of damage in a short period of time. It may not be a state actor, but if the state is aware of the potential for threats and turns a blind eye, that doesn’t mean that their liability is eliminated. The word for this is negligence.
It is this potential for collisions in the online crime/nationalist arena that has the military community in the United States up in arms. Those in the military tend to see threats where none potentially exist, but on the other hand, they’re supposed to see threats where none potentially exist because once in a while, they are right. It is a cost/benefit ratio. What happens if no defenses are built and no attack comes vs what happens if no defenses are built and an attack is executed?
His other point, that the term cyber warfare is strewn about ad nauseam, is correct. China did not declare cyber war on Google this year. The term is being used colloquially in the sense that there was a war between the Montagues and the Capulets, or a war between Donald Trump and Martha Stewart, or a war between me and my intestines last night after I had some bad pizza. It’s more like a feud where one side engages in dirty tactics. That China engages in espionage to steal secrets from Google is not war conducted in cyberspace; it’s China protecting their turf. It’s not much different than Venezuela nationalizing their oil industry, except nobody calls that conventional warfare (they call it socialism).
So, is there a cyber warfare problem? Maybe. Is it state-sponsored malicious intent? Less likely. Is there a problem with cyber crime? Definitely. Is this a recipe for disaster? Probably.
Bruce knows enough about this subject to know that keeping the DMV open is not the issue. The real cause for concern is scenarios of the type where an attacker might shut down the electricity grid or the water supply for weeks or months. Sabotage has been used as a force multiplier in conventional warfare for centuries.
There are definitely some individuals who are inflating the risk of attack. There are plenty of beltway contractors who would like to launch a new government gravy-boat. And there are others who seem intent on setting up response plans in which step one is to suspend the constitution and declare martial law.
But that does not mean that everyone who considers cyber-warfare or cybernetic aspects of International Relations is a fraud. The cold war was not fought with guns, it was fought with ideas. The Internet is a tool for unrestricted propagation and distribution of ideas.
This time last year everyone was a-twitter with the aftermath of the election fraud in Iran. Throughout the whole period I never saw one member of the establishment media ever consider the possibility that this might be precisely the type of application that some people had anticipated for the Internet and the Web from the very start.
There are in fact issues that are worth thinking about that fall far short of the possible collapse of civil society. How cyber changes warfare is one of them.
One of the biggest issues in cyber is the lack of attribution. That means that we are returned to the situation of the late 60s to mid 70s where states started to look at terrorism as a means of consequence-free warfare.
http://www.schneier.com/blog/archives/2008/08/cyberattack_aga.html "Cyberattack Against Georgia Preceded Real Attack" where he comments "Welcome to 21st century warfare."
1. Yes it's deniable - and plausible deniability is quite easy compared to, say, a rogue state using "non state actors" for real life terror.
2. You can't brush it ALL off as hacktivism or non state actors. Not when real tanks and regiments closely follow DDoS attacks on infrastructure in a small border town.
Schneier tends to use high voltage security theater (fake boarding pass demos etc) to counter similar theatrical posturing from, say, beltway contractors who hype up the issue of cybersecurity, cyberwar, secure boarding passes, whatever. The problem with his approach is that genuine threats get not just underestimated but simply brushed off as nonexistent. Which is just as wrong as the other side's actions in hyping the threat up. What makes it worse is that yes these are serious threats and there is a high potential for damage that can be caused by these threats, whether invoked by state or non state actors, with or without coordination / direction from a state. Not that Schneier would care for my opinion but my suggestion to him would be to be a bit more balanced in his dismissive approach to such threats. He's a world authority on encryption. Maybe not so much on "other" aspects of security. Again, that's just my opinion, and it is colored by being more than a bit irritated by his brand of security theater, almost as much as by all the hype that's out there.
Bruce is an expert in communications. Or more precisely he is an expert in outbound communication. Listening to others is not a strong point. He does tend to come out with these categorical positions which the press loves on topics that are far more nuanced than his statements allow. And if you corner him in private you can probably get him to agree that the truth lies somewhere between the poles of the discussion he is playing contrarian on.
Says it all, somehow :)
I was at the cyberwar debate in DC Bruce mentions in his post. Kudos to him for admitting that McConnell and Zittrain simply were better at presenting their side of the argument. I wish Bruce and Rotenberg would have been better prepared, b/c I came away thinking there was much validity to what they were trying to say.
My review of the event is here on CircleID:
From Bruce’s blog:
EDITED TO ADD (7/7): Earlier this month, I participated in a debate: “The Cyberwar Threat has been Grossly Exaggerated.” (Transcript here, video here.) Marc Rotenberg of EPIC and I were for the motion; Mike McConnell and Jonathan Zittrain were against. We lost.
We lost fair and square, for a bunch of reasons—we didn’t present our case very well, Jonathan Zittrain is a way better debater than we were—but basically the vote came down to the definition of “cyberwar.” If you believed in an expansive definition of cyberwar, one that encompassed a lot more types of attacks than traditional war, then you voted against the motion. If you believed in a limited definition of cyberwar, one that is a subset of traditional war, then you voted for it.
It is not a question of (re)defining cyberwar at all - it is a question of whether it exists or not. If it exists, yes, it needs to be addressed, at least by coordinated defense. I'm not a believer in "counterattack" forms of cyberwar, that's dumb and an arms race all the way to the bottom. Nor am I a believer in making common cause with malware authors and skript kiddiez just because they're "patriotic citizens of my country". But I'm not going to be utterly stupid and deny outright that it exists. Nor am I going to believe that I alone, with the resources I have at my command, can make a difference. I do wish I was at that debate. Not that I even heard of it before you posted about it and then Terry referenced this Schneier blog post.
... and that's a rathole many people have been into already, till you just decide to move on and start identifying solutions to specific problems that you see. [Note - not a "solution to spam", given that you can't define spam]. Next step is to develop a coherent strategy to see where your threat perceptions and mitigation efforts are going, and those of others, and see if you can't cooperate somewhere, anywhere. The alternative is, of course, the pack of barking dogs approach (or paralysis by analysis) where you can sit and talk about it endlessly, without coming to any sort of conclusion, or making any sort of dent in the actual problems.
There's a difference between defining a term, and getting everyone to agree on a single universal definition of a term. The former is important; the latter is neither feasible nor necessary. In a traditional debate, the opening speaker for each side makes a point of interpreting the topic of debate and offering a definition within which he will argue his case. The two sides do not have to agree on a common definition for this to be possible, and they usually wind up arguing for or against slightly different things as a consequence. As regards spam, Spamhaus (for example) has its own definitions of spam. You don't have to agree with them, but at least you can know what Spamhaus means by "spam". Definition: easy; universal agreement: no, but so what? The same applies for Cyberwar. By all means, make a case for whether it exists or not, and how we should approach it, but start by defining the subject. Is Cyberwar hostile action conducted by a military power in a network environment, or anything that might be condoned or encouraged by a military power? One is narrow, the other is broad. There are other dimensions to the problem which also benefit from clarification like this.
http://projects.washingtonpost.com/top-secret-america/network/#/single/functions/cyber-ops/
seems like the U.S. is gearing up for a cyberwar, and has offensive and defensive capabilities.