ANYONE who follows technology or military affairs has heard the predictions for more than a decade. Cyberwar is coming. Although the long-announced, long-awaited computer-based conflict has yet to occur, the forecast grows more ominous with every telling: an onslaught is brought by a warring nation, backed by its brains and computing resources; banks and other businesses in the enemy states are destroyed; governments grind to a halt; telephones disconnect; the microchip-controlled Tickle Me Elmos will be transformed into unstoppable killing machines.
But how bad would a cyberwar really be — especially when compared with the blood-and-guts genuine article? And is there really a chance it would happen at all?
Whatever the answer, governments are readying themselves for the Big One.
Whatever form cyberwar might take, most experts have concluded that what happened in Estonia earlier this month was not an example.
Still, many in the security community and the news media initially treated the digital attacks against Estonia’s computer networks as the coming of a long-anticipated new chapter in the history of conflict — when, in fact, the technologies and techniques used in the attacks were hardly new, nor were they the kind of thing that only a powerful government would have in its digital armamentarium.
James Andrew Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies.
Mr. Lewis stressed. “The idea that Estonia was brought to its knees — that’s when we have to stop sniffing glue,” he said.
In fact, an attack would have borne real risks for Russia, or any aggressor nation, said Ross Stapleton-Gray, a security consultant in Berkeley, Calif. “The downside consequence of getting caught doing something more could well be a military escalation,” he said.
That’s too great a risk for a government to want to engage in what amounts to high-tech harassment, Mr. Lewis said. “The Russians are not dumb,” he said.
And yet, in early 2009, CSIS jumped on the cyber-hysteria bandwagon, with a report that cites the Estonia example in a document meant for the President that seems to imply that simple DDoS and/or cyber-espionage should be considered acts of war! – post by TransTracker
Down on earth, by comparison, this correspondent found himself near the Kennedy Space Center in a convenience store without cash and with the credit card network unavailable. “The satellite’s down,” the clerk said. “It’s the rain.” And so the purchase of jerky and soda had to wait. At the center’s visitor complex, a sales clerk dealt with the same problem by pulling out paper sales slips.
People, after all, are not computers. When something goes wrong, we do not crash. Instead, we find another way: we improvise; we fix. We pull out the slips.
Excellent point. Cyber-doom scenarios assume that people will respond to a massive attack with complete, paralyzing panic. But that didn’t even happen during the massive strategic bombing campaigns of WWII. Instead, Londoners, for example, not only improvised, but they got pissed off…and more determined than ever to defeat their German attackers. – post by TransTracker
We see, for example, that Estonia’s computer emergency response team responded to the junk packets with technical aplomb and coolheaded professionalism, while Estonia’s leadership … well, didn’t. Faced with DDoS and nationalistic, cross-border hacktivism — nuisances that have plagued the rest of the wired world for the better part of a decade — Estonia’s leaders lost perspective.
Here’s the best quote, from the speaker of the Estonian parliament, Ene Ergma: “When I look at a nuclear explosion, and the explosion that happened in our country in May, I see the same thing.”
Cyberwars were supposed to target critical infrastructures beyond the internet, like the SCADA systems that control elements of the power grid; air traffic control networks; nuclear power plant safety systems. In other words, real cyberwarriors aren’t interested in clogging the public internet like spammers; they use the internet as a path to sensitive, private networks where sabotage has some hope of causing physical, real-world mayhem that outlasts the attack. (DDoS barely rated a walk-on role in DHS’s comprehensive Cyber Storm exercise last year.)
I’m skeptical that real cyberwar, or cyberterrorism, will ever take place. But what is certain is that the Estonia DDoS does nothing to illuminate our risk of it. No new attack techniques surfaced; the level of traffic was not surprising; the mitigation tactics were tried and true and, of course, successful. That Estonia’s public internet is small and easily overrun doesn’t change anything for the U.S.
While cyberhawks fancy themselves Cassandras preaching to an oblivious world, dire predictions of a Red cyberdawn were widely accepted in the halls of power for years. Condoleezza Rice voiced concerns in March 2001; six months later, September 11 provided a grim reminder that America’s enemies prefer shedding blood over bytes.
If we cast computer attacks in military terms, we invite military thinking where defensive technical solutions are needed. You can see the outline of where this is headed in the magazine. Peters, a former Army intelligence officer, writes not a word in support of the many serious efforts to close vulnerabilities in civilian and military networks. But he laments that in an age of cyberwar, America is burdened by “our own insistence of confining all forms of warfare within antiquated laws.”
We see it in Estonia too. While cooler heads were combating the first wave of Estonia’s DDoS attacks with packet filters, we learn, the country’s defense minister was contemplating invoking NATO Article 5, which considers an “armed attack” against any NATO country to be an attack against all. That might have obliged the U.S. and other signatories to go to war with Russia, if anyone was silly enough to take it seriously.
Exactly! Framing “cyberwar” as “war” makes it a military issue, leading to military ways of thinking and military forms of response. This, in turn, increases the risk of needless conflict escalation. Hawks like Peters (and many, many others) seek to define cyberwar as entirely new, with all existing laws governing the use of force as “antiquated.” The risk of escalation is real because hawks are working hard to toss existing laws and norms in an attempt to define acts that would not traditionally be considered “use of force” or “acts of war” as precisely that, thus providing justification for launching physical military responses to DDoS attacks. – post by TransTracker
In this hypothetical scenario, a single attack launched by China against the US lasts only a few hours, but a full-scale assault lasting days or weeks could bring an entire modern information economy to its knees.
Classic! A bot net “attack” portrayed in the manner of a Cold War-era ICBM attack! – post by TransTracker
The nation’s top spy, Michael McConnell, thinks the threat of cyberarmageddon! is so great that the U.S. government should have unfettered and warrantless access to U.S. citizens’ Google search histories, private e-mails and file transfers, in order to spot the cyberterrorists in our midst.
That’s according to a sprawling 18-page story on the Director of National Intelligence by Lawrence Wright in the January 21 edition of the New Yorker. (The story is not online).
In the piece, McConnell returns, in flamboyant style, to his exaggerating ways, hyping threats and statistics to further his bureaucratic aims. For example, McConnell regurgitates the hoary myth that computer crime costs America $100 billion a year. THREAT LEVEL traced down the source of that fake-factoid in September to a former privacy officer for the state of Colorado.
Presumably using unsupported stats like that, in May 2007 McConnell convinced President Bush that a massive cyber-attack on a single U.S. bank would be worse for the economy than the deadly terrorist attacks of September 11, the article reports. In response, the NSA developed a mind-boggling, but still incomplete, plan to eavesdrop on the internet in order to protect it.
In order for cyberspace to be policed, Internet activity will have to be closely monitored. Ed Giorgio, who is working with McConnell on the plan, said that would mean giving the government the authority to examine the content of any e-mail, file transfer, or Web search. “Google has records that could help in a cyber-investigation,” he said. Giorgio warned me, “We have a saying in this business: ‘Privacy and security are a zero-sum game.’”
It says something ominous about McConnell’s priorities if he believes a DDOS attack on Bank of America, or even a computer intrusion that wiped out its database (and magically purged its backup tapes), would be worse than an attack that killed 3,000 Americans.
Still, it’s hardly a surprising plan — given that McConnell was one of the main backers of the Clipper Chip, the government’s failed, early 1990’s proposal to put a backdoor in every encryption product.
If you’ve been reading Slashdot, you’re probably stunned to learn that cybercrime has just now ballooned into a $105 billion industry, making it more lucrative than the global trade in illegal drugs. This from David DeWalt, CEO of anti-virus vendor McAfee, who dropped the billion-dollar bombshell at a conference in Tucson, where it was uncritically reported by InformationWeek.
The $105 billion figure has been bouncing around the media like a bad check for two years, being quietly debunked by security experts and the tech press (including InformationWeek, in 2005), even as the more mainstream media nurture and love it.
It all started with a quote in a Reuters story from technology consultant Valerie McNevin, the former privacy officer for the state of Colorado.
There’s no evidence that McNevin offered anything to back up her claim (and the $105 billion figure for drug profits is flat-out wrong).
Confused? No longer! Here’s THREAT LEVEL’s flowchart of how this fake news has gotten around, and occasionally encountered resistance.
Chinese hackers may have been responsible for the recent power outage in Florida, and the widespread blackout that struck the northeastern U.S. in 2003, according to a new report in the National Journal that shows the intelligence community taking cyberwar hysteria to new and dizzying heights.
The story, citing computer security professionals, who in turn cite unnamed U.S. intelligence officials, says that China’s People’s Liberation Army may have cracked the computers controlling the U.S. power grid to trigger the cascading 2003 blackout that cut off electricity to 50 million people in eight states and a Canadian province.
It’s official: Cyberterror is the new yellowcake uranium.
Ever since intelligence chief Michael McConnell decided on cyberterrorism as the latest raison d’etre for warrantless NSA surveillance, we’ve seen increasingly brazen falsehoods and unverifiable cyberattack stories coming from him and his subordinates, from McConnell’s bogus claim that cyberattacks cost the U.S. economy $100 billion a year, to one intelligence official’s vague assertion that hackers have caused electrical blackouts in unnamed countries overseas.
This time, though, they’ve attached their tale to the most thoroughly investigated power incident in U.S. history.
The detailed 228-page final NERC report found a complex confluence of events responsible, but not a single hacker. It traced the root cause of the outage to the utility company FirstEnergy’s failure to trim back trees encroaching on high-voltage power lines in Ohio. When the power lines were ensnared by the trees, they tripped.
Or maybe I’m being naive. Maybe there were no trees. Implicit in this new cyberterror tale is the suggestion that everybody who investigated the 2003 blackout, including FirstEnergy, the Department of Energy, the Federal Energy Regulatory Commission, and the civilian North American Electric Reliability Council, were part of a massive conspiracy to conceal a (pointless) Chinese hack attack from the American people.
Now that we’re seeing “overgrown trees” between the same scare quotes conspiracy theorists bracket around “lone gunman” and “moon landing,” the cybarmageddon hawks have squarely set foot in the realm of 9/11 truthers. I’m waiting for them to blame Chinese hackers for “Hurricane” Katrina.
Is hacking a real threat to the United States or is it just the latest overblown threat to national security, whose magnitude is being exaggerated to expand government budgets and power?
Amit Yoran, a former Bush Administration cybersecurity czar, argues the answer is easy.
“Is hacking a national security threat?” Yoran said. “The one word answer is ‘Yes.’”
As proof, Yoran pointed to stories about the denial-of-service attacks in Estonia, attacks on government contractor Booz Allen Hamilton and the recently reported breach of defense contractor computers that let hackers get at information on the Joint Strike Fighter.
“Cyber 9-11 has happened over the last 10 years, but it’s happened slowly so we don’t see it,” Yoran said.
Cyber 9-11 in slow motion! Nice! This is the first time I’ve heard this rationale. All those cyber-doom scenarios we’ve heard for almost 20 years now have yet to come close to being realized. So, take the cyber 9-11, cyber Katrina, cyber Pearl Harbor, etc. and turn them into long, slow events. But, by definition, a long slow 9-11 is NOT 9-11 anymore! – post by TransTracker
Poulsen called the threat of cyber-terrorism “preposterous,” citing the long-standing warnings that hackers would attack the power grid — despite the fact that it has never happened. And he argued that calling such intrusions national security threats means information about attacks gets classified unnecessarily.
Dr. Herb Lin, a cyberattack expert at the National Research Council, called the scoffing naive, saying he could imagine hackers getting into classified command-and-control systems, for one.
Yes, so can I. I can IMAGINE all sorts of crazy shit! So can lots of other people. (Authors of sci-fi novels and movies have been making boat loads of money based on this capability for years.) But just because you can imagine it does not mean it is a real threat! So far, cyberwar discourse is long on imagined cyber-doom scenarios and short on real, empirical evidence. – post by TransTracker
But he lamented that much of the current dialogue is about cyberwar and cyber-terror, when the largest threat is in cyber-espionage — which is not considered an act of war.
So, is he suggesting that espionage, when conducted via cyberspace, should now be considered an “act of war?” If so, that’s complete bullshit. – post by TransTracker
Yoran did admit that cyber-terrorism was improbable, but stuck to his point that there are significant national security threats from hackers.
Lin says the government needs to think about getting its own cyberattack capability.
Translation: “We admit that a large part of what we tried to use to scare you in the past has turned out to be a bunch of BS, but believe us about the new scenarios we’re trying to use to scare you, and then give us lots of money so that we can learn to attack people ourselves.” – post by TransTracker
Lin was dumbstruck by Poulsen’s dismissal of the examples that the government, including President Obama, have used as evidence that there is a massive cybersecurity threat — specifically Obama’s recent description of a November USB thumb-drive virus attack as one of the biggest cyberattacks against the U.S. military.
“Why is something that is an obvious threat not considered a threat to national security?” Lin asked.
“The point is that the way you frame these issues matters,” Schneier explained.
Classic use of the realist style by Lin. Act as though all of this is just “obvious”; anyone who doesn’t see it that way is just “naive.” And yet, if it really were obvious, he and Yoran, and others, wouldn’t have to work so hard to scare folks with IMAGINED cyber-doom scenarios that never seem to come close to being realized in REALITY. Indeed, Schneier is correct, the “framing” of all of this is important; the process of “securitization” taking place is really the interesting part. – post by TransTracker
In fact, they do matter — since now the government is pouring billions of dollars into cybersecurity for its own networks, and possibly the general public’s net — a far change from the government’s relative indifference to such issues until about two years ago.
Exactly! It matters because if we’re going to spend billions of dollars to combat a threat, that threat needs to be based on something more than an “expert” saying “trust me, it’s real because I can imagine it!” – post by TransTracker