Behind Cyberwar FUD

Nicola Hahn writes "The inevitable occurred this week as The Economist broached the topic of cyberwar with a couple of articles in its July 3rd issue. The first article concludes that 'countries should agree on more modest accords, or even just informal "rules of the road" that would raise the political cost of cyber-attacks.' It also makes vague references to 'greater co-operation between governments and the private sector.' When attribution is a lost cause (and it is), international treaties are meaningless because there's no way to determine if a participant has broken them. The second recommendation is even more alarming because it's using a loaded phrase that, in the past couple of years, has been wielded by those who advocate Orwellian solutions. The other article is a morass of conflicting messages. It presumes to focus on cyberwar, yet the bulk of the material deals with cybercrime and run-of-the-mill espionage. Then there's also the standard ploy of hypothetical scenarios: depicting how we might be attacked and what the potential outcome of these attacks could be. The author concludes with the ominous warning that terrorists 'prefer the gory theatre of suicide-bombings to the anonymity of computer sabotage — for now.' What's truly disturbing is that The Economist never goes beyond a superficial analysis of the topic to examine what's driving all of the fear, uncertainty, and doubt (PDF), a subject dealt with in this Lockdown 2010 white paper."

Yup

[kyrio]

Still posting at -1

Re:So you are taking Economist seriously.

[k10quaint]

Someone is standing a bit to the left of Lenin. Oh, and as far as cyber wars go, the one between 4chan and Youtube seems to be heating up!

Doomsday BS

[Alwin Henseler]

Gotta love this paragraph:

What will cyberwar look like? In a new book Richard Clarke, a former White House staffer in charge of counter-terrorism and cyber-security, envisages a catastrophic breakdown within 15 minutes. Computer bugs bring down military e-mail systems; oil refineries and pipelines explode; air-traffic-control systems collapse; freight and metro trains derail; financial data are scrambled; the electrical grid goes down in the eastern United States; orbiting satellites spin out of control. Society soon breaks down as food becomes scarce and money runs out. Worst of all, the identity of the attacker may remain a mystery.

If you enable above-mentioned critical infrastructure to be controlled over a public network (no matter how well secured), that's a design flaw. Any damage from that should go on the account of the boneheads that designed things that way, not on cybercriminals that find a way in & abuse it. It's okay to use network-connected equipment to help optimize / monitor whatever public utility. But the controls should always go through (on-site) humans and/or network-independent systems.

Such doomsday think is BS anyway: if you keep the above in mind, it couldn't happen as long as attacks are limited to network / cyberwar operations. In case of physical attacks: that's a whole different ballgame. And if systems are designed such that network break-ins alone can disrupt critical infrastructure, then you deserve whatever you get.

Convenience?

[SgtChaireBourne]

What's convenient about electrical grid systems designed to fail [cnet.com]? We've even had the East Coast power grid, which includes part of the midwest and Canada fall down, allegedly related to some idiot using Microsoft products in mission critical situations. We've also had extended air traffic shut downs [techworld.com] for the world's 8th largest economy. But hey check out that spin. The headline says it's the fault of the flunky who needs to reboot the Microsoft "server" every few hours, rather than hanging up the criminals who replaced working systems with Microsoft products.

Secure systems are convenient: they work.

Re:Doomsday BS

[Svartalf]

Unfortunately, your supposition is incorrect.

They DO allow the controls to be accessible in that way. Even with the best designed systems, screwups occur and with disturbing frequency in this space.

I concur that they should be designed in the right way for this sort of stuff, by the way, but again, they're not and probably won't be for a while yet to come. FUD? Perhaps. Perhaps not. The problem is that there's a disturbing amount of truth within it that people keep dismissing here and elsewhere. It IS quite as bad as people have been claiming it is within this space- and unless you work with the segment, whether it be with the utilities or things like subways, you might not get that there REALLY is a problem that needs fixing and think it purely conjecture or outright lies to generate money for themselves.

It's not. With the grid in the shape it's in and with them carelessly exposing the control networks in manners that they can be manipulated via remote, there is a possibility, very real, very distinct, that someone could manage something that'd make the 2003 East Coast Blackout look like a Sunday picnic.

Re:So you are taking Economist seriously.

[slashqwerty]

summary, one can easily say that this time the group they are licking the boots of is RIAA.

While it would not surprise me at all if that's true, the 'whitepaper' referenced in the summary reads like a poorly researched conspiracy theory. It says this about the Wall Street Journal without providing a reference:

So whats going on is that you have one large corporation selling its product to other large corporations, where the product is the eyes and ears of the ruling class.

It also makes claims about attribution being NP Complete without providing a single citation in that entire section.

The driving force behind the cyberwar terminology really does need to be outed, but this paper doesn't do it.

And the schools will make money off of it, too

[langelgjm]

I've been seeing ads for a new degree program in "cybersecurity" at UMUC [umuc.edu] (second-career oriented portion of the University of Maryland). But I really wonder how effective such a degree could be if the person in the program isn't required to do some basic programming. From what I can tell, they aren't... they take "network essentials" and classes that include "penetration testing," but if the graduates of this kind of program are up against skilled hackers who are comfortable with bit-banging, I guess we're kind of screwed.

Re:denial, even on Slashdot == we're boned

[Velex]

Rest assured that this stuff is on the Internet, it's buggy as hell, it's misconfigured, and the passwords are as lame as you can imagine. We're already hacked into, at all levels, both government and private.

The sad thing is that 4 years ago I might have thought you were being a fear-monger. However, after working in a call center that handles gobs of information every day just to see management thinking that setting everyone's passwords to "1234" is a good idea because 1.) it's easy and 2.) having to remember passwords is too technical for pregnant teenagers and 20-somethings I completely believe you.

If a baby-mamma is inconvenienced in any way, especially any way involving using her brain, the stars will move.

Fortunatey at least HIPAA was enough to knock some sense into those idiots.

But then again, after dealing with local hospitals, I've learned that when a CEO is on the warpath and wants to crucify someone, fuck HIPAA. HIPAA doesn't apply when you make shit per hour and a CEO wants to blame you for something and ruin you.

Bizarre articles

[Anynomous Coward]

I've been reading The Economist for a long time now, and, save for some known idiosyncrasies like plugging CO2 taxes/trading and kicking the Euro, found it to be quite neutral, interesting and well-written. I browse a lot during the week, and the articles always catch on to the buzz, while offering real additional insight. About the only thing I don't care for is too much focus on the politics of countries that used to be part of the former British Empire, but hey, give them nostalgic Brits a break.

The articles in the latest edition are really bizarre. They totally deviate from the quality I'm accustomed to, so much that I wondered what's going on and was about to write a LTTE.