Cyberwar: Conflating Threats (confusing ourselves, not the enemy)

Summary:  When cyberwar proponents talk about our vulnerability to attacks, they play on our fears by freely mixing things that are obvious and likely (such as malware and online crime) with things that are highly unlikely (such as an entire country being brought to its knees by an electronic attack).  The third in a series about cyberwar by guest author Marcus J. Ranum.

Article deleted at author’s request.

(5) For more information about cyberwar

  1. “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats”, James A. Lewis, Center for Strategic and International Studies, December 2002
  2. “Meet Your New Commander-in-Geek”, Katherine Mangu-Ward, Reason, 26 May 2010 — “U.S. Cyber Command has no idea why it exists.”  But their fear-mongering PR is first-rate.
  3. “China’s Emerging Cyber War Doctrine”, Gurmeet Kanwal, Journal of Defense Studies (Institute for Defense Studies and Analysis), July 2009
  4. “The cyber war threat has been grossly exaggerated”, NPR, 8 June 2010 — Audio here.
  5. “Tehran’s Lost Connection”, Geneive Abdo, Foreign Policy, 10 June 2010 — “Is the Iranian regime’s cyberwar with the United States real, or a paranoid delusion?” — Abdo expects to know if the US waged cyberwar against Iran, ignoring our long history of covert offensive operations.
  6. “Reducing Systemic Cybersecurity Risk”, Peter Sommer (London School of Economics) and Ian Brown (Oxford), OECD, 14 January 2011
  7. “Cyberwar an exaggerated threat”, UPI, 17 January 2011 — Says Peter Sommer, now of the London School of Economics and author of the Hacker’s Handbook (1985) under the pseudonym Hugo Cornwall.
  8. “Cyber war threat exaggerated claims security expert”, BBC, 16 February 2011 — Says Bruce Schneier, chief security officer for British Telecom.
  9. “Don’t Believe Scare Stories about Cyber War”, John Horgan, Scientific American, 3 June 2011


13 thoughts on “Cyberwar: Conflating Threats (confusing ourselves, not the enemy)”

  1. As someone who’s just getting their feet wet in the security community, it strikes me that this state of affairs isn’t helped by the media’s propensity to shout “cyberwarfare!” and “hacker!” indiscriminately. In 99% of cases, the ‘hackers’ in news articles are merely the end users of off-the-shelf malware, and many ‘cyber-attacks’ reported in the news seem to have more in common with sit-ins than warfare (I am, of course, referring to the distributed denial of service attacks performed by cyber-activists such as Lulzsec or Anonymous).

    It seems to me that the risk of cyberwarfare is systematically overestimated due to a number of factors:

    1. Cyberwarfare is a novel threat.
    2. Vulnerability to cyber-attack cannot be easily reduced without expert knowledge.
    3. There is no way to prevent attempted attacks on the system if it ‘faces the net’.
    4. The consequences of a successful attack on our infrastructure may be severe.
    5. Few people possess the expert knowledge requisite to make a balanced assessment.

    The reason that we have an intelligence community and agencies like the NSA is because our private sector is not equipped — nor should it be — to engage in counterintelligence against the Chinese or other nation states. It’s not Google’s job to fight off Chinese spies: that’s NSA and CIA’s job.

    Many companies, particularly smaller ones, do not adequately secure their data against common cybercrime attacks. A lot of websites are still vulnerable to basic SQL injection, and I suspect even larger companies may be vulnerable to sophisticated attacks (see Lockheed-Martin and the RSA debacle).

    How accurate are my perceptions?

    1. I’d say your perceptions are pretty accurate.

      The media’s reaction (conflating hackers/malware/cybercrime with cyberwar) is as if someone tried to blur the safety history of commercial airlines with that of the space shuttle – “OMG! 1 in 1000 crash!” The reason we humans use analogies is to clarify problems by searching for illustrative similarities; the media does not do this – it searches for scary similarities in order to magnify the drama of real life.

      Many small companies do not adequately protect themselves against run-of-the-mill cyber attack and crime. Our overall reaction to that should be “so what?” and, as customers, to make sure that their foolish business decisions don’t hit us in the pocketbook. But in the case of larger organizations, their interest is to conceal their incompetence rather than address it (mostly that’s what’s going on with all the “cyberwar scare” in SCADA and smart grid systems) so when we have a large breach it attracts disproportionate attention. Because even technologically unsophisticated users are able to put 2+2 together and ask questions like “WTF? you connected WHAT to the internet?!”

      Existing security technologies are sufficient to achieve tremendous reliability against tampering. For example, a pair of wire-cutters applied to the internet connection of a smart-grid system will instantly make it much much more secure. :) At the cost of removing a lot of the “smart”.

      But that’s the problem. There is no super-duper military-grade firewall that Google should have that would somehow help them. The problem is that the more connected you are, the larger your “attack surface” is and, unless you have your act together, the greater the chance that something will go wrong.

      That’s why the big companies are running scared — they’ve connected everything together into vast networks and then connected those to the internet and now they’re going “waah waah protect us!” But the problem is that they made a big mistake and didn’t really think things through until it was too late. That’s why things like the DoD’s SIPRNet are such a disaster: let’s put 300,000+ users onto a network that assumes that anyone who is an “authorized user” is OK and can access ginormous amounts of information. Sound dumb to you? That’s because it is.

      Remember back in the early cold war days when you got access to a compartmented piece of information based on “need to know” and the size of the population with access to the secret was tightly controlled (and more importantly: enumerated) – that was terribly inconvenient and expensive to track and maintain – but it was the right way to protect information. What’s going on today is that the wrong way to protect information has been attempted, is failing, and the people responsible for those bad decisions are now blaming everyone but themselves. It’d be as if a bunch of mechanical engineers screwed up a design and then sat around trying to blame gravity and friction.

  2. I’ve also made the conceptual connection between “Cyber foo” and Y2K as blanket excuses for wild IT spending; the big difference, of course, is that the former doesn’t come with the inconvenience of a built-in fixed end date. “Oceania and Eurasia have always been at war”, quoth Orwell.

    The point about the Govt backbone being 85% private-owned is very well made. I think that’s a fact I’ll be remembering. Also, rather than go to the trouble of busting a bunch of (yes, very) vulnerable SCADA systems – which are likely to be difficult to characterise in real-world context by an attacker – I suspect Johnny home-grown Terrorist would view it as being far easier to have a good look at the mains electricity distribution network (conveniently detailed by the Ordnance Survey on their maps) and topple a few choice unguarded pylons – and I haven’t heard of them trying this, either…

    1. The 85% figure was Bennet’s not mine. I suspect it’s more than 85%. Bennet’s article contains several factual errors (which is odd, since this stuff was supposedly his job!) or disputable figures and that’s one of them.

      Don’t get me wrong about the SCADA systems. They utterly suck. The people who built them will eventually hear the flapping wings of a million lawyers coming to perch and wait for their chance to grab a slice of meat. The SCADA system manufacturers did an OK job of covering their butts: the remote controls can have passwords set, they say in the documentation that the stuff should be on isolated networks, etc. The guys who built out the SCADA systems and ignored those recommendations are the guys who are now running around clutching their temples saying “OMG! The Chineeeze!”

      If I were a ‘domestic terrorist’ I’d get a small team together and have them all apply for jobs at backup/data recovery companies, the IRS, and the outsourcer that does the IRS’ networking. Then we’d figure out how to transparently corrupt the backup media, leave that in place for 5 years, scramble the lot, wipe the databases, and hop on airplanes for places without extradition treaties. OK, that’s my scenario. Now, consider: how does outsourcing facilitate such an attack? How are any of the initiatives that the DoD – which is target-fixated on the myth of a foreign power “attack” going to help against that? Best of all, you can collect a decent salary from your target while you penetrate and destroy them…

      The important thing I’m trying to illustrate with that example is how EASY it is to come up with plausible-sounding threat scenarios. Fiction is nice, that way. Sorting out “what is likely to happen” from “all the possible things that could happen” is what security practitioners are supposed to do, and in the best situations we can offer solid advice so that they can prepare to withstand the right threats, rather than thrashing around trying to do everything poorly. That’s one of the reasons I am so upset by the whole cyberwar-fear-uncertainty-doubt sell-a-thon: the advisors who are banging the drums about this threat are often the same people who oversaw the process of putting ourselves at increased risk and NOW they are saying “be afraid, give us more money, be afraid, give us more money.” I don’t trust them and neither should you.

  3. “Summer of lulz: The empire strikes back”, New Scientist, 14 September 2011 — Subscription only. “‘Hacktivists’ have exposed lax security at many of the world’s most powerful organisations. Their actions could change the internet forever.” Excerpt:

    … Hacktivists’ role in internet history could be much bigger than they had ever imagined, and very different too.

    Hacktivism traces its roots back to the late 1990s, when a hacker collective called Electronic Disturbance Theater (EDT) protested against Mexican government policies that it considered oppressive by staging online versions of sit-ins.

    … That culture began to change in 2008, when the Anonymous collective was established. Like EDT, many of Anonymous’s fluid membership see their activities as functionally no different from conventional activism.

    … The satisfaction of exposing the arguably flawed personal security practices of cybersecurity company staff motivated Sabu and five other Anonymous members to form an aggressive splinter cell focused on a new goal. Not long after Lulz Security – more commonly known as LulzSec – had set up its Twitter feed, the group breached the websites of popular culture, video game and media corporations, publicly posting the names, phone numbers, emails and passwords of the sites’ members.

    In short order, LulzSec wreaked havoc on major companies and agencies which had the means to make their websites more robust, if not impregnable: Sony, the US Public Broadcasting Service, The Sun newspaper in the UK and even government agencies like the FBI, the CIA and the UK’s Serious Organised Crime Agency.

    “From a single line of code, we accessed everything,” the group said after one attack. “Why do you put such faith in a company that allows itself to become open to these simple attacks?”

    Through gritted teeth, many security professionals admit that LulzSec had a point. “The state of security is pretty poor,” says Chris Hadnagy, a consultant at cybersecurity firm Offensive Security, whose employees impersonate malicious hackers in order to find vulnerabilities in corporate websites. If Lulzsec could access your information, it meant the information had been available to criminals all along. When it comes to cybersecurity, companies tend to comply as minimally as they can with regulations, he says, begrudgingly admitting that LulzSec and Anonymous are likely to force companies to take responsibility for their customers’ information.

    … But just when it seems that Anonymous’s peculiar brand of tough love is sparking some necessary changes, some worry that there could be unintended consequences.

    … A government’s logical response to a cyber-threat is to make more laws, and that is exactly what’s coming, warns Marcus Rogers. Rogers is a forensic psychologist and digital forensics specialist at Purdue University in West Lafayette, Indiana, and he thinks that we have already hit a point at which the internet’s inherent lack of security has stopped being a boon and could become a fatal roadblock to innovation. As a result, he thinks an increase in regulation is inevitable and necessary. “I’m not a fan of it,” he says. That’s because he thinks such legislation is subject to missteps and overreaching, a danger that can be seen in three recently proposed laws. The proposals range from the benign to the draconian.

    … A third law goes perhaps the furthest to prevent data breaches, but in so doing, would also intrude significantly on the privacy of everyday internet users. Under the US’s ISP Data Retention Bill, which took a crucial step towards becoming law in July, internet service providers (ISPs) would be required to retain every single piece of data about every single move a person has made online for 12 months. Crucially, the law would not require the usual legal hurdles, such as a subpoena, to release your personal information; officials merely need to ask for it.

    1. LulzSec and their attacks provide a great example of the kind of conflation I’m talking about. We can see that a handful of highly skilled motivated attackers can cut through many organizations’ existing security like it’s so much cheese. And, from that, we are expected to extrapolate to their being a gigantic potential threat – “what if LulzSec were 10,000 elite hackers and they set themselves to attacking our economy?”

      Well, yes, “what if” – but that’s not the case. Asking that question (which, I realize, you didn’t) is the same as asking “what if there were 10,000 Timothy McVeighs who coordinated attacks around the US?” Well, obviously, that would be bad, too.

      Perhaps if ‘our’ government continues along its current trajectory toward a police-state, more and more individuals will be motivated to act as LulzSec and, indeed, McVeigh did. I am convinced that that’s the real dialogue playing itself out underneath the “cyberwar” frenzy: they aren’t afraid of the “cyberwar”, they are afraid of the “cyberinsurgency”.

      While there’s probably a dim level of awareness in the halls of Versailles on The Potomac that China is not going to try a massive “cyberwar” attack against us, they’re realizing that disgusted and irritated citizens may begin an insurgency. All that we’re lacking right now, between Anonymous and LulzSec and Wikileaks is a cogent anti-authoritarian ideology and a justificational moral philosophy. A philosophical Stuxnet, if you will. And I know for a fact that it’s being worked on right now, though I don’t know when/if it will be released.

  4. “Alexander Cites Need for Greater Cyber Defenses”, Armed Forces Press Service, 13 September 2011 — Opening:

    Citing the high rate of intrusions against Defense Department networks, the commander of U.S. Cyber Command today said his biggest concern is the threat of destructive attacks yet to be seen.

    A destructive attack from cyberspace “is coming, in my opinion,” Army Gen. Keith B. Alexander told military, government, industry and academic professionals at a conference here called “Maneuvering in Cyberspace.” “It is a question of time,” he said. “What we don’t know is how far out it is,” and whether it will target commercial infrastructure, government networks or mobile platforms.

    Alexander, who also serves as director of the National Security Agency, recognized both the “tremendous opportunities and tremendous vulnerabilities” created through network-enabled technologies. Just as the United States has been on the leading edge in developing many of these capabilities, Alexander said it also needs to be a leader in defending against cyber threats.

    “We were the country that developed the Internet, the iPhone, the iPad [and] some of these other great technologies,” he said. “We ought to be the first to secure it.”

  5. “The Threat of Cyberwar Has Been Grossly Exaggerated”, Bruce Schneier (author of several books about computer security), 7 July 2010 — Opening (links not shown):

    There’s a power struggle going on in the U.S. government right now. It’s about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top.

    “The United States is fighting a cyberwar today, and we are losing,” said former NSA director — and current cyberwar contractor — Mike McConnell. “Cyber 9/11 has happened over the last ten years, but it happened slowly so we don’t see it,” said former National Cyber Security Division director Amit Yoran. Richard Clarke, whom Yoran replaced, wrote an entire book hyping the threat of cyberwar.

    General Keith Alexander, the current commander of the U.S. Cyber Command, hypes it every chance he gets. This isn’t just rhetoric of a few over-eager government officials and headline writers; the entire national debate on cyberwar is plagued with exaggerations and hyperbole.

    Googling those names and terms — as well as “cyber Pearl Harbor,” “cyber Katrina,” and even “cyber Armageddon” — gives some idea how pervasive these memes are. Prefix “cyber” to something scary, and you end up with something really scary.

  6. Update: see the following post for an update on this story.

    “Foreign hackers targeted U.S. water plant in apparent malicious cyber attack, expert says”, Washington Post, 18 November 2011 — Excerpt:

    Foreign hackers caused a pump at an Illinois water plant to fail last week, according to a preliminary state report. Experts said the cyber-attack, if confirmed, would be the first known to have damaged one of the systems that supply Americans with water, electricity and other essentials of modern life.

    Companies and government agencies that rely on the Internet have for years been routine targets of hackers, but most incidents have resulted from attempts to steal information or interrupt the functioning of Web sites. The incident in Springfield, Ill., would mark a departure because it apparently caused physical destruction.

    Federal officials confirmed that the FBI and the Department of Homeland Security were investigating damage to the water plant but cautioned against concluding that it was necessarily a cyber-attack before all the facts could be learned. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” said DHS spokesman Peter Boogaard.

    … News of the incident became public after Joe Weiss, an industry security expert, obtained a report dated Nov. 10 and collected by an Illinois state intelligence center that monitors security threats. The original source of the information was unknown and impossible to immediately verify.

    The report, which Weiss read to The Washington Post, describes how a series of minor glitches with a water pump gradually escalated to the point where the pump motor was being turned on and off frequently. It soon burned out, according to the report.

    The report blamed the damage on the actions of somebody using a computer registered to an Internet address in Russia. “It is believed that hackers had acquired unauthorized access to the software company’s database” and used this information to penetrate the control system for the water pump.

    Experts cautioned that it is difficult to trace the origin of a cyber-attack, and that false addresses often are used to confuse investigations. Yet they also agreed that the incident was a major new development in cyber-security. …

    1. All Weiss has to do is publish the report.

      Attributing the attack to an “IP address in Russia” is extremely bogus. Anyone who has ever heard of “remote desktop” – a capability that is inherent in Microsoft Windows – ought to understand how easy it is to use another system as a jumpoff point for action.

    1. The “expert” reporting this attack is not a credible source; reports such as he describes are never unattributed – if the report is real he would be able to reference it (e.g.: “a report authored by mumble mumble of the Department of So-and-so on January such-and-such”), leaving it open for a FOIA request. As long as he’s reporting it so vaguely, it shouldn’t be treated as more than unsubstantiated rumor.

      It’s very unfortunate that even “experts” are engaging in self-promotional fear-mongering. It damages the credibility of the security practitioners and SCADA engineers alike.
