The Hysteria of the Cyber-Warriors

Willfro sends in a piece by Evgeny Morozov at the Boston Review about the hyperbole and the reality of "cyber war." Quoting: "At the end of May, President Obama called cyber-security 'one of the most serious economic and national security challenges we face as a nation.' His words echo a flurry of gloomy think-tank reports. Unfortunately, these reports are usually richer in vivid metaphor — with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' — than in factual foundation. So why is there so much concern about 'cyber-terrorism?' Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies — which need to justify their own existence — and cyber-security companies — which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts."

Ignorance Leads to Fear Leads to Profit

[eldavojohn]

Unfortunately, these reports are usually richer in vivid metaphor -- with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' -- than in factual foundation. So why is there so much concern about 'cyber-terrorism?'

Because no one fully understands it. And not understanding something can easily lead to fear. And those standing to make money off that fear (journalists, contractors, agencies) are unashamed to exploit it.

I'm a computer scientist and I don't even understand or know about every potential vulnerability. It's simply too complex ... and that's easy to turn into fear when you're talking to the people who are in charge of protecting us from threats. And the potential mitigation techniques are another endless myriad of complex software/hardware. All I can say is that it is highly unlikely that a Live Free or Die Hard 'fire-sale' scenario will happen. I can't in good conscious tell you it's impossible. I can tell you that the probability of it happening within a year would most certainly be dealt with in multi-digit negative powers of ten. Then there's the possibility of lesser attacks which are highly probable but I feel that the cost-risk ratio is all messed up. Again, I believe this is due to ignorance.

You get into a weird sort of emperors-new-clothes kind of situation when the only people who understand your problems are also the ones trying to sell you a solution. And they're just not being openly honest nor realistic with you.

Re:Ignorance Leads to Fear Leads to Profit

[FriendlyLurker]

Not to mention that in the process of securing against the "cyber-terrorism" bogeyman, an big added benefit for ruling elites will be removing net anonymity and related speech in the name of national security, bringing all those blogs and uncontrollable information channels under heel in a more hierarchical system - or at least more accountable to an "authorized views", type system - ("Take down that anti-war protest site and uncensored video footage - preempt information warfare against our war, sir") and of course, only authorized p2p channels and protocols allowed in this future we are manufacturing, thanks.

The post-nuclear war threat

[MikeRT]

The US no longer has to worry about nuclear war or even conventional war because we have the means of "winning" a nuclear war and can easily crush any country in a conventional war except, perhaps, the PRC. Even the European Union would not likely hold out against us in a conventional war. Our military knows that, and the majority of the world knows that. We are in a period of relative peace and stability, a Pax Americana. Thus we have to manufacture existential threats to keep the momentum going.

Going back to that post about government IT spending, I'd like to point out something about the military industrial complex that many don't realize. Just keeping the US military ready to go as a kick ass self-defense force with modest offensive capabilities is expensive. There is plenty of money to go around, and you're much more likely to see the agencies that now have to justify their existence like DHS getting in on this bandwagon than the DoD. For the traditional apparatus, it's always business as usual keeping the basic defense of US sovereignty going. For the rest, like DHS which has to find a new enemy under every bush, they have a lot of good reasons to be afraid.

You're wrong.

[Lord+Ender]

It's fear, yes. But it is extremely well-justified fear.

I do penetration tests for large companies. It's bad. Everywhere. The only reason penetration tests are ever unsuccessful is when the tester's hands are tied. Attacker's hands are not tied. Furthermore, denial-of-service flaws are universally ignored because information disclosure is considered a higher priority, and most companies have their hands full dealing with those flaws.

So let me make this as clear as possible: A single individual could shut down pretty much any large company. A group of individuals (say, from a hostile government) could halt operations in multiple simultaneous companies. Target a few large supply-chain management companies and a few large payment-processing/banking companies, and it would be relatively easy to shut down the economy for a while.

That means food rots on delivery trucks while paychecks stop flowing to employees. And don't think we will all switch over to doing things by hand during such an attack. The infrastructure to do so has been dismantled. We are entirely dependent on digital transactions these days.

Why hasn't such an attack happened? Is the probability really "low" as you suggest? It's just a matter of motivation. There isn't much profit in doing such a (tedious) thing for the eastern-european hacker crime groups, nor for the bored teenagers. There is more profitable, lower-hanging fruit. But if we went to war with a sophisticated nation, the motivations are entirely different. Widespread DoS combined with targeted database corruption would do much more damage to the economy (that thing that allows us to have the best military) than similarly-funded missile strikes.

Ignore the sound-bites security companies feed the media, but don't ignore the problem. This is perhaps the weakest part of our nation's defense infrastructure.