Behind Cyberwar FUD

Nicola Hahn writes "The inevitable occurred this week as The Economist broached the topic of cyberwar with a couple of articles in its July 3rd issue. The first article concludes that 'countries should agree on more modest accords, or even just informal "rules of the road" that would raise the political cost of cyber-attacks.' It also makes vague references to 'greater co-operation between governments and the private sector.' When attribution is a lost cause (and it is), international treaties are meaningless because there's no way to determine if a participant has broken them. The second recommendation is even more alarming because it's using a loaded phrase that, in the past couple of years, has been wielded by those who advocate Orwellian solutions. The other article is a morass of conflicting messages. It presumes to focus on cyberwar, yet the bulk of the material deals with cybercrime and run-of-the-mill espionage. Then there's also the standard ploy of hypothetical scenarios: depicting how we might be attacked and what the potential outcome of these attacks could be. The author concludes with the ominous warning that terrorists 'prefer the gory theatre of suicide-bombings to the anonymity of computer sabotage — for now.' What's truly disturbing is that The Economist never goes beyond a superficial analysis of the topic to examine what's driving all of the fear, uncertainty, and doubt (PDF), a subject dealt with in this Lockdown 2010 white paper."

EVERY media outlet.

[AnonymousClown]

Every media outlet, should be read, viewed or listened to with a critical eye or ear. It's not just for media companies with a policy of bias, such as Fox News' conservative bias (American version), but also for normal human bias. To take any media outlet as being 100% unbiased truth is foolish.

The Economist is a bit conservative on the side business, but as far as being their lackey - I'm not so sure about that. Sometimes they come out with things that can be interpreted as almost anti-business. They've also been doing some rather critical pieces on BP lately as an example.

Or is BP behind on their payments to the Economist?

Re:EVERY media outlet.

[jhoegl]

Bandwagons.... everyone has one.

Re:EVERY media outlet.

They use those DC-10 looking spaceships right?

Re:EVERY media outlet.

[hedwards]

Well, here's the thing, Fox News doesn't seem to have any trouble attracting viewers, and it's been pretty much garbage since the day it was created. Likewise AM talk radio doesn't even pretend to accurately portray reality. I don't think that reputation is really something that matters as much as perhaps it should.

Re:So you are taking Economist seriously.

[k10quaint]

Someone is standing a bit to the left of Lenin. Oh, and as far as cyber wars go, the one between 4chan and Youtube seems to be heating up!

"Turn off our electricity"

[betterunixthanunix]

The internet was designed for convenience and reliability, not security.

The logical conclusion should be, "disconnect security sensitive systems from the Internet, go back to the older ways of managing those systems and design more secure networks for those systems." Oh, sorry, I forgot that convenience is actually more important than anything else, so that will never happen.

Re:"Turn off our electricity"

[darkfire5252]

The logical conclusion should be, "disconnect security sensitive systems from the Internet, go back to the older ways of managing those systems and design more secure networks for those systems."

The reason that some people give 'cyberwar' more thought than that is that it's not as simple as you make it out to be. I'm a coauthor on a DOE sponsored paper (under security review, so no citation for now) that covers some more subtle aspects of the problem. The electrical grid can be attacked by compromising the control system if that system is internet connected, true. However, if a significant proportion of the electrical load for any one generator can be controlled via the internet, then that generator can be attacked via the internet without requiring any direct internet contact. Case in point, X10, Google, Microsoft, and many other companies are currently looking into home automation and controlling the home's electrical system via the computer. So, what happens the next time there's a runaway MS worm, but instead of just sending spam it gives control of the home automation system to the attacker? Simply by turning the power off in enough houses in an area, an attacker could actually cause physical damage to the power plant.

That's why we can't just dismiss the problem as "unhook the power plants from the internet." In a world that's increasingly hooked to the internet, we can't afford to overlook how the internet-connected components can possibly have an effect on the non-connected components.

A-ha! A computer terminal! Mwhahahaha!

>I AM THE PRESIDENT OF THE UNITED STATES
>Greetings Mr. President

>DOWNLOAD ALL SECRET FILES TO DISKETTE
Working....Done.

>DEORBIT SURVEILLANCE AND COMMUNICATION SATELLITES
Working...Done.

>TURN OFF NORTH AMERICAN POWER GRID
Working....D


.

Re:So you are taking Economist seriously.

So long as they're not blowing a vuvuzela, who cares.

Doomsday BS

[Alwin+Henseler]

Gotta love this paragraph:

What will cyberwar look like? In a new book Richard Clarke, a former White House staffer in charge of counter-terrorism and cyber-security, envisages a catastrophic breakdown within 15 minutes. Computer bugs bring down military e-mail systems; oil refineries and pipelines explode; air-traffic-control systems collapse; freight and metro trains derail; financial data are scrambled; the electrical grid goes down in the eastern United States; orbiting satellites spin out of control. Society soon breaks down as food becomes scarce and money runs out. Worst of all, the identity of the attacker may remain a mystery.

If you enable above-mentioned critical infrastructure to be controlled over a public network (no matter how well secured), that's a design flaw. Any damage from that should go on the account of the boneheads that designed things that way, not on cybercriminals that find a way in & abuse it. It's okay to use network-connected equipment to help optimize / monitor whatever public utility. But the controls should always go through (on-site) humans and/or network-independent systems.

Such doomsday think is BS anyway: if you keep the above in mind, it couldn't happen as long as attacks are limited to network / cyberwar operations. In case of physical attacks: that's a whole different ballgame. And if systems are designed such that network break-ins alone can disrupt critical infrastructure, then you deserve whatever you get.

Re:Doomsday BS

[Svartalf]

Unfortunately, your supposition is incorrect.

They DO allow the controls to be accessible in that way. Even with the best designed systems, screwups occur and with disturbing frequency in this space.

I concur that they should be designed in the right way for this sort of stuff, by the way, but again, they're not and probably won't be for a while yet to come. FUD? Perhaps. Perhaps not. The problem is that there's a disturbing amount of truth within it that people keep dismissing here and elsewhere. It IS quite as bad as people have been claiming it is within this space- and unless you work with the segment, whether it be with the utilities or things like subways, you might not get that there REALLY is a problem that needs fixing and think it purely conjecture or outright lies to generate money for themselves.

It's not. With the grid in the shape it's in and with them carelessly exposing the control networks in manners that they can be manipulated via remote, there is a possibility, very real, very distinct, that someone could manage something that'd make the 2003 East Coast Blackout look like a Sunday picnic.

Re:So you are taking Economist seriously.

[westlake]

Economist is a private interest mouthpiece that serves whatever their financiers tell them to do, depending on what their backers need as policy at any given period. Judging from the contents of your summary, one can easily say that this time the group they are licking the boots of is RIAA.

The Economist has been around since 1843.

It is anchored in a classically liberal and centrist tradition - and has never been particularly well-known for boot-licking.

Too often when visiting here I find evidence that the eternally adolescent geek simply can't accept that there can be a principled opposition to his own set beliefs.

Convenience?

[SgtChaireBourne]

What's convenient about electrical grid systems designed to fail? We've even had the East Coast power grid, which includes part of the midwest and Canada fall down, allegedly related to some idiot using Microsoft products in mission critical situations. We've also had extended air traffic shut downs for the world's 8th largest economy. But hey check out that spin. The headline says it's the fault of the flunky who needs to reboot the Microsoft "server" every few hours, rather than hanging up the criminals who replaced working systems with Microsoft products.

Secure systems are convenient: they work.

There do have to be consequences

[simonbp]

Before you start dismissing the article without reading it, they do have a very good point that cyberattacks by governments should have consequences for those for those governments. If Russia were to blow up the HQ of a company they didn't like, everybody would up in arms about, but if they hire a bunch of script kiddies to go in an wipe the company's server farm (effectively destroying the company), it probably wouldn't even draw a comment from the State Department. That's not a good precedent to set for the future...

Re:So you are taking Economist seriously.

[Z8]

one can easily say that this time the group they are licking the boots of is RIAA.

The Economist is the world's best weekly newspaper. If you read what they say about the RIAA, including the first article which mentions how the RIAA's agressive tactics aren't working and are a lesson to other industries on what _not_ to do, you'd know that the Economist takes a moderate view on intellectual property.

In particular, they often report on academic research showing that IP laws are too strong. For instance, this article (subscription required) called "Killing Creativity" is about how overly strong IP laws can smother innovation.

Not since the crash

[Kupfernigk]

So called followers of Adam Smith have been reading the old boy a bit since the crash,and realised that he would have disapproved of almost everything they were supporting. The Economist hasn't really admitted that they bet their money on the bob-tailed nag - but they do seem recently to have remembered a bit that AS was opposed to cartels, and supported the free exchange of information.

And the schools will make money off of it, too

[langelgjm]

I've been seeing ads for a new degree program in "cybersecurity" at UMUC (second-career oriented portion of the University of Maryland). But I really wonder how effective such a degree could be if the person in the program isn't required to do some basic programming. From what I can tell, they aren't... they take "network essentials" and classes that include "penetration testing," but if the graduates of this kind of program are up against skilled hackers who are comfortable with bit-banging, I guess we're kind of screwed.

in a word...

[nimbius]

America. America is driving the cyber war nonsense and the reason is clear. the natural progression of our regularly scheduled wars that operate on ~4 year cycle is boring the american public, who are tired of
sending their kids to the meatgrinder in some third world hell-desert. American voters are also tired of high taxes required to pay for these "necessary wars" that drive GDP up, but in the long term which most americans
and politicians dont concern themselves with, bankrupt a nation.

Drones made war more popular by removing the "little johnny isnt coming home" factor from war, but their most recent theatre also made them politically despicable as they became used casually to invade sovereign states to bomb the living shit out of army bases and cars with "suspected" terrorist leaders. This set the precedent for any country with an agenda to disregard national sovereignty because, well, america does too.

  cyberwar is an innocuous catchall thats managed by a US military entity (the airforce,) sufficiently complex as to avoid questioning by the general populous, and can easily be related to americans in terms of website hacks, email hacks, etc...to such an extent as to drive support and backing for cyberwars. Cyberwars, being ambiguous and beyond comprehension by joe six-pack also enjoy the luxury of being cheap, or expensive, depending on the size of the pocketbook and willingness of the nation to spend.

Cyberwar, like the war on terror, is designed as a continued investment by quite likely the very same government entrenched corporations that drove most any of the other wars we've had. it doesnt seek to protect anyone or solve anything, only create new consumer products the likes of the AR-15 and the hummer and line the pockets of the richest and most vile human beings who have ever come under the service of the people of the united states of america. And so long as we have potbellied senators from the carolinas barking cyberwar, there will always be a market for what we fear but do not understand.

denial, even on Slashdot == we're boned

[r00t]

For those of us in-the-know, it's painful to see people like you here on Slashdot. Due to NDA and various laws, we obviously can't go pointing out exactly how the USA truly is at risk.

Rest assured that this stuff is on the Internet, it's buggy as hell, it's misconfigured, and the passwords are as lame as you can imagine. We're already hacked into, at all levels, both government and private.

The main limitations for the attackers are a lack of obscure knowledge and their own preference for quietly stealing information. Why screw with a super-crufty undocumented railroad control system when you could be reading Hillary's email or picking up a copy of the F-35 radar software?

Re:denial, even on Slashdot == we're boned

[Velex]

Rest assured that this stuff is on the Internet, it's buggy as hell, it's misconfigured, and the passwords are as lame as you can imagine. We're already hacked into, at all levels, both government and private.

The sad thing is that 4 years ago I might have thought you were being a fear-monger. However, after working in a call center that handles gobs of information every day just to see management thinking that setting everyone's passwords to "1234" is a good idea because 1.) it's easy and 2.) having to remember passwords is too technical for pregnant teenagers and 20-somethings I completely believe you.

If a baby-mamma is inconvenienced in any way, especially any way involving using her brain, the stars will move.

Fortunatey at least HIPAA was enough to knock some sense into those idiots.

But then again, after dealing with local hospitals, I've learned that when a CEO is on the warpath and wants to crucify someone, fuck HIPAA. HIPAA doesn't apply when you make shit per hour and a CEO wants to blame you for something and ruin you.

Fox news and the right to lie.

[khasim]

http://en.wikipedia.org/wiki/Jane_Akre

What other "news" organization would go to court to defend their right to lie in a "news" story?

If you tell the viewers what the viewers want to hear (regardless of any factual basis) then you will attract a lot of viewers.

Bizarre articles

[Anynomous+Coward]

I've been reading The Economist for a long time now, and, save for some known idiosyncrasies like plugging CO2 taxes/trading and kicking the Euro, found it to be quite neutral, interesting and well-written. I browse a lot during the week, and the articles always catch on to the buzz, while offering real additional insight. About the only thing I don't care for is too much focus on the politics of countries that used to be part of the former British Empire, but hey, give them nostalgic Brits a break.

The articles in the latest edition are really bizarre. They totally deviate from the quality I'm accustomed to, so much that I wondered what's going on and was about to write a LTTE.

Northeast Regional Power Outages 1965-2010

[westlake]

We've even had the East Coast power grid, which includes part of the midwest and Canada fall down, allegedly related to some idiot using Microsoft products in mission critical situations.

1965 Nov 9 Northeast Blackout Cascading series of transmission line overloads traced to safety relay at Niagara's Adam Beck station. (human error)

1977 July 13 New York City Blackout of 1977 (Lightning strikes take out four transmission lines)

1998 January (ice storms)

1999 July 5 (Boundary Waters-Canadian Derecho)

2003 August 14 Northeast Blackout of 2003

In February 2004, the U.S.-Canada Power System Outage Task Force released their final report, placing the main cause of the blackout on FirstEnergy Corporation's failure to trim trees in part of its Ohio service area. The report states that a generating plant in Eastlake, Ohio (a suburb of Cleveland) went offline amid high electrical demand, putting a strain on high-voltage power lines (located in a distant rural setting) which later went out of service when they came in contact with "overgrown trees". The cascading effect that resulted ultimately forced the shutdown of more than 100 power plants.

Computer failure

A software bug known as a race condition existed in General Electric Energy's Unix-based XA/21 energy management system. Once triggered, the bug stalled FirstEnergy's control room alarm system for over an hour. System operators were unaware of the malfunction; the failure deprived them of both audio and visual alerts for important changes in system state. After the alarm system failure, unprocessed events queued up and the primary server failed within 30 minutes. Then all applications (including the stalled alarm system) were automatically transferred to the backup server, which itself failed at 14:54. The server failures slowed the screen refresh rate of the operators' computer consoles from 1-3 seconds to 59 seconds per screen. The lack of alarms led operators to dismiss a call from American Electric Power about the tripping and reclosure of a 345 kV shared line in northeast Ohio. Technical support informed control room personnel of the alarm system failure at 15:42.

2003 Sept 29 (Hurricane Isabel)

2005 Dec 19 (ice storms)

2006 July 17-18 (severe thunderstorms)

2006 Oct 12 "October Surprise" (lake-effect snow storm, Buffalo, NY)

List of notable wide-scale power outages

Not one of the - world's great - power outages on the Wikipedia's list is linked in any way to Microsoft or Windows.

On Tuesday, FAA officials had insisted that the more than three-hour system shutdown posed no safety risks. But they acknowledged Wednesday that they were investigating five incidents in which planes lost the required separation distance during the first 15 minutes of the communications breakdown.
In two cases, large airliners -- a UPS cargo plane and a Northwest Airlines flight bound for Southern California airports -- came much closer to small corporate jets than federal guidelines allow, requiring at least one pilot to take corrective action. FAA officials repeated Wednesday that they did not believe lives were ever at risk.
The agency's radio system in Palmdale shut itself down Tuesday afternoon because a technician failed to reset an internal clock -- a routine maintenance procedure required every 30 days by the FAA. Then a backup system failed, also as a result of technician error, officials said.
The radar system in Palmdale, contrary to what some FAA and union officials had said Tuesday, did not shut down.
FAA officials said they had known for more than a year that a software glitch could shut down radio communications and were in the process of fixing it. In the m