Behind Cyberwar FUD

Nicola Hahn writes "The inevitable occurred this week as The Economist broached the topic of cyberwar with a couple of articles in its July 3rd issue. The first article concludes that 'countries should agree on more modest accords, or even just informal "rules of the road" that would raise the political cost of cyber-attacks.' It also makes vague references to 'greater co-operation between governments and the private sector.' When attribution is a lost cause (and it is), international treaties are meaningless because there's no way to determine if a participant has broken them. The second recommendation is even more alarming because it's using a loaded phrase that, in the past couple of years, has been wielded by those who advocate Orwellian solutions. The other article is a morass of conflicting messages. It presumes to focus on cyberwar, yet the bulk of the material deals with cybercrime and run-of-the-mill espionage. Then there's also the standard ploy of hypothetical scenarios: depicting how we might be attacked and what the potential outcome of these attacks could be. The author concludes with the ominous warning that terrorists 'prefer the gory theatre of suicide-bombings to the anonymity of computer sabotage — for now.' What's truly disturbing is that The Economist never goes beyond a superficial analysis of the topic to examine what's driving all of the fear, uncertainty, and doubt (PDF), a subject dealt with in this Lockdown 2010 white paper."

EVERY media outlet.

[AnonymousClown]

Every media outlet, should be read, viewed or listened to with a critical eye or ear. It's not just for media companies with a policy of bias, such as Fox News' conservative bias (American version), but also for normal human bias. To take any media outlet as being 100% unbiased truth is foolish.

The Economist is a bit conservative on the side business, but as far as being their lackey - I'm not so sure about that. Sometimes they come out with things that can be interpreted as almost anti-business. They've also been doing some rather critical pieces on BP lately as an example.

Or is BP behind on their payments to the Economist?

"Turn off our electricity"

[betterunixthanunix]

The internet was designed for convenience and reliability, not security.

The logical conclusion should be, "disconnect security sensitive systems from the Internet, go back to the older ways of managing those systems and design more secure networks for those systems." Oh, sorry, I forgot that convenience is actually more important than anything else, so that will never happen.

Re:"Turn off our electricity"

[darkfire5252]

The logical conclusion should be, "disconnect security sensitive systems from the Internet, go back to the older ways of managing those systems and design more secure networks for those systems."

The reason that some people give 'cyberwar' more thought than that is that it's not as simple as you make it out to be. I'm a coauthor on a DOE sponsored paper (under security review, so no citation for now) that covers some more subtle aspects of the problem. The electrical grid can be attacked by compromising the control system if that system is internet connected, true. However, if a significant proportion of the electrical load for any one generator can be controlled via the internet, then that generator can be attacked via the internet without requiring any direct internet contact. Case in point, X10, Google, Microsoft, and many other companies are currently looking into home automation and controlling the home's electrical system via the computer. So, what happens the next time there's a runaway MS worm, but instead of just sending spam it gives control of the home automation system to the attacker? Simply by turning the power off in enough houses in an area, an attacker could actually cause physical damage to the power plant.

That's why we can't just dismiss the problem as "unhook the power plants from the internet." In a world that's increasingly hooked to the internet, we can't afford to overlook how the internet-connected components can possibly have an effect on the non-connected components.

A-ha! A computer terminal! Mwhahahaha!

>I AM THE PRESIDENT OF THE UNITED STATES
>Greetings Mr. President

>DOWNLOAD ALL SECRET FILES TO DISKETTE
Working....Done.

>DEORBIT SURVEILLANCE AND COMMUNICATION SATELLITES
Working...Done.

>TURN OFF NORTH AMERICAN POWER GRID
Working....D


.

Doomsday BS

[Alwin+Henseler]

Gotta love this paragraph:

What will cyberwar look like? In a new book Richard Clarke, a former White House staffer in charge of counter-terrorism and cyber-security, envisages a catastrophic breakdown within 15 minutes. Computer bugs bring down military e-mail systems; oil refineries and pipelines explode; air-traffic-control systems collapse; freight and metro trains derail; financial data are scrambled; the electrical grid goes down in the eastern United States; orbiting satellites spin out of control. Society soon breaks down as food becomes scarce and money runs out. Worst of all, the identity of the attacker may remain a mystery.

If you enable above-mentioned critical infrastructure to be controlled over a public network (no matter how well secured), that's a design flaw. Any damage from that should go on the account of the boneheads that designed things that way, not on cybercriminals that find a way in & abuse it. It's okay to use network-connected equipment to help optimize / monitor whatever public utility. But the controls should always go through (on-site) humans and/or network-independent systems.

Such doomsday think is BS anyway: if you keep the above in mind, it couldn't happen as long as attacks are limited to network / cyberwar operations. In case of physical attacks: that's a whole different ballgame. And if systems are designed such that network break-ins alone can disrupt critical infrastructure, then you deserve whatever you get.

Re:Doomsday BS

[Svartalf]

Unfortunately, your supposition is incorrect.

They DO allow the controls to be accessible in that way. Even with the best designed systems, screwups occur and with disturbing frequency in this space.

I concur that they should be designed in the right way for this sort of stuff, by the way, but again, they're not and probably won't be for a while yet to come. FUD? Perhaps. Perhaps not. The problem is that there's a disturbing amount of truth within it that people keep dismissing here and elsewhere. It IS quite as bad as people have been claiming it is within this space- and unless you work with the segment, whether it be with the utilities or things like subways, you might not get that there REALLY is a problem that needs fixing and think it purely conjecture or outright lies to generate money for themselves.

It's not. With the grid in the shape it's in and with them carelessly exposing the control networks in manners that they can be manipulated via remote, there is a possibility, very real, very distinct, that someone could manage something that'd make the 2003 East Coast Blackout look like a Sunday picnic.

Re:So you are taking Economist seriously.

[westlake]

Economist is a private interest mouthpiece that serves whatever their financiers tell them to do, depending on what their backers need as policy at any given period. Judging from the contents of your summary, one can easily say that this time the group they are licking the boots of is RIAA.

The Economist has been around since 1843.

It is anchored in a classically liberal and centrist tradition - and has never been particularly well-known for boot-licking.

Too often when visiting here I find evidence that the eternally adolescent geek simply can't accept that there can be a principled opposition to his own set beliefs.

Convenience?

[SgtChaireBourne]

What's convenient about electrical grid systems designed to fail? We've even had the East Coast power grid, which includes part of the midwest and Canada fall down, allegedly related to some idiot using Microsoft products in mission critical situations. We've also had extended air traffic shut downs for the world's 8th largest economy. But hey check out that spin. The headline says it's the fault of the flunky who needs to reboot the Microsoft "server" every few hours, rather than hanging up the criminals who replaced working systems with Microsoft products.

Secure systems are convenient: they work.

There do have to be consequences

[simonbp]

Before you start dismissing the article without reading it, they do have a very good point that cyberattacks by governments should have consequences for those for those governments. If Russia were to blow up the HQ of a company they didn't like, everybody would up in arms about, but if they hire a bunch of script kiddies to go in an wipe the company's server farm (effectively destroying the company), it probably wouldn't even draw a comment from the State Department. That's not a good precedent to set for the future...

Re:So you are taking Economist seriously.

[Z8]

one can easily say that this time the group they are licking the boots of is RIAA.

The Economist is the world's best weekly newspaper. If you read what they say about the RIAA, including the first article which mentions how the RIAA's agressive tactics aren't working and are a lesson to other industries on what _not_ to do, you'd know that the Economist takes a moderate view on intellectual property.

In particular, they often report on academic research showing that IP laws are too strong. For instance, this article (subscription required) called "Killing Creativity" is about how overly strong IP laws can smother innovation.