Slashdot Mirror
Threat of Cyberwar Is Over-Hyped
nk497 writes "A new OECD report suggests the cyberwar threat is over-hyped. A pair of British researchers have said states are only likely to use cyberattacks against other states when already involved in military action against them, and that sub-state actors such as terrorists and individual hackers can't really do much damage. Dr. Ian Brown said, 'We think that describing things like online fraud and hacktivism as cyberwar is very misleading.'"
Good thing the US isn't at involved in any military action with anyone.
Oh wait. is that WoT thing still going?
Perhaps the "movie science/actual science" effect is going on here...example: people see "Hackers", and think that's what "hacking" is. People then see either a script kiddy in their mom's basement or a government techie with sky-high stacks of paper on his desk (or working at a scarily-clean desk), and realize the actual act is pretty damn boring.
Living With a Nerd
Yes, describing fraud and hackivism as cyber war is misleadg.
No, it's not over-hyped.
Cyber-war is cheap, the knowledge on how to do it is free, and it doesn't need to take much manpower, as compared to conventional war.
The Kruger Dunning explains most post on
There's no real threat of cyberwar. And there's no real threat of me being blown by an airplane terrorist. But that's completely irrelevant for government leaders desiring to control everything within their sight.
So enjoy your slef-portrait porn, scanner-induced skin cancer, your breast/penis fondling by the SA, and the eventual limitations placed upon the internet/free speech. It's inevitable.
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Perhaps they are unaware that the US and Israel have just recently made a computer attack against Iran, where there is no actual military confrontation.
I guess they didn't read yesterday's new york times: http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
Story at 11!
sub-state actors such as terrorists and individual hackers can't really do much damage.
Considering the presence of many brands of botnets for hire, I'd strongly disagree with that. Anyone with the cash can launch a cyber-attack.
Or look at what "Anonymous" has been doing lately. Or are they a state now?
I work for the Department of Redundancy Department.
Is that the term "cyberwar" is pretty stupid. In fact, it isn't just stupid, it is so misleading(intentionally or otherwise) that letting it slip into your lexicon makes you dumber.
"war" carries with it a strong series of historical associations, lessons learned, rules of thumb, rules, likelihoods, etc. Virtually none of them really map all that well into the area of computer security. If you use the term "cyberwar", though, you are implicitly trying to mash those (comfortingly familiar) concepts into a badly-fitting new environment. In a much less serious vein, this is why most movies that feature a "hacking" sequence usually make hacking look like beating a video game- because video games are "computery"; but they work very hard to simulate familiar rules.
Electronic attacks are a costly problem and, if some idiot connects the wrong control systems to the internet, or a laptop to the wrong control systems, potentially a dangerous one; but trying to map them into the historical concepts of "war" just doesn't work very well.
The cyberwar is already ON between state actors. Stuxnet, for instance. Certainly targeted at Iran, almost certainly developed by the US, Israel, or both. There's the attack on Google and other non-Chinese companies from China in 2009 as well.
IMO, now that Stuxnet has paved the way, we WILL see cyberterrorism directed at other SCADA systems.
Granted that Cyberwar (sound of clashing cymbols) is overhyped, but a key assumption in this article is that governments and key private organizations (power grid operators, network operators, etc) are doing everything they can to protect their systems. I find this assumption to be laughably naive. The point to be made here is that cyberwar is often used as a bludgeon to obtain resources, or persue hackers in court (Wikileaks, anyone?), and is a bit over-hyped. There are, however, clear dangers in this area which can be avoided if prudent steps are taken (not putting power-grid controlling on the Internet, for example). Given the US's penchant for letting private industry do what it wants, and given that private industry only cares about this-quarter bottom-line earnings, I still see even the "small fry" identified in this article as being capable of some nasty mischief.
I mean their example of what they consider cyberwar is the estonia thing, which pretty much means they couldn't have done much research considering the US and China have been battling it out for well over 10 years.
But beyond that, they're economics professors! Why do educated people try to convey messages about stuff they're not educated in? Isn't that how the whole 'thermite did 9/11' thing started? By not realizing that thermite is more or less a fancy word for 'finely crushed aluminum', sorta like what you would expect to find at a plane crash !
even more absurd is that they wont end up eating the words that non-nation-states couldn't be effective in this arena. I think they think it requires multi-billion dollar rocket research or something.
states are only likely to use cyberattacks against other states when already involved in military action against them
Ho, that's rich! There is speculation that the U.S. and Israel are behind Stuxnet which is dedicated to screwing up Iran. And why not? Why wait until military action? In fact in this case if you can screw the Iran infrastructure up enough, you may not even need to have a military action against them.
Also a lot of this depends on your definition of cyberwar.
China is doing the smart thing right now by backing cyber attacks against the US infrastructure. Before engaging an opponent, it's good to know their weaknesses. The US government uses a lot of Microsoft products as does China now. (China bought shared source years ago). If I were the Chinese I would be setting up servers and hacking them down just to record things like recovery time, etc.
This ain't your daddy's cyberwar. It's all about probing and sizing up an opponent these days.
Since the news media likes to repeat the same thing over, and over, and over, just about anything that hits the national press is either over-hyped or about to be over-hyped. That's just the way it is. Cyberwar is no different.
Oh come now, we need all the hype to keep our unsatisfactory, unhappy, dull and routine days mildly entertaining. Media sensationalism is the new opiate of the masses. How dare a research study take that away from us, by blatantly stating facts?!
I guess they didn't read yesterday's new york times:
http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
No.
So, who was actually hurt? Were there any casualties?
No one was hurt. Most Persian civilians went about their business. The Government had one of their projects set back. BFD.
Comparing that to war just dilutes what war really means just as much as the "War on Drugs", "War on Terrorism", and every other hyperbolic statement made by media, government and anyone else who has an agenda - like computer security people selling their services and wares.
Sorry, we already have a counterexample in Stuxnet: a highly enginnered, highly malicious 'cyber-warface' class attack, launched outside of open hostilities with the intended aim of destroying portions of the target's infrastructure.
Stuxnet has now said 'if you don't get caught, its open season'.
Test your net with Netalyzr
Wait...are they saying that the media over-hyping something so that people constantly feel that there is/are imminent threat(s)? Sounds totally different than the war on drugs/terror/immigration/[insertscarythinghere]!
"Hey, look at us, we have a report."
The cost of securing is much greater than the losses will ever be. There's good money to be made and jobs to be created on both sides.
Why the hell would states restrict usage to conflicts that they're already prepared to engage in with conventional militaries? Dr. Brown himself admits that it's hard to tell the source of an attack, which creates plausible deniability for a state actor to engage in all sorts of conduct they otherwise might not get away with, including (potentially) both of the attacks Brown mentions which might have involved Russia, and all of the Chinese attacks against the US for the past 2 or 3 years, and of course Stuxnet. Why would countries turn down an opportunity to use these types of attacks on their enemies? Just because they're not officially fighting? Yeah, right. Granted cyber-warfare is much more likely to be used for black ops than for a full-scale long-term attack on another country's infrastructure, but that's warfare too. It's "unconventional warfare", but warfare nonetheless.
"I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
So what happens 20 Years from now when we all have robots connected to the internet living in our offices and houses?
Would be a much better name for it. Infact I would go as far as to call it espionage.
Nothing to see here, move along, your unsecured networks are perfectly safe as they stand.
I swear to God...I swear to God! That is NOT how you treat your human!
Do they mean like when, during the incident in Georgia, Russian hackers brought down the primary bank used by most Georgians for about a week? Look at what happened at 9/11. In physical terms, the damage was slight. A couple planes, a few buildings, and several thousand people gone. The actual act didn't really affect anything. It was the response generated by the attack-the fear, the anger-that prompted the stock market to drop, and the US to invade 2 countries. Terrorists do not care about physical damage, they go after symbolic targets that will create the most psychological damage. Say al-Qaeda brought down Bank of America's online systems for a few days. Economically it would not have much of an impact overall. However, it would shake people's confidence in the system, cause huge overreactions, and the damage would come not from the attack but from the response.
Consider this example: you want to attack the population of a walled city, and you have something that will make a water supply useless. What is going to have the bigger impact, poisoning the stream that runs by the walls, or poisoning the well in the middle of the town? With cyber attacks, a terrorist can essentially do this without ever having to set foot inside the walls. You want to really cause problems in the US and the rest of the West? You don't attack an embassy, or a military convoy. You don't even have to directly, physically attack the civilian populace. You simply attack their wallets. Make people worried that they can't get to their money, and you will have caused real problems.
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
If "Cyberwar" is war, then we should bomb China?
Or Iran has justification to bomb Israel and the US?
Anyone who leaves their machines open to invasion deserve what they get. My machines are well protected and will never be &*^#&%^#&
Buy our H3RB4L V14GR4. Is the bestest availleable.
Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
Where's my check?
it's not overhyphed
I'm glad someone's already mentioned the Georgian incident
it seems how little of an idea people have how much countries depend on electronic means to communicate
you nuke a country's comms in some shape or form, you can march right in and start to claim while they can't even holler for backup
And this is why it is still in use. It's about TV specials, movies, and instilling enough fear to protect government IT sector jobs -and thus necessitating the lumping of enough bad guys together to justify contractor expenditures.
states are only likely to use cyberattacks against other states when already involved in military action against them
Well Stuxnet has already blown that theory. Network intrusions and system compromises are only part of the equation. Cyber espionage is alive and well and extremely prevalent. The only difference between a cyber-attack and cyber-espionage is whether you're just stealing valuable info or actively damaging things. China is only interested in acquiring technical knowledge at this point. Also by quietly exfiltrating data as they are, it makes it much harder to find out just how deep they are. If they start breaking things, their methods and access gets discovered. Better to be quiet and maintain access in case they want to turn malicious and actively disrupt things..
I wish the Chinese or some other capable country for that matter, would hack into the credit card companies and wipe away people's debt. That would sure cause serious trouble -- not to mention dancing in the streets -- because the companies weren't paid real money.
...also apply to what the authors discard as "less capable states and sub-state actors".
First, there are plenty of non-states that would like to, and indeed are this moment planning to, cause harm to the United States, its people, and other nations that are generally considered our allies. Even some that are not. This motivation has, in the past, been expressed by actions that are not those of a conventional military, nor of even fairly unconventional war. Trying to dismiss 'cyberwar' as something that is not likely because it would not be termed 'war' misses the point and wastes my time.
War by technical manipulation of the Internet, etc., would be damaging, and it is not inconceivable that it could cost lives directly and indirectly. This meets any definition of war that I'm interested in working with. Parsing the words will not change the outcomes, so let's stop that, ok?
And it should be obvious that adversaries that are not 'states' will certainly not be less motivated to do us harm by 'cyberwar' means just because such means don't involve massive visible, physical damage and attendant casualties. Indeed, many will see this as a method that can yield them substantial gains for what is limited exposure to retaliation.
I'm left thinking that not only do many Slashdotters buy into this 'no cyberwar threat' campaign, but that our leaders may. Discounting a new weapon is not a good military strategy. Perhaps we won't be using guns and bullets to fight this fight, but actually a well-placed explosive could isolate any number of cyberwar forces if they are limiting themselves to their home states. Needless to say, these combatants will be dispersing themselves to avoid being cut off, literally, from their battlefield. Finding them will be the challenge. Deflecting and mitigating the attacks will be needed, but finding the actual perpetrators will be a challenge. The question will be if this is necessary.
deleting the extra space after periods so i can stay relevant, yeah.
you don't want your friends to see you on one...
Who would admit to Windows on industrial controllers? It is embarrassing, to say the least.
emacs -batch -l CYBERWAR #You have joined WAR WITH CHIRAN >Attack Router You find yourself in a very cold room with lots of wires there is an Ogar guarding the door >Attack Servers You begin to attack servers, and notice a Firwall intrusion alert. As you try to block it, you are logged out of the remote host. You are dead. You have scored 0 out of a possible 90 points.
I've always thought, wrongly perhaps, that 'Cyberwar' which supposedly only includes actions that take place on the internet, is actually something that's been done for a while. It was/is known as 'Electronic warfare'.
Jamming transmissions of various sorts while maintaining your own working network for battlefield communications, among other things.
The two things seem to go hand in hand to me as being high tech, spooky type stuff. Maybe I've been watching too many movies, and playing too many video games. lol.
BUT...if the US was to attack a nation of significant technical prowess, you can bet your ass there will be some 'cyber-E-war' involved. Whatever it takes basically. This also works in reverse...
Maybe someone just needs to come up with a less cheesy term for it? The word Cyber is thrown around way too much. Cybersex and Cyberwar are just too close for comfort IMHO.
The threat of "cyber-" anything is overhyped.
Ya think!? Seriously, the thing that concerns me the most is very caustic blend between any give management team and IT. I've been around a long time and have seen way too many occurances of exceptions in Infosec that are just unbelievable. I just recently had to make a payment on something and asked the bank how I could contact someone to arrange the details. I got a nice little e-mail from someone in management that I could call anyone with the payment details or I could just "e-mail" my name cc#, cvc, and exp date of my card. What? Are you kidding? A financial institution and a management person committing the cardinal sin of the banking business? I am still highly PO'd and still wondering what the F to do with that. I'd like to make an example out of all of this, but I fear I am much to small to have a big enough voice. However, if the very people we expect to maintain our financial information can't; how are we to expect anything more from anyone else unless there is a price to pay for such lunacy. Back on track, the reason we are so hackable; there is no accountability except for those poor folks in the basement trying to secure things. The public side doesn't give a sh*t, management doesn't until they are embarrased, and the guy in the basement turning the gears loses his/her job. The American way, no?
Online fraud is not usually terroristic. I have no issue at all with that. But when the combined effect of online fraud is considered it places a huge economic burden on some nations. Sex sites are similar. By themselves those sites are harmless. But the combined effect is eating half of the net alive. The power use for sex sites alone is a burden on society. So to what degree do we know that foreign powers are involved in promoting such things with war like intentions?
StuxNet is only a glimpse of the big picture. There are others used at defense & aerospace systems. See Slide #37:
http://events.ccc.de/congress/2010/Fahrplan/attachments/1767_SAP_SECURITY-Ertunga_Arsal-Rootkits_and_Trojans-SLIDES.pdf
> Oh wait. is that WoT thing still going?
Yeah, I think they are still making Wheel of Time books, but what's that got to do with anything?
"A pair of British researchers have said states are only likely to use cyberattacks against other states when already involved in military action against them"
That is a ridiculously stupid assertion.
IANAG, and...
I haven't studied every war in history but I'm pretty sure they all
started when "another state" instigated military action. Now the
journalistic view of a war starting is a jet taking off or a tank rolling
into town. But it can just as easily be started by someone hitting the
ENTER key.
Best thing you could do for your war is to do some meat tenderizing
on every computer system you can gain access to, immediately
preceding a military movement into another territory. Keep them
imbalanced and busy. Potentially blind. If you knock their internet
off, no tweeting/email/FB about the insurgency, etc. Keep the civis
in the dark.
I have no reason to believe that "CyberWarfare" won't be just as
an effective tool in the WarToolChest as any other society disrupting
attacks.
-AI
For me, it is far better to grasp the Universe as it really is than to persist in delusion
Instead, you can catch it on alt.com
Be seeing you...