When it comes to cyber defence, assessing the risk of online warfare, or even of a “cyber Pearl Harbor”, as opposed to common-or-garden crime or espionage, is made more difficult by the lack of detail around cyber attacks and the conflation of unrelated attacks.
The revelations this week about “Operation Shady RAT”, the multi-year Chinese effort to spy on a host of foreign governments and corporations, plainly related to regulated security and commercial espionage. That is, it was a continuation of ordinary spying activities — particularly by China, where impressive levels of education don’t seem to have yet produced a strong culture of technological innovation — online, rather than a peculiarly online form of attack, and certainly not any “cyber war”. Specific details of that spying campaign, however, are typically scarce, because neither governments nor corporations are eager to reveal the extent to which they have been penetrated or the amount and type of information that has been stolen.
Worse is the tendency to lump together quite different forms of online activity. Take an AP article from a fortnight ago. After reporting the breathless urgency of the need to “achieve cyber security”, the report admits that in fact there’s been a significant fall in “the number of records compromised in data breaches” in the past year. Nonetheless, there were “3 billion malware attacks last year”. And the FBI, the report notes, recently arrested Anonymous members for “hacking into” PayPal’sweb site.
Not merely is the claim about Anonymous simply wrong — there was no “hacking” into PayPal’s site, but a DDOS attack — but the “3 billion malware attacks” relates to private and corporate exposure to viruses and Trojans, rather than any strategic cyber attacks or systematic espionage such as Operation Shady RAT. And the “records compromised in data breaches”? Well, if the report used by the journalist is anything to go by (it’s here, and it’s surprisingly readable), the next “cyber Pearl Harbor” is coming soon to a restaurant near you — 65% of the recorded breaches were in retail or hospitality — criminals looking for credit card or identity details. Only 4% of attacks targeted government.
That is, despite the impression conveyed by the Shady RAT revelations, the vast majority of illicit cyber activity is criminal, and has little to do with governments, let alone constituting any “cyber war”.
This dollop of cyber warfare stupidity was recycled ad nauseum by newspapers and websites across the world, including by Fairfax here, with no effort to see if its evidence or internal logic stood up, or why it conflated credit card theft with online activism, common-or-garden viruses and cyber warfare. Similarly, Lieberman’s “digital Pearl Harbor” piece conflated attacks on Sony — carried out by 1. criminals stealing data, 2. Anonymous as part of #oppayback for Sony’s persecution of the man who jailbroke the Playstation 3, and 3. Lulzsec for, well, the lulz — with the Iranian government’s successful raid on a Comodo affiliate to stealSSL certificates to enable it to pursue dissidents online and Chinese attacks (inevitably either done by or with the approval of the Chinese government) on the IMF. Then Lieberman threw Stuxnet — which was made by or with the assistance of the US government — in to top it off.
We get this lack of detail, and conflation of quite different forms of online attack to justify the call to cyber arms here as well. In a recent speech launching the Cyber White Paper, Attorney-General Robert McClelland talk vaguely about “cyber crime”, cited UK figures and placed the development of the White Paper in the context of intellectual property (i.e. the copyright industry). At least MacClelland avoided using the inflammatory rhetoric of “cyber warfare”. But judging by the vast volume of traffic, filesharing is plainly not regarded as cyber crime by most citizens, despite the best efforts of the copyright industry and its agents in government.
Even the supposed assessments of cyber warfare exercises are devoid of detail. The report from the 2010 Cyberstorm 3 exercise that was recently made public only has two — count ‘em, two — pages of text, all of which is bureaucratic boilerplate.
All this works to vague up and conflate extraordinarily different types of activity, including the translation online of traditional crimes such as fraud, and spying, with activities such as filesharing that offend a powerful industry determined to keep gouging its customers, and online-native political activism.
This may merely be the cluelessness of politicians and journalists. But it takes on a different hue when one considers the sorts of bills being put forward by governments to address cyber threats. Lieberman’s “Pearl Harbor” claim was to advance the cause of a cyber security bill before Congress that, though absent its original “internet kill switch” proposal — hastily abandoned following the Arab Spring — would give the Department of Homeland Security control over private networks and enable information sharing about users between ISPs and network operators and the DHS with no privacy protections.
In May, the infamous Patriot Act, which contains a series of assaults on the basics liberties of Americans, was extended on the eve of expiry, amid speculation the Obama administration, like that of his predecessor, was using it to justify using mobile phone data to track people.
The overriding of privacy concerns in the name of cyber security is also reflected in the new Cybercrime Legislation Amendment Bill 2011 here, designed to bring Australia into line with the draconian European Convention on Cybercrime, which allows foreign governments to demand that Australian ISPs and telcos preserve user data, including emails, voicemails and SMSs.
And readers will recall a similar process of threat conflation went on with the recently-passed “WikiLeaks” amendment extending the ability of ASIO to gather foreign intelligence, which the government justified by explaining it was designed, variously, to address the problems of weapons proliferation and illegal fishing.
The reflexive tendency of lawmakers in “cyber war” mode — similar to their reaction to terrorism — is to tighten internet controls and remove privacy protections, and hand more money to the cyber defence industry. The Lieberman bill — which is backed by the Obama administration — would require extensive use of consultants by the Department of Homeland Security — and thus more funding for industry. Insights into the operations of the cyber defence industry continue to emerge from the Anonymous crack of HBGary Federal in February, which reveal that firm’s struggles to break into the lucrative cyber security tender market overseen by the US Departments of Defence and Homeland Security.
Most recently, Barrett Brown’s research revealed a large outsourced program, Romas/COIN, to systematically spy on Arab mobile and internet users on a vast scale. HB Gary Federal of course also proposed to team with other cyber security contractors to conduct operations against domestic US targets including journalists and trade unions.
The irony is that at the same time as the cyber defence industry is enjoying a boom in government funding and cyber war rhetoric, its own vulnerabilities are being exposed like never before. HBGary Federal was merely the first of a string of cyber defence companies, including major defence contractors, law enforcement and government agencies that have been cracked or socially engineered this year. The HBGary Federal crack remains the standout in terms of information — Anonymous tends to overhype the material it frequently obtains — but the attacks have revealed widespread problems with security basics such as shared passwords or vulnerability to exploits derided by hacking veterans as “script kiddie” efforts.
The combined result is an industry sector that is being given greater power, greater access to information, including personal information, greater freedom in its activities including explicit briefs to engage in espionage, and most of all greater taxpayer funding, while there remain real questions over how secure that industry itself is.
Update: The original version of this article incorrectly stated that an Iranian attack had occurred on RSA Security to obtain SecurID okens; in fact that attack related to an affiliate of Comodo which produced SSL certificates.