tip off

Eleven reasons to be sceptical of warnings of cyber warfare

A new “Cyber Security Centre”? Do we really need it? Crikey’s Canberra correspondent details why you shouldn’t believe the hype on the risks of cyber warfare and cybercrime.

Cyber warfare and cybersecurity are the most heavily hyped threats in public policy since the war on terror began.

This morning, Prime Minister Julia Gillard toured the Cyber Security Operations Centre in Canberra to show off the new ”Australian Cyber Security Centre” she is establishing. In the last two years, the war to shore up cybersecurity has been the basis for numerous policies, strategies and white papers across the world, and even an extension of the ANZUS alliance. Moreover, the media displays no scepticism in its reporting of claims about cyber attacks. Cybersecurity is also a huge industry. According to two of the best US researchers on the issue, Jerry Brito and Tate Watkins:

The U.S. government is expected to spend $10.5 billion per year on information security by 2015, and analysts have estimated the worldwide market to be as much as $140 billion per year. The Department of Defense has also said it is seeking more than $3.2 billion in cybersecurity funding for 2012.”

Accordingly, it pays to be sceptical whenever politicians, commentators or companies talk about the massive threat cyber warfare poses. To help, Crikey has compiled a reading guide to some of the claims made both about cyber warfare and cybersecurity generally, and to some of the specific incidents that are used by advocates of “cybersecurity” …

Claim: 1982, Siberia: A major Soviet pipeline was destroyed by a CIA “logic bomb” (Thomas Reed, At The Abyss, 2004)

Reality: “There are also no media reports from 1982 that confirm such an explosion, though accidents and pipeline explosions in the Soviet Union were regularly reported in the early 1980s. Something likely did happen, but Reed’s book is the only public mention of the incident and his account relied on a single document. Even after the CIA declassified a redacted version of Reed’s source, the agency did not confirm that such an explosion occurred.” (Thomas Rid, “Think Again: Cyberwar”, April 2012.)

Claim: August 2003: The major north-eastern blackout that left 55 millions American and Canadian people without power was caused in part by the “Blaster” worm

Reality: Wrong.

Claim: 2007: A blackout in Brazil that left millions in darkness was the result of criminal hacking of the power system

Reality: Wrong (it was soot).

Claim: 2007: Russian denial of service attacks crippled the digital economy of Europe’s most wired state, Estonia

Reality: Wrong — the attacks on networks and government websites only briefly disrupted commerce for a few days. The online services of the country’s largest bank were only taken offline for 90 minutes on one day, and two hours the next. The Estonian economy grew at 7.1% in 2007.

Claim: 2009: The US power grid was penetrated by Chinese and Russian hackers and laced with logic bombs for later use

Reality: Unverified. The only source for the article was unnamed “current and former national-security officials”.

Claim: 2009: Spies infiltrated Pentagon computers and stole terabytes of top-secret data related to the F-35 Joint Strike Fighter ”potentially making it easier to defend against the craft”

Reality: Wrong. Information was unclassified data such as maintenance and self-diagnostic schedules.

Claim: 2011: The Sayano-Shushenskaya power station disaster was “an example of what could happen in a cyberattack” (Gen. Keith Alexander, head of US Cyber Command)

Reality: Wrong  — the disaster was an example of what can result from poor maintenance and management: “The ill-fated turbine had been malfunctioning for some time, and the plant’s management was notoriously poor. On top of that, the key event that ultimately triggered the catastrophe seems to have been a fire at Bratsk power station, about 500 miles away. Because the energy supply from Bratsk dropped, authorities remotely increased the burden on the Sayano-Shushenskaya plant. The sudden spike overwhelmed the turbine, which was two months shy of reaching the end of its 30-year life cycle, sparking the catastrophe.”

Claim: 2010: Stuxnet is revealed — a “miracle weapon” that opened a new era of war (various, but one example)

Reality: Wrong  — Stuxnet “destroyed perhaps a tenth of the Iranian centrifuges at Natanz and delayed some uranium enrichment for a few months, but the vulnerabilities it exposed were soon repaired. Its limited and fleeting success will also have led Iran to take measures to hinder future attacks.”

Claim: 2013: The number of cyber incidents is increasing (Julia Gillard, January 2013, among many others)

Reality: It’s impossible to get specific data, or the definitions on which data are based, about cyber attacks from independent sources — claims about rising attacks come from security software companies or from governments themselves. As CRN’s John Hilvert has noted, Australian cybersecurity data has been thin on the ground until DSD’s Cyber Security Operations Centre gave some figures last year (the same ones used by the PM) — but we still don’t know what constitutes an “incident” eg: is a hacker probing a site for a weakness, finding it secured and then moving on, an “attack”?.

Because of this lack of clarity, it’s impossible to test the government’s claim that the number of incidents is on the rise. But Crikey has previously debunked a claim by the Attorney-General about rising cybercrime. Polling by Essential suggests “identity theft” that results in actual loss of money is negligible in Australia (0.6%) while around 7% of Australians had experienced some online fraud in which they’d lost money. For more serious “cyber warfare” attacks, two academics have recently tried to break down the actual numbers:

Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. Only 20 of 124 active rivals — defined as the most conflict-prone pairs of states in the system — engaged in cyberconflict between 2001 and 2011. And there were only 95 total cyberattacks among these 20 rivals. The number of observed attacks pales in comparison to other ongoing threats: a state is 600 times more likely to be the target of a terrorist attack than a cyberattack.”

Claim: June 2012: “Cyber weapons are the most dangerous innovation of this century”, “thousands of times cheaper” than conventional armaments (Eugene Kaspersky)

Reality: “A closer examination of the record, however, reveals three factors … First is the high cost of developing a cyberweapon, in terms of time, talent, and target intelligence needed. Stuxnet, experts speculate, took a superb team and a lot of time. Second, the potential for generic offensive weapons may be far smaller than assumed for the same reasons, and significant investments in highly specific attack programs may be deployable only against a very limited target set. Third, once developed, an offensive tool is likely to have a far shorter half-life than the defensive measures put in place against it. Even worse, a weapon may only be able to strike a single time; once the exploits of a specialized piece of malware are discovered, the most critical systems will likely be patched and fixed quickly. And a weapon, even a potent one, is not much of a weapon if an attack cannot be repeated”. (Thomas Rid)

Claim: A cyber attack could send western countries back to the Stone Age (various)

Reality:Few nations have yielded to trade embargoes alone, even to universal trade embargoes. It is unclear that a cyberwar campaign would have any more effect than even a universal trade embargo, which can affect all areas of the economy and whose effects can be quite persistent. Even a complete shutdown of all computer networks would not prevent the emergence of an economy as modern as the U.S. economy was circa 1960 — and such a reversion could only be temporary, since cyberattacks rarely break things. Replace —  computer network in the prior sentence with —  publicly accessible network (on the thinking that computer networks under attack can isolate themselves from the outside world) and — circa 1960 becomes — circa 1995. Life in 1995 provided a fair measure of comfort to citizens of developed nations.” (Martin Libicki, Cyberdeterrence and Cyberwar, RAND Corporation, 2009)

14
  • 1
    Simon Mansfield
    Posted Thursday, 24 January 2013 at 2:18 pm | Permalink

    Take a look at the Crikey server’s secure and message logs - they will be filled with break in attempts from China. Nowadays 99% of brute force attacks come from China. To the point where it’s probably a good idea to simply block China IPs completely and leave the Middle Kingdom behind the firewall.

  • 2
    Gail
    Posted Thursday, 24 January 2013 at 3:19 pm | Permalink

    This release from the PMs office today is claiming 5.4 million Australians “fell victim to” cyber crime in 2012 at an estimated cost of $1.65 billion. Where do these figures come from? If 80% of Australian adults have internet access and there are around 11 million homes with internet connections, unless my maths is failing me, those 5.4 million victims would be between 30% and 50% of the internet using adult population. I simply don’t believe it….sorry!!

    No definition of what cyber crime is comprised of - data leaks, failed corporate security or counting of IP numbers from spam operators? Could be anything really.

    Release is here
    http://www.pm.gov.au/press-office/australian-cyber-security-centre

    I think there may be a few too many external consultants with shiny power point presentations around and not enough real research or use of ACMA’s own published data.

    ACMA reports with lots of stats (and they publish heaps of information) are here
    http://www.acma.gov.au/WEB/STANDARD/pc=PC_311301

  • 3
    Harry Rogers
    Posted Thursday, 24 January 2013 at 5:52 pm | Permalink

    Simon,

    Nowadays 99% of brute force attacks come from China.”

    Some evidence please.

  • 4
    Mike Flanagan
    Posted Thursday, 24 January 2013 at 6:23 pm | Permalink

    Google ‘CIA” Harry

  • 5
    john2066
    Posted Thursday, 24 January 2013 at 7:25 pm | Permalink

    yep, its all bullshit, designed to hype up the security services budget. When there is an actual cybersecurity intrusion, they do nothing, and never prosecute anyone. Bit like the rubbish overpriced ‘report’ Robert Cornall and Rufus Black did on ASIO, just lots of pompous windbaggery pumping up threats to keep the well paid jobs coming.

  • 6
    john2066
    Posted Thursday, 24 January 2013 at 7:32 pm | Permalink

    This national security rot is all rubbish!

  • 7
    Simon Mansfield
    Posted Thursday, 24 January 2013 at 8:40 pm | Permalink

    Easy Harry - look at any secure log file - it’s filled with brute force attacks from China. Crikey.com.au servers will show that - especially given its a subscription service with passwords involved. On our servers we ignore most attacks - except when they overload SSH and make our own access slow - then you go in find the offending IP and block it. Boring stuff. But almost in every case it’s some twerp out of China.

  • 8
    Ramsay Smith
    Posted Friday, 25 January 2013 at 8:48 am | Permalink

    The threat is real - speak to any Whitehat hacker, and they will explain how incredibly easy it is to break into systems, and leave absolutely no evidence that you have done so. Most of the reported instances are where hackers have made mistakes, or been sloppy - and any specialist in this field will state that protection is a moving target - once you block and fix an access method, they simply try another route.

  • 9
    alistairj
    Posted Friday, 25 January 2013 at 9:55 am | Permalink

    3.2 BILLION Defence wants? that’s a lot of infrastructure that the citizenry wont get- this whole issue smacks of Y2K and the chicken little cry that made some glib geeks a lot of money, for no good reason. Cheap encyrption exists for ultra sensitive data- the rest should take its chances- opaque fear porn is the staple of too much of our public policy.

  • 10
    Harry Rogers
    Posted Friday, 25 January 2013 at 10:51 am | Permalink

    Ignoring hyperbole (typically used in politic relating to security) AlertLogic in 2012 identified the source (IP address) of attacks as spread over 165 countries USA 33%,China 16%,Germany 3%, India Korea and Russia 8%.

    If you are going to argue against these pathetice laws get some facts to back up your statements.

    Some more facts tell me how many times any attack has succeded against 256 bit encryption??

  • 11
    Simon Mansfield
    Posted Friday, 25 January 2013 at 12:04 pm | Permalink

    Harry - in my direct experience - I rarely see a brute force attack from a US IP. My guess is those numbers relate to DOS attacks rather than SSH dictionary attacks - which is what I was specifically referring to. I’d be interested to see an analysis of the Crikey log files - I’d be amazed if more than a handful of SSH attacks were from the US - and instead the vast majority would from come IPs in China. Do you have a URL reference for those numbers - I could not find such in any google search

  • 12
    Harry Rogers
    Posted Friday, 25 January 2013 at 4:26 pm | Permalink

    Simon,
    The paranoia regarding China is typical government hype. Russia and a few other countries are much more educated in the computer industry and are often paid by government to formulate viruses.

    One wonders just what simple software security measures the Australian government dont install! Perhaps intead of the millions spent on other rubbish how about a couple of classes in very simple computer security.

    BE AMAZED

    The PDF report is here:
    http://www.rackspace.com/knowledge_center/whitepaper/alert-logic-state-of-cloud-security-report-fall-2012

  • 13
    Redolent
    Posted Saturday, 26 January 2013 at 9:29 pm | Permalink

    Thank you Bernard, I will now take as fanciful my IT department’s warning that our server has been yet again compromised from within the Middle Kingdom… Is this mendacity pure job-justification and analogous to the cultural and creative industries as reported within this website? I can see it now, flustered Arts graduates putting down their ‘Idiots Guide to HTML’ and instead picking up a John Le Carre novel - a cunning plan indeed to which I will no longer put up with, up with which I will no longer put!

  • 14
    Greg Crikeydotcom
    Posted Tuesday, 29 January 2013 at 1:19 am | Permalink

    Yeah, and what about all the money we spend on guns, tanks, submarines, etc. when there’s never any countries trying to invade us? What a waste.

    Although, we do use alot of that hardware for “offencive defence” in other countries, in order to make the world a more stable place.

    Perhaps some of this cyber-warfare defence money will also be used in pro-active defence measures. Pity I got such a big mouth, I could use some of ASIO’s money.

Womens Agenda

loading...

Smart Company

loading...

StartupSmart

loading...

Property Observer

loading...