Cyber warfare and cybersecurity are the most heavily hyped threats in public policy since the war on terror began.
This morning, Prime Minister Julia Gillard toured the Cyber Security Operations Centre in Canberra to show off the new “Australian Cyber Security Centre” she is establishing. In the last two years, the war to shore up cybersecurity has been the basis for numerous policies, strategies and white papers across the world, and even an extension of the ANZUS alliance. Moreover, the media displays no scepticism in its reporting of claims about cyber attacks. Cybersecurity is also a huge industry. According to two of the best US researchers on the issue, Jerry Brito and Tate Watkins:
“The U.S. government is expected to spend $10.5 billion per year on information security by 2015, and analysts have estimated the worldwide market to be as much as $140 billion per year. The Department of Defense has also said it is seeking more than $3.2 billion in cybersecurity funding for 2012.”
Accordingly, it pays to be sceptical whenever politicians, commentators or companies talk about the massive threat cyber warfare poses. To help, Crikey has compiled a reading guide to some of the claims made both about cyber warfare and cybersecurity generally, and to some of the specific incidents that are used by advocates of “cybersecurity” …
Claim: 1982, Siberia: A major Soviet pipeline was destroyed by a CIA “logic bomb” (Thomas Reed, At The Abyss, 2004)
Reality: “There are also no media reports from 1982 that confirm such an explosion, though accidents and pipeline explosions in the Soviet Union were regularly reported in the early 1980s. Something likely did happen, but Reed’s book is the only public mention of the incident and his account relied on a single document. Even after the CIA declassified a redacted version of Reed’s source, the agency did not confirm that such an explosion occurred.” (Thomas Rid, “Think Again: Cyberwar”, April 2012.)
Claim: August 2003: The major north-eastern blackout that left 55 million American and Canadian people without power was caused in part by the “Blaster” worm
Claim: 2007: A blackout in Brazil that left millions in darkness was the result of criminal hacking of the power system
Reality: Wrong (it was soot).
Claim: 2007: Russian denial of service attacks crippled the digital economy of Europe’s most wired state, Estonia
Reality: Wrong — the attacks on networks and government websites only briefly disrupted commerce for a few days. The online services of the country’s largest bank were only taken offline for 90 minutes on one day, and two hours the next. The Estonian economy grew at 7.1% in 2007.
Claim: 2009: The US power grid was penetrated by Chinese and Russian hackers and laced with logic bombs for later use
Reality: Unverified. The only source for the article was unnamed “current and former national-security officials”.
Claim: 2009: Spies infiltrated Pentagon computers and stole terabytes of top-secret data related to the F-35 Joint Strike Fighter “potentially making it easier to defend against the craft”
Reality: Wrong. The information was unclassified data such as maintenance and self-diagnostic schedules.
Claim: 2011: The Sayano-Shushenskaya power station disaster was “an example of what could happen in a cyberattack” (Gen. Keith Alexander, head of US Cyber Command)
Reality: Wrong — the disaster was an example of what can result from poor maintenance and management: “The ill-fated turbine had been malfunctioning for some time, and the plant’s management was notoriously poor. On top of that, the key event that ultimately triggered the catastrophe seems to have been a fire at Bratsk power station, about 500 miles away. Because the energy supply from Bratsk dropped, authorities remotely increased the burden on the Sayano-Shushenskaya plant. The sudden spike overwhelmed the turbine, which was two months shy of reaching the end of its 30-year life cycle, sparking the catastrophe.”
Claim: 2010: Stuxnet is revealed — a “miracle weapon” that opened a new era of war (various, but one example)
Reality: Wrong — Stuxnet “destroyed perhaps a tenth of the Iranian centrifuges at Natanz and delayed some uranium enrichment for a few months, but the vulnerabilities it exposed were soon repaired. Its limited and fleeting success will also have led Iran to take measures to hinder future attacks.”
Claim: 2013: The number of cyber incidents is increasing (Julia Gillard, January 2013, among many others)
Reality: It’s impossible to get specific data, or the definitions on which data are based, about cyber attacks from independent sources — claims about rising attacks come from security software companies or from governments themselves. As CRN’s John Hilvert has noted, Australian cybersecurity data has been thin on the ground until DSD’s Cyber Security Operations Centre gave some figures last year (the same ones used by the PM) — but we still don’t know what constitutes an “incident”, e.g. is a hacker probing a site for a weakness, finding it secured and then moving on, an “attack”?
Because of this lack of clarity, it’s impossible to test the government’s claim that the number of incidents is on the rise. But Crikey has previously debunked a claim by the Attorney-General about rising cybercrime. Polling by Essential suggests “identity theft” that results in actual loss of money is negligible in Australia (0.6%) while around 7% of Australians had experienced some online fraud in which they’d lost money. For more serious “cyber warfare” attacks, two academics have recently tried to break down the actual numbers:
“Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. Only 20 of 124 active rivals — defined as the most conflict-prone pairs of states in the system — engaged in cyberconflict between 2001 and 2011. And there were only 95 total cyberattacks among these 20 rivals. The number of observed attacks pales in comparison to other ongoing threats: a state is 600 times more likely to be the target of a terrorist attack than a cyberattack.”
Claim: June 2012: “Cyber weapons are the most dangerous innovation of this century”, “thousands of times cheaper” than conventional armaments (Eugene Kaspersky)
Reality: “A closer examination of the record, however, reveals three factors … First is the high cost of developing a cyberweapon, in terms of time, talent, and target intelligence needed. Stuxnet, experts speculate, took a superb team and a lot of time. Second, the potential for generic offensive weapons may be far smaller than assumed for the same reasons, and significant investments in highly specific attack programs may be deployable only against a very limited target set. Third, once developed, an offensive tool is likely to have a far shorter half-life than the defensive measures put in place against it. Even worse, a weapon may only be able to strike a single time; once the exploits of a specialized piece of malware are discovered, the most critical systems will likely be patched and fixed quickly. And a weapon, even a potent one, is not much of a weapon if an attack cannot be repeated”. (Thomas Rid)
Claim: A cyber attack could send western countries back to the Stone Age (various)
Reality: “Few nations have yielded to trade embargoes alone, even to universal trade embargoes. It is unclear that a cyberwar campaign would have any more effect than even a universal trade embargo, which can affect all areas of the economy and whose effects can be quite persistent. Even a complete shutdown of all computer networks would not prevent the emergence of an economy as modern as the U.S. economy was circa 1960 — and such a reversion could only be temporary, since cyberattacks rarely break things. Replace ‘computer network’ in the prior sentence with ‘publicly accessible network’ (on the thinking that computer networks under attack can isolate themselves from the outside world) and ‘circa 1960’ becomes ‘circa 1995’. Life in 1995 provided a fair measure of comfort to citizens of developed nations.” (Martin Libicki, Cyberdeterrence and Cyberwar, RAND Corporation, 2009)