Yesterday m’colleague Bernard Keane listed in this journal “Eleven reasons to be sceptical of warnings of cyber warfare”, observing that “cyber warfare and cybersecurity are the most heavily hyped threats in public policy since the war on terror began” and that the security industry, governments and others have a vested interest in talking up the imminent danger.
He’s mostly right. Cyberwar is indeed over-hyped, and security vendors are guilty of misinformation.
Last April I interviewed Dr Thomas Rid, reader in war studies at King’s College London and one of Keane’s sources. “There has never been a casualty, there’s never been significant damage that would compare with a conventional act of war. Because of that lack of physical impact so far, I think the term ‘cyberwar’ has still somewhat of a metaphorical quality. It’s more like the War on Obesity or the War on Drugs,” he said.
Where Rid works, it ain’t a war until there’s a thousand corpses. “Cyberwar?” Call him when someone breaks an arm.
But Keane is right only to a point, and that point is the stupid term “cyber warfare”. If we drop that, and “cybersecurity” with it — the cyber prefix seems to be used non-ironically only by policymakers and the mentally feeble — and instead use more traditional terms like “information security” or even “computer security”, then we do discover that attacks are on the rise. But they’re best characterised as espionage (which is a national security issue), sabotage (which may or may not be), or crime (which probably shouldn’t be). Meanwhile, defences are broken.
So to counter Keane, 11 of my own reasons why you really do have to care about cybersecurity …
1. Mikko Hypponen, chief research officer at Finnish information security firm F-Secure, has noted that Western defence contractors such as Lockheed Martin and SAIC have been hiring thousands of people with top secret clearances to write malicious software. China, Russia, Iran and every other major player is doing the same.
2. Sabotage tools like Stuxnet, which attacked Iran’s uranium enrichment program, or espionage tools like Flame, also deployed against Iran, are certainly useless once they’ve been detected, but they’re also cheap by military standards. Hundreds are being stockpiled.
3. Flame was running loose in Middle East networks undetected for five, maybe eight years — and it’s far from being the only example. Hypponen says it represents a failure of the anti-virus industry. Sourcefire founder and CTO Martin Roesch says that many of the defences are inadequate to the task. Other technical leaders echo these comments.
4. A key cause of the failure is that firewalls and anti-virus techniques are really perimeter defences. They’re IT’s Maginot Line.
5. A cybergeddon of industrial system hacks causing the simultaneous failure of everything from power grids to railways is unlikely. For every facility you’d have to know what controller #88484 does and plan your attack. Nevertheless, these systems were never designed for security. “The problem is pervasive throughout the industry,” said James Arlen, a Canadian control system security expert, last October.
6. Countries are now prepared to do significant damage. In August 2012, Saudi oil company Saudi Aramco had 30,000 computers wiped in a way that required a technician to visit every one. It took weeks to recover. Hackers backed by Iran are blamed.
7. A Romanian gang busted in November was found with half a million Australian credit card numbers — just one example of the scale and sophistication of organised crime online. “That’s one cybergang doing one bit of cybercrookery getting away with $30 million if you don’t mind … I call that pretty draining on the economy, and I think that’s where we need to be focusing our collective efforts,” said Paul Ducklin, Sophos’ head of technology for this region.
8. In most of the industry there’s a dangerous disconnect. Vendors will tell you that security comes from buying their boxes with blinking lights and expensive consulting services. But practitioners know that humans are the weakest link, and that organisations need to develop a security culture.
9. The cultural problems even extend to major equipment manufacturers, who continue to make fundamental security mistakes — such as leaving undocumented back doors in networking equipment and even printers.
10. IT managers continue to ignore security because actually doing security is boring, at least when compared with building shiny new websites.
11. Security is really, really hard. The defenders have to imagine every possible attack and make sure they’re safe from it now — and they need to get it right every time. The attackers have to get it right just once. Penetration testers, the white-hat hackers who make sure the defences are OK, will tell you a determined attacker will never fail to find a way in — it’s just a matter of whether they’ve got the budget and patience to find that way in when the potential reward is balanced against the risk of getting caught.
Whether any of this justifies moving Australia’s geek-warriors into a new Australian Cyber Security Centre is a separate question. As I wrote at ZDNet yesterday, the Centre looks more like an election-year announceable to help Julia Gillard look tough on national security.
From the defenders’ point of view, the distinction between cyberwar and cybercrime makes little practical difference. Whatever their motive, the bad guys shouldn’t be in your network and you need to detect them and kick them out. But the distinction does become important when governments decide whether to classify the defenders as law enforcers subject to public scrutiny, or national security agents shrouded in darkness.