“There is a cyberwar going on”, according to the UN’s telecoms boss Hamadoun Toure.
Cyber terrorism is capable of causing “mass destruction”, says former director of the FBI Louis Freeh.
Vladimir Putin, no less, thinks digital attacks could be more damaging than conventional weapons.
But so far there seem to be no human casualties from this ‘cyber war’, no physical effects from cyber terror. So why all the hype?
Dire warnings of the threat from digital attacks seem to come in cycles. The last major surge was a few months ago, in the wake of a report claiming China’s army hosted highly-organised cyber espionage gangs.
There was another a year or so back, shortly after a meeting of world leaders where collaboration on cyber defence was discussed.
This current round seems to be jointly fed by the ever-mushrooming PRISM frenzy, and recent events in Korea where squabbling between the two halves of the country spilled over into attacks on TV station and bank computer systems.
Of course, frequent comparisons have been drawn with what seems to be universally referred to as “the first real cyberwar” five years back, when physical fighting between Russia and Georgia was accompanied by some DDoS attacks and defacement of government websites.
The cyber terror side of things is generally linked back to the mighty spectre of Stuxnet, hailed by some at the time as the most sophisticated malware ever, which might possibly have broken some parts in a nuclear processing plant and may or may not have been government-sponsored.
The ex-FBI chief Louis Freeh, in an interview last week, apparently claimed terrorist hackers could do more damage than 9/11, rather tastelessly.
But again, other than the possible damage caused by Stuxnet, so far at least there’s been nothing worse than a few websites being taken down or fiddled with, some useful but not critical systems in TV stations and banks being damaged.
Admittedly, there seem to be new potential avenues for the bad guys to look at every day, from power and transport systems to hospitals to military secrets, the most recent example being weaknesses in emergency broadcast systems. But these are all potential problems, with no indication that any of them have really been blown up by their network cards.
At this rate, the war movies of the future are going to look pretty lame – the era’s equivalent of Clint Eastwood heroically taking down a webserver, blocking people from looking up which days to put their bins out and drawing a moustache on a picture of the enemy president; The Graffiti of Navarone.
So why are these big honchos getting all lathered up about an imminent danger which has so far proven rather short on actual danger?
As usual, it’s all about the money. Defense budgets run into the billions. Defense contractors, which now include IT firms of course, rake in huge amounts from their government masters, and so put heavy pressure on politicians to hype the danger and ensure increased budgets.
They also want to ensure their valuable R&D work is protected and their ideas aren’t stolen by the bad guys (aka foreign competitors), denting their hefty profits.
Cyber warriors may not sound as pricey as sophisticated modern weapons – after all, they only really need a laptop, a comfy chair and plenty of caffeine, right?
Running a cyber army is an ongoing cost though; with a nuclear missile, say, most of the cash is in upfront development and building the thing, with storage, maintenance, staff training and so on costing peanuts by comparison.
Cyber weapons tend to be less durable. You can have a team working for months on a targeted attack, investing in the most expensive bleeding-edge vulnerabilities to exploit, only to find the target has decided to move to Ubuntu and scuppered all your plans.
So you need more cyber grunts working on more scenarios, to ensure that when World War 3G does break out you have the best weapons available, each one honed to target a specific system in a specific potential enemy state and kept up to date to bypass their current security.
What we have is an everlasting arms race, the ideal situation for any arms supplier.
There’s no problem with investing in defensive measures – best practices plans, intrusion detection techniques, even attack simulations. Improvements in general security should trickle down to help us all out.
The problem is with the idea of attack forces. Their main purpose so far seems to be to snoop on foreign businesses, possibly defense contractors but really anyone with any ideas that can be ripped off. This isn’t far removed from what the bulk of cybercrime is about – again, the money.
This is another area where the politicians come under pressure from cash-rich lobbyists, to protect the intellectual property of the mega-corporations, perhaps even allow them to strike (or snoop) back.
Indeed, it’s entirely possible that the attacks and attackers so far observed, and believed to be government-sponsored, are really just more-than-usually-organised cyber crooks.
My view: Don’t believe the hype. There’s no cyber war under way. There’s not really much by way of cyber terrorism, unless defacing and DDoS-ing websites counts.
What there is is a fair amount of cyber espionage, snooping on government, corporate and personal secrets, some of it state-run (as the PRISM leaks make clear) but the huge bulk of it perpetrated with a clear profit motive, by cybercriminals, not cyber warriors.
We need to focus on stopping the crooks every way we can, with education being a big part of it. Filling people’s heads with fears of digital ninjas making our PCs ooze Sarin gas isn’t helping a bit. Unless you happen to be a fat-cat defense IT contractor of course.
Don’t have nightmares.
I don't agree with this article for reasons you mention smack dab in the middle:
Physical control systems/SCADA.
Each of those systems is tied to people's lives and can cost people their lives if they stop working, or start working in ways that they're not supposed to. You say that those systems aren't being attacked? Hospitals are breeding grounds for viruses and bot nets, emergency broadcast systems have been hacked publicly and recently, and the US has demonstrated that SCADA systems can make things spin themselves into oblivion.
We don't see these attacks in great numbers, but they're out there, and they're dangerous to ignore.
In the same vein, water supply systems, for example, are very vulnerable to attack, some local water supplies get polluted each year, and yet although there's a large potential for disaster, you don't hear of an aquawar.
The fact that there are attacks out there doesn't mean that we have a global war on our hands (just like an outbreak of SARS doesn't mean we have a pandemic on our hands).
From what I understood, the main thrust of this article was that people are getting concerned about state-sponsored digital attacks designed to kill thousands and take out infrastructure, when they SHOULD be more concerned about what's actually happening… theft and tainting of information for profit, and criminal gangs taking advantage of individuals in bulk for profit.
They aren't holding the world hostage for 1 million dollars… they're just skimming the money and secrets off the top while nobody notices*, and letting the global economy continue to support them in the manner to which they have become accustomed.
In short, none of the current big players (government, multinational corporations, organized crime) really have incentive to destroy the global economy with a "cyber attack" — they just want a bigger piece of the economic pie, and more hooks into the control structure.
*or very few notice, and aren't about to bring it to public view.
There is certainly something in the idea that the hype is generated by security consultancies for their own ends but the NSA and GCHQ (at least) are sufficiently alarmed by the level of state sponsored hacking to spend large sums anyway. They didn't need the Mandiant report to persuade them – they'd almost certainly come to the same conclusions and more, quite some while ago.
However, whereas cyber-warfare is a real potential threat, I don't believe it's more. But neither side can be sure, so of course they will invest heavily in both defensive and offensive capability because the impact of getting it wrong could be very high. You could see the same thing in the Cold War when the military invested in parapsychology, not that they seriously believed in it, but if it had turned out to be real and the other side mastered it first …
The reason why I don't believe the threat of a major cyber-war is real is that national economies are too tightly interconnected, so you can't hurt your enemy without hurting yourself. Thomas L. Friedman postulated that there's never been a war between two nations both having a McDonalds in their capitals, and whilst probably not quite true, it illustrates the point. China needs us to continue buying all those iThingys and what-nots they manufacture, so they're not going to turn the lights out in London. To do so would hurt their own interests as well as ours, quite apart from the complete uncertainty as to what reaction it might solicit.
I've heard it suggested that they might want to turn the lights out in London, just for an hour or two, to force a diplomatic point. And very likely, they could turn the lights out in London, but they'd never be able to turn them back on again because that would need a huge amount of coordination between many different control centres. It's easy to smash an egg, but you can never put it back together again. Like chemical and biological weapons, once a cyber-attack is launched, it's out of control. It's fire and forget – forget about any chance of de-escalation.
The threat we do have to be concerned about, though, is from rogue states such as N Korea and Iran, which are not tightly bound into the world economy. For the present, at any rate, whatever capability they have (and I wouldn't belittle it), my guess is that Western government agencies could match it and either neutralise it or deliver a heavy counter-blow. Nevertheless, the threat from a long range nuclear-tipped N Korean missile any time in the next 10 years is probably matched by the threat of a cyber-attack from the same quarter.
"…but really anyone with any ideas that can be ripped off."
That. Right there. It's the most profound statement in the entire article. In fact, it demonstrates that there is a war, despite the article's (justifiable) attempt to quell any potential waves of panic or hysteria.
In fact, the war has been going on for so long that the vast majority of people are inured to it. But it's nonetheless real. It's the war on innovation by thieves who value other people's ideas enough to steal them, but don't value their own self-esteem and integrity enough to pay for them.
Theft of ideas is an epidemic. As far as I can tell, most people accept it as a fact of life…something inevitable, something unpreventable. That's where the problem starts.
With regards to cyber warfare targeting critical infrastructure, there is an obvious threat but one which must be taken in the context of the broader HLS landscape. Each year, storms, tornadoes, and hurricanes physically destroy large swaths of our infrastructure from power lines, to roads, to bridges, etc.
Hurricane Sandy knocked out power for the NY metro area for about 11-13 days. The 2003 Blackout only disabled systems for <48hrs. There was no armageddon, there was no collapse of civil society. Even in the case of Hurricane Katrina in which local governance did fail for some time in the immediate aftermath, the city is up and running again and the country as a whole was only marginally affected.
The power system which everyone frets about is actually remarkably resilient. It may not be secure from attack, natural or manmade, but we have gotten used to having to replace these systems and thus life can go on.
The financial market is much more fragile and susceptible to attack, with the slightest glitch causing billions to evaporate. However, things involving money are probably some of the most well guarded items in the country in terms of cyber security.
It’s also political. No one wants to flush their career down the drain by refuting the importance of “cyber”-whatever. All it takes is one incident and they’re torpedoed. The old Pascal wager in action.
How many of you remember the documentary about cyber attacks that shows items like generators being unbalanced by software or nuclear fuel centrifuges doing the same? So much is controlled by software and a change can happen very quickly. I have no doubt that it will happen in some sort of altercation.
One of the problems that I see is controlling the attack; it is like a biological virus that gets out of control. How do you prevent it from infecting your own devices? Released on a platform that can communicate with others may well return to bite you back…
Jack
The article is too dismissive of the problem.
As Mark Twain said, progress is not nearly as important as direction.
The direction in cyberwar and cyber threats is very troubling.
In strategic weapons and strategic defense there is a fine line between being secure and suffering catastrophic loss.
Just ask the survivors of Hiroshima and Nagasaki.
A nuclear weapon wasn't possible, until it was.
Or the Maginot line. Kept the peace between France and Germany, until it didn't.
The Maginot Line itself might indeed have stopped a frontal assault, WW1 style, but when Germany was ready to make war, they simply did an end run around it, through The Netherlands and Belgium. You know the old maxim about generals preparing to fight the next war using the strategy and methods of the last war. The Germans re-invented warfare as a highly mechanized, highly coordinated blitzkrieg, and no one was ready for it.
If there's a lesson there in the ongoing cyber-war, it might well be that much of what we do in "protecting" against cyber-attacks is reactive rather than proactive. In that sense, much of what we do is like preparing for the next attack based on what happened in the last one.
I suppose it's the nature of these attacks that we don't know how (or when) they'll happen, because the bad guys aren't even visible, like weapons and munitions factories, and large armies showing their hand across two years (Austria, Czechoslovakia, Poland) before they attack us.
Consequently, we're always on the defensive, trying to lock down and bulletproof our systems, and where possible anticipate the attacks, often thanks to the efforts of a small army of independent white hat researchers. But the cyber-war provides no opportunities like the one the western allies blew in NOT preventing Hitler from occupying the Rhineland, when victory would have been "sure and not too costly", as Churchill wrote.
It seems to me that there has been an alarming lack of security preparedness and vigilance on the part of people who should know better. Google and Apple have been hacked; Tumblr (now a Yahoo property) screwed up big-time; Sony has compromised the security of millions of its customers…and the list goes on.
Are they all complacent? Probably not, but that's the point. You don't know how exposed you are until someone finds a hole. Assume nothing. Until human nature changes (don't hold your breath), the price of security will continue to be eternal vigilance.
I maintain a document server for a fixed group of users who are in geographically diverse locations. A few days ago, Little Snitch (a network monitoring app for OS X) displayed a dialog on my server host reporting that someone from IP address “219.159.(remainder redacted)” was trying to access the server. A quick whois lookup revealed that the IP address was located in China.
I have no users who are located in China.
The connection attempt was the equivalent of some scumbag walking around the neighborhood trying doors to see if any are unlocked, so he can walk in, look around, and steal whatever looks appealing.
Oh, it's war, all right. Don't doubt it for a minute. Complacency and assumptions don't work. Keep your towel handy and Don't Panic, but be prepared, stay alert, and above all educate yourself about what it means to be a responsible computer user.