“There is a cyberwar going on”, according to the UN’s telecoms boss Hamadoun Toure.
Cyber terrorism is capable of causing “mass destruction”, says former director of the FBI Louis Freeh.
Vladimir Putin, no less, thinks digital attacks could be more damaging than conventional weapons.
But so far there seem to be no human casualties from this ‘cyber war’, no physical effects from cyber terror. So why all the hype?
Dire warnings of the threat from digital attacks seem to come in cycles. The last major surge was a few months ago, in the wake of a report claiming China’s army hosted highly-organised cyber espionage gangs.
There was another a year or so back, shortly after a meeting of world leaders where collaboration on cyber defence was discussed.
This current round seems to be jointly fed by the ever-mushrooming PRISM frenzy, and recent events in Korea where squabbling between the two halves of the country spilled over into attacks on TV station and bank computer systems.
Of course, frequent comparisons have been drawn with what seems to be universally referred to as “the first real cyberwar” five years back, when physical fighting between Russia and Georgia was accompanied by some DDoS attacks and defacement of government websites.
The cyber terror side of things is generally linked back to the mighty spectre of Stuxnet, hailed by some at the time as the most sophisticated malware ever, which might possibly have broken some parts in a nuclear processing plant and may or may not have been government-sponsored.
The ex-FBI chief Louis Freeh, in an interview last week, apparently claimed terrorist hackers could do more damage than 9/11, rather tastelessly.
But again, other than the possible damage caused by Stuxnet, so far at least there’s been nothing worse than a few websites being taken down or fiddled with, some useful but not critical systems in TV stations and banks being damaged.
Admittedly, there seem to be new potential avenues for the bad guys to look at every day, from power and transport systems to hospitals to military secrets, the most recent example being weaknesses in emergency broadcast systems. But these are all potential problems, with no indication that any of them have really been blown up by their network cards.
At this rate, the war movies of the future are going to look pretty lame – the era’s equivalent of Clint Eastwood heroically taking down a webserver, blocking people from looking up which days to put their bins out and drawing a moustache on a picture of the enemy president; The Graffiti of Navarone.
So why are these big honchos getting all lathered up about an imminent danger which has so far proven rather short on actual danger?
As usual, it’s all about the money. Defense budgets run into the billions. Defense contractors, which now include IT firms of course, rake in huge amounts from their government masters, and so put heavy pressure on politicians to hype the danger and ensure increased budgets.
They also want to ensure their valuable R&D work is protected and their ideas aren’t stolen by the bad guys (aka foreign competitors), denting their hefty profits.
Cyber warriors may not sound as pricey as sophisticated modern weapons – after all, they only really need a laptop, a comfy chair and plenty of caffeine, right?
Running a cyber army is an ongoing cost though; with a nuclear missile, say, most of the cash is in upfront development and building the thing, with storage, maintenance, staff training and so on costing peanuts by comparison.
Cyber weapons tend to be less durable. You can have a team working for months on a targeted attack, investing in the most expensive bleeding-edge vulnerabilities to exploit, only to find the target has decided to move to Ubuntu and scuppered all your plans.
So you need more cyber grunts working on more scenarios, to ensure that when World War 3G does break out you have the best weapons available, each one honed to target a specific system in a specific potential enemy state and kept up to date to bypass their current security.
What we have is an everlasting arms race, the ideal situation for any arms supplier.
There’s no problem with investing in defensive measures – best practices plans, intrusion detection techniques, even attack simulations. Improvements in general security should trickle down to help us all out.
The problem is with the idea of attack forces. Their main purpose so far seems to be to snoop on foreign businesses, possibly defense contractors but really anyone with any ideas that can be ripped off. This isn’t far removed from what the bulk of cybercrime is about – again, the money.
This is another area where the politicians come under pressure from cash-rich lobbyists, to protect the intellectual property of the mega-corporations, perhaps even allow them to strike (or snoop) back.
Indeed, it’s entirely possible that the attacks and attackers so far observed, and believed to be government-sponsored, are really just more-than-usually-organised cyber crooks.
My view: Don’t believe the hype. There’s no cyber war under way. There’s not really much by way of cyber terrorism, unless defacing and DDoS-ing websites counts.
What there is is a fair amount of cyber espionage, snooping on government, corporate and personal secrets, some of it state-run (as the PRISM leaks make clear) but the huge bulk of it perpetrated with a clear profit motive, by cybercriminals, not cyber warriors.
We need to focus on stopping the crooks every way we can, with education being a big part of it. Filling people’s heads with fears of digital ninjas making our PCs ooze Sarin gas isn’t helping a bit. Unless you happen to be a fat-cat defense IT contractor of course.
Don’t have nightmares.