Cybersecurity: Be afraid! But how much afraid?
Monday, May 17, 2010 at 12:11AM 
Evgeny Morozov piece in the weekend WSJ a bit back, and recent Bloomberg BusinessWeek story on Richard Clarke's latest tome. Morozov rails against the "cyber warmongers," in whose ranks one must definitely include Clarke, for reasoning both valid and hyperbolic.
I like Morozov in general: he is snarky in a good way, solid in his reasoning, and he likes to poke holes in the usual conventional wisdom. Here, let's say, Morozov is less than impressed with the usual "wargames" that prove, as they are designed to, that the US is COMPLETELY naked and unprepared for an electronic Pearl Harbor.
It's one of those inescapable predictions that must inevitably someday be right--right? The question is, How bad will it be? Will it constitute a whole new monster or just another degree of failure/collapse that's marginally bigger than the usual stuff we inflict upon ourselves with great regularity due to accidents, poor practices and bad design?
Morozov targets Clarke right off, who claims in his new book that "the cyberwar has already begun." That's a prediction you have to love, because no matter what happens, the man has got to be proven right by events, because, what the hell! By his logic, there's no such thing as a cyberpeace. So McConnell (former NSA head) says we'll automatically lose any cyberwar that happens (Really? Then who automatically wins? Oh, THEY do, of course.) and Panetta (CIA) goes bravely on the record to say that the next Pearl Harbor will be a cyber Pearl Harbor (of course it will, because we said so and we get to determine these things in advance--just like 9/11!).
Morozov says spending on cybersecurity is higher than ever ($55B between now and 2015), but so is our angst. He wonders out loud if the biggest scare-mongers on the subject tend to benefit from it, by selling books, and winning cybersecurity contracts from the USG (like McConnell's new employer, Booz Allen, or Clarke's new firm, Good Harbor Consulting).
This is why I don't make enough money consulting, let me tell you. I really need to focus on scaring people more.
Clarke defends his record by saying that the U.S. has created a very large and very expensive cybersecurity command, so that proves it's a huge problem that the government is trying to take seriously. Both his firm and Booz denies any connections between what their poster boys say and what the company earns, but you know the visibility and the connections and the message and the product all go together.
As Morozov says, we don't want "to hold our policy-making hostage to the rhetorical ploys of better-informed government contractors."
Best-bit award goes to Obama's current cybersec czar, Howard Schmidt, who said that "there is no cyberwar," and that the term is "a terrible metaphor" and a "terrible concept." I think he's right, but I think those can easily become words to regret.
The web, Morozov points out, is a wild place still--a real frontier will few lawmen. We've democratized the connectivity and so too the criminality and malicious behavior--big surprise.
Here's where Morozov gets to the logic I usually employ in Q&A when I get this question: "Why don't you emphasize cyberwar more in your brief?":
Why have such tactics—known in military parlance as "computer network attacks"—not been used more widely? As revolutionary as it is, the Internet does not make centuries-old laws of war obsolete or irrelevant. Military conventions, for example, require that attacks distinguish between civilian and military targets. In decentralized and interconnected cyberspace, this requirement is not so easy to satisfy: A cyberattack on a cellphone tower used by the adversary may affect civilian targets along with military ones. When in 2008 the U.S. military decided to dismantle a Saudi Internet forum—initially set up by the CIA to glean intelligence but increasingly used by the jihadists to plan on attacks in Iraq—it inadvertently caused disruption to more than 300 servers in Saudi Arabia, Germany and Texas. A weapon of surgical precision the Internet certainly isn't, and damage to civilians is hard to avoid. Military commanders do not want to be tried for war crimes, even if those crimes are committed online.
I also tend to add: even if you, the weaker guy, shut down my nets for a bit and get some surprise attack accomplished, at the end of the day, I will still be there with my superior conventional military force, and I am likely to be able to make clear my unhappiness regarding whatever trick you just pulled. Fait accompli or no, you will now have me as a more committed enemy, and when I decide to strike back, the cybertricks won't be enough to protect you.
So Morozov says, quite sensibly: "We probably want very strong protection against cyberterror, moderate protection against cybercrime, and little to no protection against juvenile cyber-hooliganism."
Why? Perfect security would come with huge social, political and economic costs--all of which, I would add, would eventually translate to military weakness.
Best point: "Recasting basic government problems in terms of a global cyber struggle won't make us any more secure."
So no, Mr. President, please don't turn cyberattacks into "weapons of mass disruption" because you'll be "diverting national attention from more burning problems while promoting extremely costly solutions."
Better to focus on promoting Internet freedom, Morozov says. He has a book coming out on the Internet and democracy, so he's hawking too, but in a non-hypeish way I instinctively admire.
And yet, Clarke's four big fixes aren't so bad either:
- Get serious about industrial espionage
- Create information quarantines (if it's super-secret, keep it totally disconnected from the Web!)
- Build, don't buy, security (if your security needs are unique, so too should be your solutions) and
- get started on cyber-arms control treaties (like one on nobody attacks each other's banks).
Pretty decent, actually.
My take remains the same: nets always race ahead of security, and since we're still--despite the Great Global Recession!--in a period of globalization's stunningly rapid expansion (what else do you call Asian investment everywhere across the Gap while the West's money pours into Asia?), it'll be that way for a long time to come. So, expect a lot of cyber stuff to happen. Get used to it. It'll be a natural part of our world.
But yeah, we'll get smarter and more resilient over time. Just because the criminals and baddies are able to exploit these new techs and nets faster and better than the rest of us right now doesn't signal their supremacy for all time--nor their omnipotence now. Frontiers get settled, rules catch up, life goes on.
So cybersecurity is real and important and we need to spend on it. It just ain't the sum total of our existence or even of the fights and conflicts that define our age. It's like the Web, part of damn near everything but hardly the hard core of anything--except pornography.
Reader Comments (2)
The WWW can be used as a WMD, Some of the weaknesses are not just
little tricks and inconveniences.
YES I'd like to practice some cyber war with you.
Lets play:
I pull up cornfliker bot net, millions of zombies, and attack all 13 Internet nodes,
with advanced, force multiplier Dos attacks from my millions of zombies,
in effect shutting down the WWW , well ok maybe only 85% of it.
And since you als have a strong cyber force you counter attack, inadvertently taking out more or the residual 15% capacity of the WWW.
But your not worried you have "superior conventional military force" with its secure
intra nets, but of course your WWW cable plug is DEAD, You can't communicate,
with your "superior conventional military force" Cell phones out,land lines out,
Banks down, ATMs dead,of course CB and short wave work.
And If I can keep the WWW down long enough ,or just knock it back down every
time you bring it back up I can watch the world Economies Crash, and the WWW
is the lubricant for Globalization, so that grinds to a halt.
But you have your "superior conventional military force".which is addicted
to the WWW, attached to an electronic nipple.
As I watch the core dissolve into a morass of 1950's technology.
Of course the Gap bumbles alomg un connected to the WWW.
The Gap is best prepared for a WMD strike on the WWW.
Now if that isn't a WMD strike I don't know what is.
"cyber warmongers," or Paul Revere?
Please discredit me, show me the error in my hypothesis,
punch it full of holes, PLEASE, I'll sleep better tonight if you
do.
Gerald
Internet Anthropologist
Tactical Internet Systems analyst.
The robustness of the internet is tested regularly, and regularly proven stronger than it has any right to be. Many Windows servers are rebooted regularly, because if left alone they crash. Sites like Amazon and CNN go away and come back, maybe due to malicious action, maybe due to accident. Nearly all of the country of Germany (the .de domain) goes away because an admin accidentally loads a truncated file into the top-level domain.
It's like a major seaport being shutdown because the channel is blocked by a ship run aground. Is it due to to cyberwar interfering with GPS or is it due to a drunken third mate at the wheel who wasn't familiar with the landmarks?
The days of the single point of failure in the internet that was the Microsoft monopoly will soon be over, though the polite monopoly that is Cisco will remain for awhile. The difference that makes this not so much of a worry is that network protocols are rigorously defined and not extensible like operating systems, and can be exhaustively tested with reasonable amounts of effort. Nevertheless, there remain serious weaknesses these days that are held together by lots of manual effort by very smart sysadmins and netadmins. But like all humans, they make mistakes, and these mistakes are more creative than any malicious mischief could be, because they are fully random, and not constrained by any patterns of thought.
With friends like this, who needs enemies? Only consultants who collect big bucks with scary stories.