[Infowarrior] - The Last Cyber Threat Article You ¹ ll Ever Read

[Richard Forno]

(Disclaimer:  I helped write this........rf)


The Last Cyber Threat Article You¹ll Ever Read

http://haftofthespear.com/2008/01/the-last-cyber-threat-article/#more

I¹m tired of hearing about all the ³new² things going on in the cyber-war,
cyber-terrorism, cyber-insert-your-term-here business. Nothing I¹ve read on
these issues in the last few years is any different from anything I read
fifteen years ago. Issues that make headlines today were actually new when
the IBM XT was a hot piece of hardware. So as a public service your author
provides you with five factors to evaluate when deciding on whether or not
to buy the next book or magazine with an article that suggests iDeath or
e-horror is imminent. Take a pass if you detect any two in a scan of the
dust jacket or lede.

Nothing is New. Any time someone talks about how new a given cyber issue is,
watch out for wet paint. Winn Schwartau¹s 1994 book Information Warfare was
essentially the tipping point for the cyberspace-is-a-dangerous-place genre.
Years earlier Cliff Stoll¹s The Cuckoo¹s Egg laid out what evils were in
store for the nascent Internet (contrary to popular opinion, Latvia is just
the latest target upon which Russian¹s have unleashed hackers). Phishing and
man-in-the-middle attacks are just variations on a theme; Computer Capers (©
1978!) talks about how people were using computers to commit financial
crimes back when a portable computer required a fork lift.

More Metaphors = More B.S. Any story you read that has someone fusing a lot
of physical-world terms with Internet-related terms should invoke one
reaction: check your wallet. The military are particularly egregious abusers
in this area. After years of studying the issues, the Pentagon still has few
sound ideas about how to fight and win a battle in cyberspace. That hasn¹t
stopped the Air Force from setting up new cyber warfighting command (watch
for the other Services to follow the money). Among the many unanswered
questions: If we are about to launch an attack, do we have to get fly-over
rights from Verizon? If an apparent foreign source takes out a purely
commercial concern in the US, do we attack said foreign nation¹s capitol?
Since accurately identifying the source of a cyber attack is near
impossible, how do we minimize friendly-fire or collateral damage? Scratch
beneath the surface and you find no solid answers.

Net-centricity is as dangerous as it is helpful. Data is not knowledge and
being able to process a lot of data does not provide wisdom. Careless
application of technology ­ particularly in a military context, though you
find parallels in business as well - threatens to send us into a retrograde
spin to the days of the ³squad leader in the sky.² The phrase refers to the
practice of some military commanders in Viet Nam who would fly above an
operation and attempt to direct action on the ground (much to the dismay of
those who were actually being shot at). Does having a lot of data on a
dashboard fundamentally improve our ability to make decisions, or does it
simply foster the illusion of situational awareness and operational control?
More importantly, how wise is it to pursue such efforts given the fact that
we can barely secure the networks we have now?

The ³Expert² Probably Isn¹t. Who do you see quoted in stories about
cyber-Armageddon? Sometimes they¹re white hat hackers, sometimes engineers,
sometimes soldiers, but more often than not they¹re people who know a lot of
buzz-words and not a lot of details. I belong to a professional organization
that addresses issues related to conflict in cyberspace, but there is no one
in this diverse and august group who knows it all - and more importantly
they would never pretend to. Being able to crack passwords doesn¹t make you
a digital soldier; an ex-pilot assigned to an INFOSEC job while awaiting
retirement is no cyber-warrior; and a General who read Strategic Warfare in
Cyberspace isn¹t the information age¹s Sun Tzu. The ³expert² who sounds like
an evangelist on this stuff isn¹t a holy man; he¹s a con man.

The World Doesn¹t End if the Internet Goes Dark. Cyberwar breaks out
tomorrow and then what? The sun will still come up and life will still go
on. Everything will become more tedious and time-consuming, but for those
raised in the analog age, life will seem very familiar indeed. This is not
to say that there will not be economic and other implications that will hurt
us as a nation, but we¹re not facing life in a new dark ages or a war
against the CHUDs. Coloradans dealt with the snow storm of 2007; New
Englanders dealt with the ice storm of 1998; levels of individual
preparedness vary, but the country doesn¹t suddenly become one big
post-Katrina New Orleans (especially since New Orleans post-Katrina wasn¹t
as bad as some made it out to be) just because connectivity drops off.

Lector Caveo should be your watchwords every time you pick up a book or
magazine that purports to tell you something you don¹t already know with
regards to the hazards of cyberspace. Variations on well-worn themes are as
multitudinous as there are bits stored on a 40 TB RAID. There is nothing
revolutionary about coming up with a new way to waste money on an old idea
dolled up in lipstick and pancake makeup. Threats in cyberspace are real,
but what is actually scary is the fact that we readily rush headlong to
expose ourselves for convenience or merely for cachet. Done properly
technology should enable us to do things effectively and safely, but since
security is hard, people are lazy, and hope is cheap; we usually end up
hoping for the best. We¹re in our second decade of cyber threats being on
the national security radar and we are still not dramatically better off
today than we were when we started. For an issue that should be moving at
Internet time, we are still clearly operating at the speed of government.

===
Thanks to Rick Forno, Bob Gourley, and Joel Harding for their help in
putting this together. All the good parts are theirs; all the bad parts are
mine.