[Infowarrior] - Is Hacking Threat To Nation Overblown?

Richard Forno rforno at infowarrior.org
Wed Jun 3 18:42:39 UTC 2009 

Is Hacking Threat To Nation Overblown?

    * By Ryan Singel Email Author
    * June 3, 2009  |
    * 2:19 pm  |

http://www.wired.com/threatlevel/2009/06/is-hacking-threat-to-nation-overblown/

Is hacking a real threat to the United States or is it just the latest  
overblown threat to national security, whose magnitude is being  
exaggerated in order to expand government agencies’ budgets and powers?

That’s the question asked by Threat Level editor Kevin Poulsen at a  
panel in Computers, Freedom and Privacy in Washington, D.C. Wednesday.  
And it’s important because the government is spending billions of  
dollars on computer security and President Obama is elevating cyber- 
security to a national priority, using language that makes even  
security experts wince.

Amit Yoran, a former Bush Administration cybersecurity czar, argues  
the answer is easy.

“Is hacking a national security threat?,” Yoran said. “The one word  
answer is yes.”

As proof, Yoran pointed to stories about the denial-of-service attacks  
in Estonia, attacks on government contractor Booz Allen Hamilton and  
the recently reported breach of a defense contractor that let hackers  
get at information on the Joint Strike Fighter.

“Cyber 9-11 has happened over the last ten years, but it’s happened  
slowly so we don’t see it,” Yoran said.

Poulsen called the threat of cyber-terrorism “preposterous,” citing  
the long-standing warnings that hackers would attack the power grid —  
despite the fact that it has never happened. And he argued that  
calling such intrusions national security threats means information  
about attacks gets classified unneccessarily.

“If we can’t publicly share info that the attackers already have  
(since it’s about them) then we are doing far more harm than good,”  
Poulsen said, arguing that makes it impossible for the security  
community at large to analyze or prepare defenses for such attacks.

Moreover, he pointed out the Joint Strike fighter example involved  
only unclassified information and the denial-of-service attacks in  
Estonia have never been proven to be anything other than the work of  
nationalist Russian citizens.

But security expert Bruce Scheiner (a former Wired.com columnist) said  
there’s going to be cyber-attacks that actually affect the real world,  
even though such threats are currently overblown.

“Remove the word cyber. Its just a new theater,” Scheiner said. “Of  
course there is espionage and as data moves online, there is cyber- 
espionage. But is it a real threat?”

Schneier’s answer is yes, but not as big a threat to infrastructure as  
natural disasters or bad code.

“We have to be robust against hackers and Murphy,” Schneier said,  
referring to Murphy’s law.

Dr. Herb Lin, a cyber-attack expert at the National Research Council,  
called the scoffing naive, saying he could imagine hackers getting  
into classified command-and-control systems, for one.

But he lamented that much of the current dialogue is about about cyber- 
war and cyber-terror, when the largest threat is in cyber-espionage —  
which is not considered an act of war.

“We can see why the press and government agencies talk about cyber- 
terror and cyber-war,” Lin said, referring ostensibly to page views  
and budgets, respectively. “But we don’t consider spies inside the  
United States to be an attack on the United States.”

Yoran did admit that cyber-terrorism was improbable, but stuck to his  
point that there are significant national security threats from hackers.

Lin says the government needs to think about getting its own cyber- 
attack capability.

“Passive defenses alone are not sufficient,” Lin said. “You have to  
impose costs on an attacker and maybe the only way to do that is a  
cyber-attack yourself. The good guys have always had some sort of  
offense too.”

Lin was dumbstruck by Poulsen’s dismissal of the examples that the  
government, including President Obama, have used as evidence that  
there is a massive cyber-security threat — specifically Obama’s recent  
description of a November USB thumb-drive virus attack as the biggest  
cyber-attack on the U.S. military.

“Why is something that is an obvious threat not considered a threat to  
national security?” Lin asked.

“The point is that the way you frame these issues matters,” Schneier  
explained.

In fact, they do matter — since now the government is pouring billions  
of dollars into cyber-security for its own networks, and possibly the  
general public’s net, a far change from the government’s relative  
indifference to such issues until about two years ago.

Indeed, even Amit Yoran, who quit his post in the Bush Administration  
as cyber-czar in October 2004 after having gotten little support  
during his year tenure, admitted his job might have been easier and he  
might not have quit if cyber-attacks had the media attention then that  
they do now.

More information about the Infowarrior mailing list