[Infowarrior] - Is Hacking Threat To Nation Overblown?
Richard Forno
rforno at infowarrior.org
Wed Jun 3 18:42:39 UTC 2009
Is Hacking Threat To Nation Overblown?
* By Ryan Singel Email Author
* June 3, 2009 |
* 2:19 pm |
http://www.wired.com/threatlevel/2009/06/is-hacking-threat-to-nation-overblown/
Is hacking a real threat to the United States or is it just the latest
overblown threat to national security, whose magnitude is being
exaggerated in order to expand government agencies’ budgets and powers?
That’s the question asked by Threat Level editor Kevin Poulsen at a
panel in Computers, Freedom and Privacy in Washington, D.C. Wednesday.
And it’s important because the government is spending billions of
dollars on computer security and President Obama is elevating cyber-
security to a national priority, using language that makes even
security experts wince.
Amit Yoran, a former Bush Administration cybersecurity czar, argues
the answer is easy.
“Is hacking a national security threat?,” Yoran said. “The one word
answer is yes.”
As proof, Yoran pointed to stories about the denial-of-service attacks
in Estonia, attacks on government contractor Booz Allen Hamilton and
the recently reported breach of a defense contractor that let hackers
get at information on the Joint Strike Fighter.
“Cyber 9-11 has happened over the last ten years, but it’s happened
slowly so we don’t see it,” Yoran said.
Poulsen called the threat of cyber-terrorism “preposterous,” citing
the long-standing warnings that hackers would attack the power grid —
despite the fact that it has never happened. And he argued that
calling such intrusions national security threats means information
about attacks gets classified unneccessarily.
“If we can’t publicly share info that the attackers already have
(since it’s about them) then we are doing far more harm than good,”
Poulsen said, arguing that makes it impossible for the security
community at large to analyze or prepare defenses for such attacks.
Moreover, he pointed out the Joint Strike fighter example involved
only unclassified information and the denial-of-service attacks in
Estonia have never been proven to be anything other than the work of
nationalist Russian citizens.
But security expert Bruce Scheiner (a former Wired.com columnist) said
there’s going to be cyber-attacks that actually affect the real world,
even though such threats are currently overblown.
“Remove the word cyber. Its just a new theater,” Scheiner said. “Of
course there is espionage and as data moves online, there is cyber-
espionage. But is it a real threat?”
Schneier’s answer is yes, but not as big a threat to infrastructure as
natural disasters or bad code.
“We have to be robust against hackers and Murphy,” Schneier said,
referring to Murphy’s law.
Dr. Herb Lin, a cyber-attack expert at the National Research Council,
called the scoffing naive, saying he could imagine hackers getting
into classified command-and-control systems, for one.
But he lamented that much of the current dialogue is about about cyber-
war and cyber-terror, when the largest threat is in cyber-espionage —
which is not considered an act of war.
“We can see why the press and government agencies talk about cyber-
terror and cyber-war,” Lin said, referring ostensibly to page views
and budgets, respectively. “But we don’t consider spies inside the
United States to be an attack on the United States.”
Yoran did admit that cyber-terrorism was improbable, but stuck to his
point that there are significant national security threats from hackers.
Lin says the government needs to think about getting its own cyber-
attack capability.
“Passive defenses alone are not sufficient,” Lin said. “You have to
impose costs on an attacker and maybe the only way to do that is a
cyber-attack yourself. The good guys have always had some sort of
offense too.”
Lin was dumbstruck by Poulsen’s dismissal of the examples that the
government, including President Obama, have used as evidence that
there is a massive cyber-security threat — specifically Obama’s recent
description of a November USB thumb-drive virus attack as the biggest
cyber-attack on the U.S. military.
“Why is something that is an obvious threat not considered a threat to
national security?” Lin asked.
“The point is that the way you frame these issues matters,” Schneier
explained.
In fact, they do matter — since now the government is pouring billions
of dollars into cyber-security for its own networks, and possibly the
general public’s net, a far change from the government’s relative
indifference to such issues until about two years ago.
Indeed, even Amit Yoran, who quit his post in the Bush Administration
as cyber-czar in October 2004 after having gotten little support
during his year tenure, admitted his job might have been easier and he
might not have quit if cyber-attacks had the media attention then that
they do now.
More information about the Infowarrior
mailing list