[Infowarrior] - More Cyberwar Hype: Gov't Fear Mongering To Get More Control Over The Network

[Richard Forno]

More Cyberwar Hype: Gov't Fear Mongering To Get More Control Over The Network

from the where's-the-evidence? dept

http://techdirt.com/articles/20100611/1818399791.shtml

We've been discussing the nature of the hype around the concept of a "cyberwar." There still has been no credible evidence presented that any such thing exists. There certainly has been computer based espionage. And there have been various vandalism attempts. But that's hardly a "war" and doesn't amount to all that much. But politicians and defense contractors have been playing up a few stories of vandalism to make it sound like foreign hackers are going to shut down critical services. And journalists are eating it up. Take, for example, a recent MSNBC blog post, that describes the following "scenario":

Imagine this scenario: Estonia, a NATO member, is cut off from the Internet by cyber attackers who besiege the country's bandwidth with a devastating denial of service attack. Then, the nation's power grid is attacked, threatening economic disruption and even causing loss of life as emergency services are overwhelmed. As international outcry swells, outside researchers determine the attack is being sponsored by a foreign government and being directed from a military base. Desperate and outgunned in tech resources, Estonia invokes Article 5 of the NATO Treaty -- an attack against one member nation is an attack against all. It requests an immediate response from its military allies: Bomb the attacker's command-and-control headquarters to stop the punishing cyber attack. 

Now, the U.S. government is faced with a chilling question: Should it get dragged into a shooting war by a cyber attack on an ally? Or should it decline and threaten the fiber of the NATO alliance? 

About half this fictional scenario occurred in 2007, when Estonian government and financial Web sites were crippled by a cyber attack during a dispute with Russia. That incident never escalated to this hypothetic level, however: The source of the attack was unclear, physical harm did not occur and Estonia never invoked Article 5.
I'd say that's a lot less than "half" of the scenario. Basically, there was a denial of service attack. It's not good, but it happens, and it's hardly a "war." No power grid was attacked. No one was harmed. People and businesses were certainly inconvenienced, but that's not the same thing. It's not war. But, adding in the hypotheticals, suddenly the "reality" that never happened seems so much closer. 

And then there's NPR. It recently ran a whole long article about cyberwar that repeatedly suggests that the way to deal with this is to solve the "attribution problem" so that everyone online can be identified. Privacy? Anonymity? Not important, because of this threat -- even though no one can provide any proof actually exists. The NPR piece uses Mike McConnell as a key source, highlighting (as everyone does) his former public service positions: former director of the National Security Agency and later the director of national intelligence. What NPR leaves out? Oh, that McConnell is now a Vice President at defense contracting giant Booz Allen Hamilton -- a firm that recently scored contracts worth hundreds of millions of dollars around this whole bogus cyber war threat. 

Wouldn't you think that a news organization like NPR would at least mention that whopping conflict of interest? It doesn't. 

Instead, it lets McConnell go on and on about his favorite idea: re-architecting the internet to get rid of anonymity:
Security experts focus on the "attribution problem" -- the challenge of identifying and tracking down the source of a cyberattack. Under current conditions, cybercrime, cyber-espionage, and cyberattacks can be directed remotely, with the perpetrator's identity and location a secret.
This totally overhypes how much of a problem "attribution" really is. If people want to figure out a way to be anonymous, they'll do so. Worst case, they hijack someone else's line and attack that way. Attribution is not the issue. Having reasonable security is. And that doesn't require taking away anonymity or changing the nature of the internet.
"One side couldn't attack the other side without the side being attacked knowing who it is and from where it came," says retired Vice Adm. Mike McConnell, a former director of the National Security Agency and later the director of national intelligence. 

McConnell argues that deterrence is needed to prevent countries today from waging cyberwar on each other. An attack on U.S. computer networks could knock out power grids, telecommunications, transportation and banking systems in a matter of seconds.
Note, yet again, the lack of a mention of his current job. Note also no explanation of why any critical infrastructure would be connected to the internet? Also, there's no mention of how serious this threat really is. After all, we currently do have this so-called "attribution" problem, and based on other fear mongering reports, there are tens of thousands of "cyberwarriors" conducting attacks around the globe. And we haven't heard of a single case of such an attack knocking any of those things offline. Yes, there have been temporary denial of service attacks that blocked some internet sites. But that's not the same thing.
Such an attack could be deterred if the attacking country knew it would bring immediate retaliation. But first it would be necessary to attribute the attack to someone. 

"Some level of confidence that you know from where a transaction originated is a requirement," McConnell says.
Except that's not true. In pretty much every case of such hacking/DDoS attempts, people have been pretty quick to figure out where they're really originating from. No one actually seems confused by that -- and, again, if the lack of such attribution means more attacks, why aren't there more attacks now?

McConnell highlighted the "attribution problem" in a recent interview with NPR. He advocates "re-engineering the Internet" to make more transactions there traceable. 

"There is a need for investment in technology that would allow you to achieve a level of attribution," McConnell says, "[so you could know] who's engaged in this transaction."
Why? He doesn't say. He just tells NPR so, and NPR says ok. At least NPR quotes a few people are are skeptical of the fix, but no one who questions either the actual size of the problem or why NPR is letting McConnell spin the story for his employer's benefit, without even the most basic level of disclosure. 

And, of course, with all this fear mongering going on in the press -- a very high percentage of which you can trace back to McConnell --  Congress is eager to act. It's put together a new "cybersecurity" bill that will give the White House the power to declare a "cyber emergency" and step in and take control over certain "assets." It will also involve creating an "Office of Cyberspace Policy." Yes, we'll soon have a Cyber Czar. I thought we already had an Office of Science and Technology Policy in the White House. We need a separate Cyberspace office too?