[Infowarrior] - Cyberwar Rhetoric Is Scarier Than Threat of Foreign Attack

Richard Forno rforno at infowarrior.org
Tue Mar 30 02:49:01 UTC 2010 

Cyberwar Rhetoric Is Scarier Than Threat of Foreign Attack
Military industry uses fear to grab money; Americans and the Chinese  
are not stupid
By Marcus Ranum
Posted March 29, 2010
http://www.usnews.com/opinion/articles/2010/03/29/cyberwar-rhetoric-is-scarier-than-threat-of-foreign-attack.html

Marcus Ranum is an expert on security system design and chief security  
officer for Tenable Network Security.

I've worked on information security for more than 20 years, and during  
that time, there hasn't been a year that has gone by without news like  
"hacker breaks into Department of Defense computer networks" or  
"industrial spies access high-tech plans." Suddenly, the steady  
drumbeat of computer/network security has been pushed to center stage,  
and now our government is talking about "cyberwar" and pointing a  
finger at China. Unless you've been asleep for a decade, you ought to  
be worried when our government starts using the rhetoric of warfare— 
especially vocabulary like "pre-emptive" and "deterrence." Why the  
sudden change?

Anyone involved in sales knows the "FUD sell"—based on fear,  
uncertainty, and doubt. Some of the talking heads who are declaring us  
to be in danger want to sell billions of dollars of solutions to the  
problem. They are often the same people who had "ownership" of the  
problem before they stepped through the revolving door into private- 
sector executive positions. Now they'll get it right? I'm skeptical.

Let's consider what they're saying. The notion of cyber war is that it  
would serve as a "force multiplier" for conventional operations.  
Preparatory to attacking a target, communications networks and command/ 
control systems would be disrupted, power systems might be temporarily  
crashed, navigation systems confused, etc. Proponents of cyberwar  
claim that it might save lives; I've even heard them claim it's more  
effective to recoverably crash a nation's power grid than to bomb it  
with precision airstrikes. The misdirection works, however. We're now  
down into the technical weeds and lose track of the main question:  
"What war?"

When some pundit says that we're losing a cyberwar to China, is he  
saying that China is preparing to crash our electronic infrastructure  
so that it can invade? The mind boggles. The last time I asked a  
cyberwar proponent that question, he quickly explained that, no, we  
were talking about potential economic warfare. But isn't there already  
an ongoing economic war we call "the global economy"? Assuming China  
would try to deliberately crash our economy presupposes that the  
Chinese are so stupid that they'd want to devalue the huge chunk of  
the U.S. economy that they already own, and crater their own economy  
while they were at it. I keep waiting for a spokesperson of the  
Chinese government to officially say, "Please stop assuming we're  
idiots." If China wanted to drop the hammer, it would start trading in  
euros instead of dollars. But who has the time and energy to invade,  
disrupt, or destroy? We're business partners, we're competitors, and  
there's money to be made!

Isn't it absurd that the FBI announces that our "smart power grid"  
systems are massively penetrated by cyberwarriors from "hostile  
powers" even as U.S. energy companies are bidding on multibillion- 
dollar contracts with the Chinese to sell them their own smart power  
grid?

All websites are constantly probed for weaknesses by robotic worms,  
spammers, hackers, and maybe even a government agent or two.  
Complaining will not work. Making threats will not work. If cyberwar  
changes one thing about the military landscape, it's that we can  
finally put away the hoary old saying, "The best defense is a strong  
offense." The only defense in cyber war is having a good defense.

Intelligence—cyberespionage, if you will—is not cyberwar. It's just  
business as usual. But the cyberwar pundits lump every thing in the  
same bucket, pointing the finger at another nation-state and saying  
we're under attack. What's scary is that the accusations are coming  
from places they shouldn't be. I think we're seeing a bureaucratic  
attempt at budget and turf enlargement by the FBI. But someone needs  
to ask why the nation's cops are suddenly involved in international  
diplomacy. That's the State Department's job.

And accusations should be accompanied and supported by publicly  
accessible facts, not just leaked classified reports. The reports  
apparently contain bizarre inaccuracies. According to journalist  
Gerald Posner, the FBI's classified report indicates that China has  
developed an army of 180,000 cyberspies. Were the Chinese planning  
human-wave attacks? Or did the FBI count every student studying  
computer science in China as a government-sponsored cyberwarrior? That  
might seem like a facetious question, but recently we learned that, in  
one of those reports, a computer science graduate student's paper on  
power-grid security was magically transformed into a road map for  
cyberattacks on the United States. Elsewhere, fevered claims that  
cyberwar could have "WMD-like effects" are offered, an insult to any  
reader's intelligence.

The Estonian cyberwar of 2007 is another good example. Initially, wild  
claims were that it was a Russian-sponsored attack of incredible  
sophistication, a possible preparation for a real assault. It turned  
out to be more a case that the Estonian government's defenses were  
weak, a handful of individuals caused all the trouble, and Russia  
wasn't involved.

Or consider the July 2009 attacks that initially appeared to come from  
North Korea, leading Republican Rep. Peter Hoekstra of Michigan to  
call for U.S. retaliation. Researchers determined that the attacks  
originated with a handful of individuals in the United Kingdom. If you  
can't be sure who is attacking you, retaliation is not just stupid,  
it's immoral.

As taxpayers, we have a problem: Give more money to someone who built  
a disaster, and you'll get a bigger, more expensive disaster. The need  
for a mature, national-level approach to cybersecurity is painfully  
clear, and it starts with leadership, rational assessment of our  
problems, cessation of finger-pointing and yellow-peril screeching,  
and an honest after-action review of how we got to where we are today.

More information about the Infowarrior mailing list