[Infowarrior] - The Great Cyberscare

Richard Forno rforno at infowarrior.org
Thu Mar 14 15:02:31 CDT 2013


ForeignPolicy.com
March 13, 2013

The Great Cyberscare

Why the Pentagon is razzmatazzing you about those big bad Chinese hackers.

By Thomas Rid

The White House likes a bit of threat. In his State of the Union address,
Barack Obama wanted to nudge Congress yet again into passing meaningful
legislation. The president emphasized that America's enemies are "seeking
the ability to sabotage our power grid, our financial institutions, and our
air traffic control systems." After two failed attempts to pass a
cybersecurity act in the past two years, he added swiftly: "We cannot look
back years from now and wonder why we did nothing in the face of real
threats to our security and our economy." Fair enough. A bit of threat to
prompt needed action is one thing. Fear-mongering is something else:
counterproductive. Yet too many a participant in the cybersecurity debate
reckons that puffery pays off.

The Pentagon, no doubt, is the master of razzmatazz. Leon Panetta set the
tone by warning again and again of an impending "cyber Pearl Harbor." Just
before he left the Pentagon, the Defense Science Board delivered a
remarkable report, Resilient Military Systems and the Advanced Cyber Threat.
The paper seemed obsessed with making yet more drastic historical
comparisons: "The cyber threat is serious," the task force wrote, "with
potential consequences similar to the nuclear threat of the Cold War." The
manifestations of an all-out nuclear war would be different from
cyberattack, the Pentagon scientists helpfully acknowledged. But then they
added, gravely, that "in the end, the existential impact on the United
States is the same."

A reminder is in order: The world has yet to witness a single casualty, let
alone fatality, as a result of a computer attack. Such statements are a
plain insult to survivors of Hiroshima. Some sections of the Pentagon
document offer such eye-wateringly shoddy analysis that they would not have
passed as an MA dissertation in a self-respecting political science
department. But in the current debate it seemed to make sense. After all, a
bit of fear helps to claim -- or keep -- scarce resources when austerity and
cutting seem out of control. The report recommended allocating the stout
sum of $2.5 billion for its top two priorities alone, protecting nuclear
weapons against cyberattacks and determining the mix of weapons necessary to
punish all-out cyber-aggressors.

Then there are private computer security companies. Such firms, naturally,
are keen to pocket some of the government's money earmarked for
cybersecurity. And hype is the means to that end. Mandiant's much-noted
report linking a coordinated and coherent campaign of espionage attacks
dubbed Advanced Persistent Threat 1, or "APT1," to a unit of the Chinese
military is a case in point: The firm offered far more details on
attributing attacks to the Chinese than the intelligence community has ever
done, and the company should be commended for making the report public. But
instead of using cocky and over-confident language, Mandiant's analysts
should have used Words of Estimative Probability, as professional
intelligence analysts would have done.

An example is the report's conclusion, which describes APT1's work:
"Although they control systems in dozens of countries, their attacks
originate from four large networks in Shanghai -- two of which are allocated
directly to the Pudong New Area," the report found. Unit 61398 of the
People's Liberation Army is also in Pudong. Therefore, Mandiant's computer
security specialists concluded, the two were identical: "Given the mission,
resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398
is APT1." But the report conspicuously does not mention that Pudong is not a
small neighborhood ("right outside of Unit 61398's gates") but in fact a
vast city landscape twice the size of Chicago. Mandiant's report was useful
and many attacks indeed originate in China. But the company should have been
more careful in its overall assessment of the available evidence, as the
computer security expert Jeffrey Carr and others have pointed out. The firm
made it too easy for Beijing to dismiss the report. My class in
cybersecurity at King's College London started poking holes into the report
after 15 minutes of red-teaming it -- the New York Times didn't.

Which leads to the next point: The media want to sell copy through threat
inflation. "In Cyberspace, New Cold War," the headline writers at the Times
intoned in late February. "The U.S. is not ready for a cyberwar," shrieked
the Washington Post earlier this week. Instead of calling out the
above-mentioned Pentagon report, the paper actually published two supportive
articles on it and pointed out that a major offensive cyber capability now
seemed essential "in a world awash in cyber-espionage, theft and
disruption." The Post should have reminded its readers that the only
military-style cyberattack that has actually created physical damage --
Stuxnet -- was actually executed by the United States government. The Times,
likewise, should have asked tough questions and pointed to some of the
evidential problems in the Mandiant report; instead, it published what
appeared like an elegant press release for the firm. On issues of
cybersecurity, the nation's fiercest watchdogs too often look like hand-tame
puppies eager to lap up stories from private firms as well as anonymous
sources in the security establishment.

Finally, the intelligence community tags along with the hype because the NSA
and CIA are still traumatized by missing 9/11. Missing a "cyber 9/11" would
be truly catastrophic for America's spies, so erring on the side of caution
seems the rational choice. Yes, Director of National Intelligence James
Clapper's recent testimony was more nuanced than reported and toned down the
threat of a very serious cyberattack. But at the same time America's top
spies are not as forthcoming with more detailed information as they could
be. We know that the intelligence community, especially in the United
States, has far better information, better sources, better expertise, and
better analysts than private companies like Symantec, McAfee, and Kaspersky
Lab. But for a number of reasons they keep their findings and their analysis
classified. This means that the quality of the public debate suffers, as
experts as well as journalists have no choice but to rely on industry
reports of sometimes questionable quality or anonymous informants whose
veracity is hard to assess.

The tragedy is that Obama actually has it right: Something needs to be done,
urgently. But Washington's high-octane mix of profiteering, protectiveness,
and politics is sadly counterproductive for four reasons:

First, the hype actually makes it harder to focus on crucial engineering
details. Security standards in industrial control systems and SCADA networks
-- the networks that control stuff that physically moves around, from trains
to gas to elevators -- are shockingly low. The so-called Programmable Logic
Controllers widely used in critical infrastructure are designed to be safe
and reliable in tough factory-floor conditions and harsh weather, not secure
against outside attack. This year's S4 conference in Miami Beach, organized
by the small and specialized security outfit Digital Bond, again showcased
how vulnerable these systems are. But Washington is too busy screaming havoc
and too ill-informed to do something meaningful about concrete engineering
issues. Just sharing information, as the inspector general of the Department
of Homeland Security recommended in a report last month, is useful but it
will not deliver security. Connecting critical infrastructure that was never
designed to be linked to the Internet is also not the root of the problem --
the built-in security flaws and fragility of these systems need to be
fixed, as Digital Bond's Dale Peterson pointed out last week in response to
the timid DHS report. The political dynamic behind this logic is clear: The
more is declared critical, the harder it becomes to act on the really
critical.

Second, the hype clouds badly needed visibility. A fascinating project at
Free University Berlin has produced a vulnerability map. The map uses
publicly available data from Shodan, the Google for control system hackers,
and adds a layer of information crawled from the web to geo-locate the
systems that often should not be connected to the Internet in the first
place. Red dots on the map show those systems. The United States looks as if
it has the measles. But note that the map is incomplete: It is biased
towards German products, the project's founder told me. If that flaw can be
fixed, the United States and other countries would look as bloody red as
Germany does already. The U.S. government's attention-absorbing emphasis on
offensive capabilities means it has very little visibility into what this
vulnerability map would actually look like.

Third, sabotage and espionage are rather different things -- technically as
well as politically. SCADA systems are highly specific kit, often old and
patched together over years, if not decades. That means these systems are
highly specific targets, not generic ones. Affecting critical operations
requires reprogramming these systems, not just disrupting them; the goal is
modifying output parameters in a subtle way that serves the saboteur's
purpose. With Stuxnet, the U.S. government provided the -- so far -- most
extreme and best-documented case study. The operation showed that successful
sabotage that goes beyond just deleting data is far more difficult than
successful espionage: It requires testing and fine-tuning an attack over
many iterations in a lab environment, as well as acquiring highly specific
and hard-to-get target intelligence. Stealing large volumes of intellectual
property from a commercial competitor, by contrast, is a technically rather
different operation -- there is little to no valuable IP hidden inside
control systems. To put it bluntly: China and others have a high commercial
incentive to steal stuff, but they have no commercial incentive to break
stuff. All threats are not created equal. What's needed is nuance, surgical
precision, differentiation, and sober analysis -- not funk, flap, and
fluster.

Finally, hype favors the offense over the defense. The offense is already
sexier than the defense. Many software engineers who consider a career in
public administration want to head north to the dark cubicle at Fort Meade,
not bore themselves in the Department of Homeland Security -- if they are
not working happily in the Googleplex on bouncing rubber balls already. If
the NSA sucks up most of the available talent and skill and puts it to work
on the offense, the defense will continue to suffer. By overstating the
threat, and by lumping separate issues into one big bad problem, the
administration also inadvertently increases the resistance of powerful
business interests against a regulatory over-reaction.

As President Obama mentioned in his State of the Union address, if we look
back years from now and wonder why we did nothing in the face of real
threats, the answer may be straightforward: too much bark, not enough bite.

Thomas Rid, reader in war studies at King's College London, is the author of
Cyber War Will Not Take Place.
