Are we talking "cyber war" like the Bush admin talked WMDs?

By Matthew Lasar | Last updated about 10 hours ago
       
http://arstechnica.com/security/news/2011/04/are-we-talking-cyber-war-like-the-bush-admin-talked-wmds.ars

Turn any corner in the complex metropolis that is Internet policy and you'll 
hear about the "cybersecurity" crisis in two nanoseconds. As a consequence, the 
public is treated to a regular diet of draconian fare coming from Sixty Minutes 
and Fresh Air about the "growing cyberwar threat."

Former National Security Adviser Richard A. Clarke suggests a thought exercise 
in his hit book Cyber War: imagine you are the assistant to the president for 
Homeland Security. The National Security Agency has just sent a critical alert 
to your BlackBerry: "Large scale movement of several different zero day malware 
programs moving on Internet in US, affecting critical infrastructure."

As you get to your HQ, one of the DoD's main networks has already crashed; 
computer system failures have caused huge refinery fires around the country; 
the Federal Aviation Administration's air traffic control center in Virginia is 
collapsing, and that's just the beginning.

"The Chairman of the Fed just called," the Secretary of the Treasury tells you. 
"Their data centers and their backups have had some sort of major disaster. 
They have lost all their data." Power blackouts are sweeping the country. 
Thousands of people have already died. "There is more going on," Clarke 
narrates, "but the people who should be reporting to you can't get through."

This sort of scare-the-children prose has become something close to the norm, 
complain George Mason University Mercatus Center researchers Jerry Brito and 
Tate Watkins in a new working paper about what they see as the real 
problem—"threat inflation."

"The rhetoric of 'cyber doom'," Brito and Watkins write, "lacks clear evidence 
of a serious threat that can be verified by the public. As a result, the United 
States may be witnessing a bout of threat inflation similar to that seen in the 
run-up to the Iraq War. Additionally, a cyber-industrial complex is emerging, 
much like the military-industrial complex of the Cold War. This complex may 
serve to not only supply cybersecurity solutions to the federal government, but 
to drum up demand for them as well."

Our past experience

The paper's title is "Loving the Cyber Bomb? The Dangers of Threat Inflation in 
Cybersecurity Policy." As that last paragraph suggests, these authors see a 
clear and present parallel between the cyberwar debate and the rhetoric of the 
Bush administration after September 11, 2001.

First, the paper notes, the White House implied that Iraq's then-dictator 
Saddam Hussein had something to do with the attacks on New York City and the 
Pentagon. Then the government convinced influential newspapers like The New 
York Times to favorably quote administration leaks suggesting that Iraq 
possessed weapons of mass destruction.

Both of these assertions were ultimately debunked, but the damage was done. As 
late as 2006, polls indicated that 40 percent of the US population still 
thought that Hussein was somehow in on 9/11.

As with that story, "there is very little verifiable evidence" to back up the 
cyber threats claimed now, "and the most vocal proponents of a threat engage in 
rhetoric that can only be characterized as alarmist," Brito and Watkins write. 
"Cyber threat inflation parallels what we saw in the run-up to the Iraq War."

Probed daily

The paper is particularly hard on the report of the Commission on Cybersecurity 
for the 44th Presidency. Launched by the Center for Strategic and International 
Studies, it came complete with a distinguished panel of academics, consultants, 
IT industry biggies, and former government officials. What it didn't come with, 
the Mercatus study contends, was much evidence for the dire situation it 
posited—that the protection of cyberspace "is a battle we are losing."

For example, the CSIS report warned that Department of Defense computers are 
"probed hundreds of thousands of times each day." But of course that's true, 
the paper notes. Probing and scanning are the norm in cyberspace, with software 
constantly trying the doors of websites and portals.

Then the blue ribbon document contended that "porous information systems have 
allowed opponents to map our vulnerabilities and plan their attacks."

"Depriving Americans of electricity, communications, and financial services may 
not be enough to provide the margin of victory in a conflict, but it could 
damage our ability to respond and our will to resist. We should expect that 
exploiting vulnerabilities in cyber infrastructure will be part of any future 
conflict."

Where, the Mercatus researchers ask, was the evidence that America's opponents 
have "mapped vulnerabilities" and "planned attacks"? These sorts of reports 
often imply that they're working from classified sources. But: "If our past 
experience with threat inflation teaches us anything, it is that we cannot 
accept the word of government officials with access to classified information 
as the sole source of evidence for the existence or scope of a threat."

Clarke and the present danger

Richard Clarke's doomsday scenarios are next on the Mercatus paper's takedown 
list. Clarke's book cites the distributed denial of service attacks on Estonian 
and Georgian websites in 2007 and 2008 as particularly ominous. Obviously these 
assaults were serious and consequential, Brito and Watkins agree. But how do we 
get from botnet-infested computers or networks to the blackout, fire, and 
infrastructure collapse scenarios that Cyber War posits?

We just don't, they insist, and they also take Clarke to task for citing the 
Brazil blackout of 2007 as another Exhibit A for future cyber eschatologies. 
The going thesis for a while was that the disaster was prompted by a criminal 
hacking. But subsequent probes of the crisis by the power company and its 
regulator concluded that dirt on high voltage insulators caused the outage.

Ditto for the Northeast power blackout of 2003, suspected of being part of a 
worm-based cyberattack, found to be no such thing in a subsequent investigation.

It's pretty obvious that these researchers deplore Clarke's book, especially 
speculations that the Russians "are probably saving their best cyber weapons 
for when they really need them, in a conflict in which NATO and the United 
States are involved."

This sort of prose is "eerily reminiscent of the suggestion before the invasion 
of Iraq that although we lacked the type of evidence of WMD that might lead us 
to action, we would not want 'the smoking gun to be a mushroom cloud'," Brito 
and Watkins write.

Cyber pork

The Mercatus authors see very little good in this rhetoric, and many bad 
outcomes. They see unjustified regulation of the Internet as one possibility, 
and as Ars readers know, Congress has considered a bill that at one point would 
have given the president the authority to shut the 'Net down in the event of a 
cyberattack.

They also see corporations ratcheting up the volume on the issue to bring in 
defense contracting dollars, and politicians joining the panic party to deliver 
federal money to their districts. But ultimately what they see is a 
scaremongering discourse that will make it impossible to realistically assess 
the cybersecurity situation.

"Let us be very clear," their essay acknowledges: "although we are skeptical of 
the scope of the threat as presented by the proponents of regulation, we do not 
doubt that cyber threats do exist, nor would we suggest that regulation can 
never be appropriate. What we do propose is that before we rush to regulate 
cyberspace we should first demand verifiable evidence of the threat and its 
scope and, second, we should use any such evidence to conduct a proper analysis 
to determine whether regulation is necessary and if it will do more good than 
harm."