The last few paragraphs are spot-on rational observations and recommendations. 
Which means, of course, they'll be marginalised by those in charge.  -- rick

Cyberwar Is the New Yellowcake, Fueling a Cybersecurity-Industrial Complex

By Jerry Brito and Tate Watkins
February 14, 2012 | 6:30 am

http://www.wired.com/threatlevel/2012/02/yellowcake-and-cyberwar/

In last month’s State of the Union address, President Obama called on Congress 
to pass “legislation that will secure our country from the growing dangers of 
cyber threats.” The Hill was way ahead of him, with over 50 cybersecurity bills 
introduced this Congress. This week, both the House and Senate are moving on 
their versions of consolidated, comprehensive legislation.

The reason cybersecurity legislation is so pressing, proponents say, is that we 
face an immediate risk of national disaster.

“Today’s cyber criminals have the ability to interrupt life-sustaining 
services, cause catastrophic economic damage, or severely degrade the networks 
our defense and intelligence agencies rely on,” Senate Commerce Committee 
Chairman Jay Rockefeller (D-W.Va.) said at a hearing last week. “Congress needs 
to act on comprehensive cybersecurity legislation immediately.”

Yet evidence to sustain such dire warnings is conspicuously absent. In many 
respects, rhetoric about cyber catastrophe resembles threat inflation we saw in 
the run-up to the Iraq War. And while Congress’ passing of comprehensive 
cybersecurity legislation wouldn’t lead to war, it could saddle us with an 
expensive and overreaching cyber-industrial complex.

In 2002 the Bush administration sought to make the case that Iraq threatened 
its neighbors and the United States with weapons of mass destruction (WMD). By 
framing the issue in terms of WMD, the administration conflated the threats of 
nuclear, biological, and chemical weapons. The destructive power of biological 
and chemical weapons—while no doubt horrific—is minor compared to that of 
nuclear detonation. Conflating these threats, however, allowed the 
administration to link the unlikely but serious threat of a nuclear attack to 
the more likely but less serious threat posed by biological and chemical 
weapons.

Similarly, proponents of regulation often conflate cyber threats.

In his 2010 bestseller Cyber War, Richard Clarke warns that a cyberattack today 
could result in the collapse of the government’s classified and unclassified 
networks, the release of “lethal clouds of chlorine gas” from chemical plants, 
refinery fires and explosions across the country, midair collisions of 737s, 
train derailments, the destruction of major financial computer networks, 
suburban gas pipeline explosions, a nationwide power blackout, and satellites 
in space spinning out of control. He assures us that “these are not 
hypotheticals.” But the only verifiable evidence he presents relates to several 
well-known distributed denial of service (DDOS) attacks, and he admits that 
DDOS is a “primitive” form of attack that would not pose a major threat to 
national security.

When Clarke ventures beyond DDOS attacks, his examples are easily debunked. To 
show that the electrical grid is vulnerable, for example, he suggests that the 
Northeast power blackout of 2003 was caused in part by the “Slammer” worm. But 
the 2004 final report of the joint U.S.-Canadian task force that investigated 
the blackout found that no virus, worm, or other malicious software contributed 
to the power failure. Clarke also points to a 2007 blackout in Brazil, which he 
says was the result of criminal hacking of the power system. Yet investigations 
have concluded that the power failure was the result of soot deposits on 
high-voltage insulators on transmission lines.

Clarke’s readers would no doubt be as frightened at the prospect of a cyber 
attack as they might have been at the prospect of Iraq passing nuclear weapons 
to al Qaeda. Yet evidence that cyberattacks and cyberespionage are real and 
serious concerns is not evidence that we face a grave risk of national 
catastrophe, just as evidence of chemical or biological weapons is not evidence 
of the ability to launch a nuclear strike.

The Bush administration claimed that Iraq was close to acquiring nuclear 
weapons but provided no verifiable evidence. The evidence they did 
provide—Iraq’s alleged pursuit of uranium “yellowcake” from Niger and its 
purchase of aluminum tubes allegedly meant for uranium enrichment 
centrifuges—was ultimately determined to be unfounded.

Despite the lack of verifiable evidence to support the administration’s claims, 
the media tended to report them unquestioned. Initial reporting on the aluminum 
tubes claim, for example, came in the form of a front page New York Times 
article by Judith Miller and Michael Gordon that relied entirely on anonymous 
administration sources.

Appearing on Meet the Press the same day the story was published, Vice 
President Dick Cheney answered a question about evidence of a reconstituted 
Iraqi nuclear program by stating that, while he couldn’t talk about classified 
information, The New York Times was reporting that Iraq was seeking to acquire 
aluminum tubes to build a centrifuge. In essence, the Bush administration was 
able to cite its own leak—with the added imprimatur of the Times—as a rationale 
for war.

The media may be contributing to threat inflation today by uncritically 
reporting alarmist views of potential cyber threats. For example, a 2009 front 
page Wall Street Journal story reported that the U.S. power grid had been 
penetrated by Chinese and Russian hackers and laced with logic bombs. The 
article is often cited as evidence that the power grid is rigged to blow.

Yet similar to Judith Miller’s Iraq WMD reporting, the only sources for the 
article’s claim that infrastructure has been compromised are anonymous U.S. 
intelligence officials. With little specificity about the alleged 
infiltrations, readers are left with no way to verify the claims. More 
alarmingly, when Sen. Susan Collins (R-Maine) took to the Senate floor to 
introduce the comprehensive cybersecurity bill that she co-authored with Sen. 
Joe Lieberman (I-Conn.), the evidence she cited to support a pressing need for 
regulation included this very Wall Street Journal story.

Washington teems with people who have a vested interest in conflating and 
inflating threats to our digital security. The watchword, therefore, should be 
“trust but verify.” In his famous farewell address to the nation in 1961, 
President Dwight Eisenhower warned against the dangers of what he called the 
“military-industrial complex”: an excessively close nexus between the Pentagon, 
defense contractors, and elected officials that could lead to unnecessary 
expansion of the armed forces, superfluous military spending, and a breakdown 
of checks and balances within the policy making process. Eisenhower’s speech 
proved prescient.

Cybersecurity is a big and booming industry. The U.S. government is expected to 
spend $10.5 billion a year on information security by 2015, and analysts have 
estimated the worldwide market to be as much as $140 billion a year. The 
Defense Department has said it is seeking more than $3.2 billion in 
cybersecurity funding for 2012. Lockheed Martin, Boeing, L-3 Communications, 
SAIC, and BAE Systems have all launched cybersecurity divisions in recent 
years. Other traditional defense contractors, such as Northrop Grumman, 
Raytheon, and ManTech International, have invested in information security 
products and services. We should be wary of proving Eisenhower right again in 
the cyber sphere.

Before enacting sweeping changes to counter cyber threats, policy makers should 
clear the air with some simple steps.

Stop the apocalyptic rhetoric. The alarmist scenarios dominating policy 
discourse may be good for the cybersecurity-industrial complex, but they aren’t 
doing real security any favors.

Declassify evidence relating to cyber threats. Overclassification is a widely 
acknowledged problem, and declassification would allow the public to verify the 
threats rather than blindly trusting self-interested officials.

Disentangle the disparate dangers that have been lumped together under the 
“cybersecurity” label. This must be done to determine who is best suited to 
address which threats. In cases of cybercrime and cyberespionage, for instance, 
private network owners may be best suited and have the best incentives to 
protect their own valuable data, information, and reputations.



---
Just because I'm near the punchbowl doesn't mean I'm also drinking from it.

_______________________________________________
Infowarrior mailing list
[email protected]
https://attrition.org/mailman/listinfo/infowarrior
