Forwarded from: Richard Forno <[EMAIL PROTECTED]> Security Through Soundbyte: The 'Cybersecurity Intelligence' Game Richard Forno
Essay #2002-12 (c) 2002 Richard Forno. Permission granted to reproduce and distribute in entirety with credit to author. Full article with in-line URLS is available at: http://www.infowarrior.org/articles/2002-12.html Some say that cyberspace is the new battlefield, with its own unique rules, challenges, and concerns for those charged with defending it. If one does consider cyberspace a modern battlefield, intelligence must naturally play a key role in developing appropriate, proactive defenses. Regarding battlefield intelligence, military strategist Sun Tzu wrote that "what is called foreknowledge cannot be elicited from spirits, nor from gods, nor by analog with past events, nor from calculations. It must be obtained from men who know the enemy situation." That's sound advice. During recent months, hardly a week goes by without some reference to some firm's findings or statistics on hackers, crackers, cyberterrorists, and the general state of internet security as they see it. Many times these reports are marketed as cybersecurity "intelligence." The latest player in the internet security industry is UK-based mi2g, and the subject of this article. mi2g offers a suite of security products (essentially they're a systems integrator focused on security), but is best known perhaps as a "security intelligence provider" providing research, assessment, and analysis services on the state of the cybersecurity. As a security professional - and someone 'on the front lines' of the cyberspace battlefield - I'm both curious and dubious about the whole 'cybersecurity intelligence' business concept, and wonder what it takes to both become a 'cybersecurity intelligence' expert and make money at it, too. For example, a spooky November 11 briefing by mi2g talks about the need for "counter-attack-forces" to deal with the threats of "digital terrorism" in the "5th dimension defence shield" against "digital mass attacks" and notes that it's "not a question of if, but when" such attacks will occur. As we've seen elsewhere, coining neat buzzwords in the cybersecurity realm makes for interesting reading, but does little to offer real solutions to the security challenges faced today. Such only serves to fan the flames of public misperception. Even more disturbing is the report's feeble attempt to capitalize on the public's visceral fear of real terrorism by trying to relate the 'insider threat' of disgruntled employees to the al-Qaeda members responsible for the September 11 attacks. mi2g claimed that in November 2002 there were 57,977 'overt digital attacks' to date, and that such 'overt' attacks will cost $7.3 billion worldwide for 2002. The firm estimates that the total economic damages of all attacks - overt, covert, virus, and worms - will be between $33 and $40 billion worldwide for the year. It's never really clear how mi2g differentiates an 'overt' attack versus a 'covert' attack. Does a website defacement count as an 'overt' attack? How does one know when a 'covert' attack occurs? Isn't that what being 'covert' is all about? And how can one credibly forecast billions of dollars lost from cyberattacks, especially from 'covert' ones the victim doesn't know have occurred? One wonders how much mathematical masturbation takes place when analyzing and generating these numbers. After all, it's quite popular - and easy - to cite economic losses resulting from cyber-attacks, especially since proving them is next to impossible. But it sure sounds impressively frightening to gullible reporters and ignorant business leaders. Personally, much of what security experts deem an 'overt' attack is nothing more than a nuisance event - web defacements, ping attacks, network compromises, or viruses - and not an act of cyberterrorism. Yet so much noise is made by firms over these nuisance events, you'd think the end of the digital world was approaching with each new vendor security alert. Perhaps if mi2g included unexpected port scans or pingsweeps as types of 'overt attack' they could generate even more frightening statistics for their audience, too. That, in turn, might generate more customer interest in their products and help their bottom line. Of course, security product and service vendors would benefit as well, so this continual public threat inflation is a win-win for everyone in the security industry, regardless of whether any real security enhancements take place. Also in November, mi2g claimed that "just one motivated individual cannot usually perpetrate complex cross-boundary physical or digital terrorism" yet a statement from a 1999 internal mi2g memo - now used as part of a marketing white paper - notes that [information-based] 'warfare' is "readily available to groups and individuals at anytime, anywhere in the world.² So which is it? This sounds suspiciously like former US National Security Advisor Anthony Lake's FUD-filled remarks in his book 'Six Nightmares" where he believes that if you're under thirty and have a computer and access to the internet, you can become a potential cyberterrorist and Harbinger of Global Digital Evil. Of course, Lake, mi2g, and other private and government-sector folks - like Senator Schumer of New York - continue to preach that cyber-attacks will cause airplanes to fall from the sky (a favorite scenario for these cyber-Chicken-Littles) and that the end of the world will occur not with a bomb but a directed TCP/IP packet, even though recognized terrorism experts regularly challenge this fear-based belief. So, given all its media coverage and gloomy forecasts of electronic and economic doom, what's the real-world experience mi2g is drawing on to generate its assessments? At first glance, you'd think the firm's been focused exclusively on internet security for almost a decade, and filled to the brim with recognized cybersecurity wizards akin to an Eeye or @Stake. Sadly, that's not the case. Cybersecurity FUD-buster (and VMyths owner) Rob Rosenberger conducted his own ongoing review of mi2g over the past few years, and his observations make for some interesting reading. In the interest of time, I'll summarize the mi2g mystique in two paragraphs, and let you form your own conclusions. Scouring the web, we find that in the mid-1990s, mi2g started off as an e-business enabler focused on operating portal sites (such as Carlounge.Com and Lawlounge.Com) under the corporate motto "Bringing The Web To The World." Suddenly, in 1999 with the digital apocalypse of Y2K looming ahead, the firm morphed into an internet security company that "by integrating state-of-the-art software engineering technology with super computing capability is revolutionising the world of eCommerce and for the first time maximising the return from the internet whilst minimising the risk." This was the same time when internet security companies were sprouting up faster than the kudzu in my backyard, bringing them to where they are today, as a provider of 'security intelligence' and other security-related products. One wonders what new market mi2g will be exploiting three years from now. The firm's current website reveals little about the background of its staff; most appear to be folks without significant operational IT security experience. It's interesting that only DK Matai, mi2g's founder and CEO, seems to speak or write publicly on security topics (few if any mi2g folks are active in the security discussion community, it seems) and although a seemingly talented academic, apparently has never been involved in the trenches of day-to-day IT security in the real corporate world. Compare this to other commercial firms founded to focus exclusively on IT security that employ many well-known, highly-experienced, and frequently-quoted security experts to help draft formal analyses on the state of cybersecurity. Who would you trust when being presented analysis and estimations about the state of cybersecurity? Soundbytes alone don't make a credible security expert. George Orwell wrote that if you preach something loud and often enough, you can get folks to believe it as truth, no matter how far-fetched your message. Those that blindly accept continual reports of impending gloom and doom, the need for "counter-attack-forces" to prevent "digital mass attacks" and minimize dubious economic losses will never be able to implement effective information security programs. They are basing their defenses on the customized opinions of self-monikered 'experts' - trying to make a profit - who have never set their proverbial foot on the cyber-battlefield and only know the enemy by what they've read or heard about them. And that's a very dangerous thing, no matter what battlefield you're on. Further Reading Study makes less of hack threat (Wired) Special Thanks to McW and Rob for their help in drafting this article. - ISN is currently hosted by Attrition.org To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn' in the BODY of the mail.