The Hysteria of the Cyber-Warriors 150
Posted
by
Soulskill
from the y2k-is-looking-more-reasonable-by-the-day dept.
from the y2k-is-looking-more-reasonable-by-the-day dept.
Willfro sends in a piece by Evgeny Morozov at the Boston Review about the hyperbole and the reality of "cyber war." Quoting:
"At the end of May, President Obama called cyber-security 'one of the most serious economic and national security challenges we face as a nation.' His words echo a flurry of gloomy think-tank reports. Unfortunately, these reports are usually richer in vivid metaphor — with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' — than in factual foundation. So why is there so much concern about 'cyber-terrorism?' Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies — which need to justify their own existence — and cyber-security companies — which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts."
Because the threat is real (Score:2, Informative)
There have been some very vivid demonstrations of the impacts of cyber-warfare, such as the attacks on Estonia and Georgia, Chinese and Iranian suppresion of free speech and media, air traffic control penetrations, and demonstrated penetrations of SCADA networks (power grid in particular). In Estonia, gov't services were disrupted, and the local equivalent of 911 was broken. Georgia was not as badly dinged as Estonia, largely because they're less reliant on networked services. (c.f. http://www.economist.com/displaystory.cfm?story_id=12673385 [economist.com] ). Power grid infrastructures (as well as telecom, oil pipelines, etc.) are highly automated in the US, and have been demonstrated to have been attacked (c.f. http://online.wsj.com/article/SB123914805204099085.html?mod=googlenews_wsj [wsj.com] ). Having accidentally broken chunks of telecom infrastructure, I know how easy it is to create large-scale disruptions through control networks - even without ill intent. The FAA IG has reported that air traffic has already been disrupted by system breaches (c.f. http://online.wsj.com/article/SB124165272826193727.html [wsj.com], http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/ATC_Web_Report.pdf [dot.gov] ).
And this is the stuff that's publicly visible. There is definitely an iceberg effect here - there's a lot more under the surface that isn't readily visible to the public. There's good reason the Pentagon doesn't publish the full extent of attacks (successful and not) perpetrated against the DoD infrastructure - it's not a good idea to let attackers know how much you see (and don't). But the concern is based on real threats, and real attempts - this is not hysterical speculation. The rules of engagement haven't been defined (when is a hack attempt serious enough to merit retaliation? what's a 'cyber-exercise' v. an act of war? how definite does attribution of an attack need to be to become a diplomatic issue?). There are countries that are pushing all these envelopes to gain an edge.
So if this stuff is already going on at a low-rumble level, the threat is demonstrated, and the consequences can be foreseen, wouldn't it be irresponsible not to develop techniques and strategies to ensure this bad stuff doesn't happen?
Just because you're paranoid, doesn't mean people aren't out to get you.
Re:Are you kidding? (Score:3, Informative)
some pretty good ones, and many lame ones.
I have a machine running apache on linux that hosts some "sensitive files". Nothing that a government would want, but something that people who would want to mod certain hardware would want. I had one attack that tried to exploit an IIS vulnerability relentlessly for over an hour against my machine. It was funny because the files it was looking for didn't even exist, and had the script kiddie thought about it, would have checked the server type prior to launching the attack.
on the other end of the scale I had an attack that spidered the whole site, then probed likely holes in the filesystem where tidbits may have been found. I.e.: /index.html /content/file.html /content/collateral/images/picture.png
they would attempt directory view of /content/collateral/ to see what else was there (too bad directory listing is deinied by default in my .conf file)
-nB
Pax Americana at the Galleria, maybe (Score:1, Informative)
Without any regard to the veracity of your "manufacture existential threats" premise, the notion that we as a nation "are in a period of relative peace and stability" is complete and utter hogwash.
The USMC, US Army, elements of the USN, USAF larger IC, as well as significant chunks of our allies' armed forces, are really and actually at war--real and actual ordnance, rounds and other kinetic weapons are really and actually used against them, even as we are "speaking."
Pax Americana might be the case at the mall, but our armed forces are feeding the slipped loose dogs of war, and have been for coming up on 8 years!
Re:Are you kidding? (Score:3, Informative)
"Having the plans" is not enough. You have to have people able to interpret them and put them into action. Critical elements are often left out of engineering documentation and there's also always that stuff which was figured-out on the shop floor and never written down.
Slashdot's comments are frequently amusing, as armchair experts bolstered by 30 second's worth of Google search know everything. And are smug in their ignorance. They're probably the type that eventually gets into politics for all the wrong reasons.
Re:You're wrong. (Score:3, Informative)
My point is that you can shut down the economy with a very small effort. It could be done much more easily and inexpensively than trying to plant an ICBM on, or fly a bomber over, every power plant in the country.
Furthermore, banks have disaster recovery plans to operate from alternative datacenters if a natural disaster or fire wipes out one of their buildings. Such DR plans don't help much against hackers and DoS attacks.