The Hysteria of the Cyber-Warriors 150
Posted
by
Soulskill
from the y2k-is-looking-more-reasonable-by-the-day dept.
from the y2k-is-looking-more-reasonable-by-the-day dept.
Willfro sends in a piece by Evgeny Morozov at the Boston Review about the hyperbole and the reality of "cyber war." Quoting:
"At the end of May, President Obama called cyber-security 'one of the most serious economic and national security challenges we face as a nation.' His words echo a flurry of gloomy think-tank reports. Unfortunately, these reports are usually richer in vivid metaphor — with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' — than in factual foundation. So why is there so much concern about 'cyber-terrorism?' Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies — which need to justify their own existence — and cyber-security companies — which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts."
Re:Ignorance Leads to Fear Leads to Profit (Score:3, Interesting)
I agree. And seems there just keeps coming more and more news about how this goverment facility was attacked, how that goverment office was hacked and how pretty much whole goverment is in cyber war with china and other "bad countries". For me it seems like US is trying to push that into peoples minds, so they can more easily create new laws to restrict internet. Seems goverments are quite afraid now that normal citizens can quite freely tell their opinions to large user base. TV and radio and other ways to tell your opinion to lots of people were restricted and under goverment control before. Freedom on the internet scares them.
More worried about SPAM (Score:5, Interesting)
Of the 63 MILLION emails we've processed for our clients (About 60 companies run through our spam filter) 58 million of them are blocked as SPAM.
So only 1/12th of the email traffic we see is legit. One of our clients has its own spam filter because they process that much email all by themselves and they have closer to a 1/20 legit traffic.
SPAM is a bigger threat to the network than some hypothetical cyber-terrorist.
The post-nuclear war threat (Score:5, Interesting)
The US no longer has to worry about nuclear war or even conventional war because we have the means of "winning" a nuclear war and can easily crush any country in a conventional war except, perhaps, the PRC. Even the European Union would not likely hold out against us in a conventional war. Our military knows that, and the majority of the world knows that. We are in a period of relative peace and stability, a Pax Americana. Thus we have to manufacture existential threats to keep the momentum going.
Going back to that post about government IT spending, I'd like to point out something about the military industrial complex that many don't realize. Just keeping the US military ready to go as a kick ass self-defense force with modest offensive capabilities is expensive. There is plenty of money to go around, and you're much more likely to see the agencies that now have to justify their existence like DHS getting in on this bandwagon than the DoD. For the traditional apparatus, it's always business as usual keeping the basic defense of US sovereignty going. For the rest, like DHS which has to find a new enemy under every bush, they have a lot of good reasons to be afraid.
Re:Ignorance Leads to Fear Leads to Profit (Score:4, Interesting)
Because no one fully understands it. And not understanding something can easily lead to fear.
Understanding plays a large part. But, it's also about an individual's lack of control. Most everyone depends upon the network and computer infrastructure of our world to meet their basic, day-to-day needs. Almost all of that infrastructure is out of their individual control. Their actions have no direct relationship to how likely they are to be affected by any "cyber"-attack.
People don't get this batty about hurricanes or even conventional terrorist attacks (like 9/11); not everyone is equally likely to experience such an event, and there are actions one can take to minimize their risk. Things like cyber-attacks and virulent diseases provoke more fear because they are seemingly harder to mitigate by individual action, and are seen as more equal-opportunity.
You're wrong. (Score:5, Interesting)
It's fear, yes. But it is extremely well-justified fear.
I do penetration tests for large companies. It's bad. Everywhere. The only reason penetration tests are ever unsuccessful is when the tester's hands are tied. Attacker's hands are not tied. Furthermore, denial-of-service flaws are universally ignored because information disclosure is considered a higher priority, and most companies have their hands full dealing with those flaws.
So let me make this as clear as possible: A single individual could shut down pretty much any large company. A group of individuals (say, from a hostile government) could halt operations in multiple simultaneous companies. Target a few large supply-chain management companies and a few large payment-processing/banking companies, and it would be relatively easy to shut down the economy for a while.
That means food rots on delivery trucks while paychecks stop flowing to employees. And don't think we will all switch over to doing things by hand during such an attack. The infrastructure to do so has been dismantled. We are entirely dependent on digital transactions these days.
Why hasn't such an attack happened? Is the probability really "low" as you suggest? It's just a matter of motivation. There isn't much profit in doing such a (tedious) thing for the eastern-european hacker crime groups, nor for the bored teenagers. There is more profitable, lower-hanging fruit. But if we went to war with a sophisticated nation, the motivations are entirely different. Widespread DoS combined with targeted database corruption would do much more damage to the economy (that thing that allows us to have the best military) than similarly-funded missile strikes.
Ignore the sound-bites security companies feed the media, but don't ignore the problem. This is perhaps the weakest part of our nation's defense infrastructure.
Re:Irrelevant Info (Score:3, Interesting)
We can brainstorm this on email if you like.
It's just about my top interest topic.
Re:Elevating a simple scenario to a movement (Score:3, Interesting)
Then there are items that we all assume are not exposed to the internet at all. Power systems come to mind as an item that is talked about a lot in cybe attacks but can anyone really quantify the extent to which a hacker can even access those systems remotely? One would hope those sites don't use the public internet to coordinate the power grid. That WOULD be a nightmare waiting to happen because a cyber attack could do a tremendous amount of real damage (AKA exploding transformers and melted transmissions lines).
A lot of this depends on just how stupid and short-sighted the people are who are running these systems. But if all we're talking about here is DDoS then it is a non-issue IMO. It would be a hassle for the IT departments but I have 100% faith that the IT infrastructure across America could easily handle even the most pernicious DDoS. If 4chan can manage to stay online then I think the US could survive a DDoS from N. Korea.
Re:Ignorance Leads to Fear Leads to Profit (Score:3, Interesting)
Really? I personally don't. Can you cite examples?
Sure.
Though you state later that you don't need electricity, a large percentage of the food sold in the US requires refrigeration of some kind. Most people could last a week eating just the non-perishables in their homes, but any longer and they might start running into problems.
The production and transportation network which gets that food to your supermarket is heavily reliant upon computers. Just-in-time shipping, and complex international supply chains rely upon networks of computers to function.
Even then, the employees of those companies which produce the things you need are usually paid by check or direct-deposit, not cash. How long do you think they'll continue to work if the banking system--which relies upon computers--is down, and they can't cash their checks or withdraw funds from their accounts?
Now yes, we don't strictly need computers to do any of this. We got by just fine fifty years ago, and could do the same thing today. It's the sudden transition that's the problem.
I'm pretty sure I can manage for quite a while without any of those.
Probably. But, I'm not just talking about some Mad Max style societal breakdown. The US GDP is $38 billion per day. If you could disrupt even 2.5% of our economy through a cyber-attack, thats one billion dollars per day in lost production. That's a big deal.