Threat of Cyberwar Is Over-Hyped 123
nk497 writes "A new OECD report suggests the cyberwar threat is over-hyped. A pair of British researchers have said states are only likely to use cyberattacks against other states when already involved in military action against them, and that sub-state actors such as terrorists and individual hackers can't really do much damage. Dr. Ian Brown said, 'We think that describing things like online fraud and hacktivism as cyberwar is very misleading.'"
Perhaps... (Score:3, Insightful)
Perhaps the "movie science/actual science" effect is going on here...example: people see "Hackers", and think that's what "hacking" is. People then see either a script kiddy in their mom's basement or a government techie with sky-high stacks of paper on his desk (or working at a scarily-clean desk), and realize the actual act is pretty damn boring.
Yes and no (Score:5, Insightful)
Yes, describing fraud and hackivism as cyber war is misleadg.
No, it's not over-hyped.
Cyber-war is cheap, the knowledge on how to do it is free, and it doesn't need to take much manpower, as compared to conventional war.
It's about control not reality (Score:5, Insightful)
There's no real threat of cyberwar. And there's no real threat of me being blown by an airplane terrorist. But that's completely irrelevant for government leaders desiring to control everything within their sight.
So enjoy your slef-portrait porn, scanner-induced skin cancer, your breast/penis fondling by the SA, and the eventual limitations placed upon the internet/free speech. It's inevitable.
The real problem... (Score:5, Insightful)
"war" carries with it a strong series of historical associations, lessons learned, rules of thumb, rules, likelihoods, etc. Virtually none of them really map all that well into the area of computer security. If you use the term "cyberwar", though, you are implicitly trying to mash those (comfortingly familiar) concepts into a badly-fitting new environment. In a much less serious vein, this is why most movies that feature a "hacking" sequence usually make hacking look like beating a video game- because video games are "computery"; but they work very hard to simulate familiar rules.
Electronic attacks are a costly problem and, if some idiot connects the wrong control systems to the internet, or a laptop to the wrong control systems, potentially a dangerous one; but trying to map them into the historical concepts of "war" just doesn't work very well.
There's an elephant in the living room. (Score:5, Insightful)
The cyberwar is already ON between state actors. Stuxnet, for instance. Certainly targeted at Iran, almost certainly developed by the US, Israel, or both. There's the attack on Google and other non-Chinese companies from China in 2009 as well.
IMO, now that Stuxnet has paved the way, we WILL see cyberterrorism directed at other SCADA systems.
In a Perfect World (Score:4, Insightful)
Re:Well... (Score:4, Insightful)
A pair of British researchers have said states are only likely to use cyberattacks against other states when already involved in military action against them...
Right. Tell that to the Iranians [nytimes.com] who just lost 984 uranium-enrichment centrifuges to a US/Israeli worm.
Almost everything in the News is "over-hyped" (Score:3, Insightful)
Since the news media likes to repeat the same thing over, and over, and over, just about anything that hits the national press is either over-hyped or about to be over-hyped. That's just the way it is. Cyberwar is no different.
Re:"can't really do much damge"? (Score:5, Insightful)
I recently submitted [slashdot.org] a story to /. that is related to this very topic. Chief of defence staff in the UK, General Sir David Richards, argued a little while ago that the UK should have a cyber command [iiss.org], and that the UK faces what he called a 'horse verses tank moment' in coping with modern warfare, saying the the rules of war had changed as a result of the success of insurgents in Iraq/Afghanistan, and the threat of non-state actors. In particular, he said that 'We must learn to defend, delay, attack and manoeuvre in cyberspace, just as we might on the land, sea or air and all together at the same time. Future war will always include a cyber dimension and it could become the dominant form. At the moment we don't have a cyber command and I'm very keen we have one [google.com]. Whether we like it or not, cyber is going to be part of future warfare, just as tanks and aircraft are today. It's a cultural change. In the future I don't think state-to-state warfare will start in the way it did even 10 years ago. It will be cyber or banking attacks — that's how I'd conduct a war if I was running a belligerent state or a rebel movement. It's semi-anonymous, cheap and doesn't risk people.'"
Re:There's an elephant in the living room. (Score:2, Insightful)
And that elephant is named "espionage." The only difference today is that the systems are more complex and interconnected. Otherwise, "cyber-war" is no different than the ongoing spying and sabotage that's been practiced for decades. Espionage was never it's own entity which is why "cyber-war" is misleading.
Why the hell would states restrict usage? (Score:5, Insightful)
Cyber espionage (Score:3, Insightful)
NSAs cant do much damage? (Score:5, Insightful)
Do they mean like when, during the incident in Georgia, Russian hackers brought down the primary bank used by most Georgians for about a week? Look at what happened at 9/11. In physical terms, the damage was slight. A couple planes, a few buildings, and several thousand people gone. The actual act didn't really affect anything. It was the response generated by the attack-the fear, the anger-that prompted the stock market to drop, and the US to invade 2 countries. Terrorists do not care about physical damage, they go after symbolic targets that will create the most psychological damage. Say al-Qaeda brought down Bank of America's online systems for a few days. Economically it would not have much of an impact overall. However, it would shake people's confidence in the system, cause huge overreactions, and the damage would come not from the attack but from the response.
Consider this example: you want to attack the population of a walled city, and you have something that will make a water supply useless. What is going to have the bigger impact, poisoning the stream that runs by the walls, or poisoning the well in the middle of the town? With cyber attacks, a terrorist can essentially do this without ever having to set foot inside the walls. You want to really cause problems in the US and the rest of the West? You don't attack an embassy, or a military convoy. You don't even have to directly, physically attack the civilian populace. You simply attack their wallets. Make people worried that they can't get to their money, and you will have caused real problems.
CyberWar CyberEspionage (Score:4, Insightful)
states are only likely to use cyberattacks against other states when already involved in military action against them
Well Stuxnet has already blown that theory. Network intrusions and system compromises are only part of the equation. Cyber espionage is alive and well and extremely prevalent. The only difference between a cyber-attack and cyber-espionage is whether you're just stealing valuable info or actively damaging things. China is only interested in acquiring technical knowledge at this point. Also by quietly exfiltrating data as they are, it makes it much harder to find out just how deep they are. If they start breaking things, their methods and access gets discovered. Better to be quiet and maintain access in case they want to turn malicious and actively disrupt things..
Re:The real problem... (Score:4, Insightful)
It's really computer espionage and/or sabotage. Those have been parts of warfare for as long as there has been war.
Since the Internet lets you engage in espionage and sabotage with zero risk of being physically caught, it changes the dynamic to something we haven't seen before. But it's not completely unrelated to warfare as it's always been done. The real constant about it is the lack of constants, as the level of technology constantly increases and presents new opportunities to thwart or take advantage.
Re:The real problem... (Score:4, Insightful)
Your old-school landline was associated with a place, in that its area code probably actually meant something, it was physically terminated in a given building(which, if a residence, quite likely had more occupants than phone lines). Also, billing may well have drawn a distinction between "local" and "long distance". It was further localized in that, unless specifically unlisted, it would be printed in the local telephone directory.
Your cellphone, by contrast, is more typically connected with a person. Odds are that its area code is nearly arbitrary, it is listed in no phone books, and its billing is flat at least within an entire country, if not more broadly. It is not at all uncommon for a household to have a cell per person, and, since there is no physical hookup, even people without addresses commonly have them.
There are also the broader social changes: social event organization certainly isn't the same if you can only call somebody when you are both in a building with a phone. Just ask an old person about the rise of the spontaneous "eh, we'll figure it out as we go and text you" model of social planning. That simply didn't work with the old material culture. Never mind the(less notable in the wealthy west; but dramatic among the poor here and abroad) change from "you basically can't get a line run and provisioned for less than $$ a month; but the calls cost essentially nothing" to "calls cost $/minute; but you can literally get a phone and some starter minutes at any corner store for 15-20bucks".
Also, of course, we have the fact that landline phones work very well as dumb extensions of the network. The older ones are even powered by it. Thus, the landline world has seen an almost complete dichotomy: phones, which have remained dumb as bricks, with the exception of message machines, and modem-connected computers, which are wholly free of telco control and treat the network as a dumb pipe. Cellphones, on the other hand, have to be pretty sophisticated devices just to work, so they started sprouting additional features early; but were always much more creatures of the carriers. Hence the continuing differences between the evolution of the "smartphone" and the evolution of internet-connected devices with their heritage in modem-linked PCs.
I don't wish to claim that yours is precisely analogous to "war" vs. "cyberwar"; but I would very much claim that it does demonstrate the sort of important changes that an apparently simple switch can hide. My contention would be that somebody trying to approach a "cyberwar" based on the "war" part would be roughly like somebody trying to use a bleeding-edge smartphone by looking things up in the phone book and attempting to rotary dial the touch screen.