Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Government The Internet The Media News Politics

The Hysteria of the Cyber-Warriors 150

Willfro sends in a piece by Evgeny Morozov at the Boston Review about the hyperbole and the reality of "cyber war." Quoting: "At the end of May, President Obama called cyber-security 'one of the most serious economic and national security challenges we face as a nation.' His words echo a flurry of gloomy think-tank reports. Unfortunately, these reports are usually richer in vivid metaphor — with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' — than in factual foundation. So why is there so much concern about 'cyber-terrorism?' Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies — which need to justify their own existence — and cyber-security companies — which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts."
This discussion has been archived. No new comments can be posted.

The Hysteria of the Cyber-Warriors

Comments Filter:
  • by eldavojohn ( 898314 ) * <eldavojohnNO@SPAMgmail.com> on Wednesday July 01, 2009 @11:23AM (#28544023) Journal

    Unfortunately, these reports are usually richer in vivid metaphor -- with fears of 'digital Pearl Harbors' and 'cyber-Katrinas' -- than in factual foundation. So why is there so much concern about 'cyber-terrorism?'

    Because no one fully understands it. And not understanding something can easily lead to fear. And those standing to make money off that fear (journalists, contractors, agencies) are unashamed to exploit it.

    I'm a computer scientist and I don't even understand or know about every potential vulnerability. It's simply too complex ... and that's easy to turn into fear when you're talking to the people who are in charge of protecting us from threats. And the potential mitigation techniques are another endless myriad of complex software/hardware. All I can say is that it is highly unlikely that a Live Free or Die Hard 'fire-sale' scenario will happen. I can't in good conscious tell you it's impossible. I can tell you that the probability of it happening within a year would most certainly be dealt with in multi-digit negative powers of ten. Then there's the possibility of lesser attacks which are highly probable but I feel that the cost-risk ratio is all messed up. Again, I believe this is due to ignorance.

    You get into a weird sort of emperors-new-clothes kind of situation when the only people who understand your problems are also the ones trying to sell you a solution. And they're just not being openly honest nor realistic with you.

    • Re: (Score:3, Interesting)

      by sopssa ( 1498795 )

      I agree. And seems there just keeps coming more and more news about how this goverment facility was attacked, how that goverment office was hacked and how pretty much whole goverment is in cyber war with china and other "bad countries". For me it seems like US is trying to push that into peoples minds, so they can more easily create new laws to restrict internet. Seems goverments are quite afraid now that normal citizens can quite freely tell their opinions to large user base. TV and radio and other ways to

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      I agree and I would add the simple fact of life that politicians love to BS and love to be seen as though they are "with it", whatever "it" happens to be at the time. Same thing over here in the UK, all the policticians are using the prefix "cyber" on every bloody thing they can, without really thinking about it. Old gits, with about 5 years of working life left, before they bugger off to some highly paid consultant job, bandying "cyber" about like so much confetti. Just to make it seem like they understand

    • by FriendlyLurker ( 50431 ) on Wednesday July 01, 2009 @11:44AM (#28544487)

      Not to mention that in the process of securing against the "cyber-terrorism" bogeyman [slashdot.org], an big added benefit for ruling elites will be removing net anonymity and related speech in the name of national security, bringing all those blogs and uncontrollable information channels under heel in a more hierarchical system - or at least more accountable to an "authorized views", type system - ("Take down that anti-war protest site and uncensored video footage - preempt information warfare against our war, sir") and of course, only authorized p2p channels and protocols allowed in this future we are manufacturing, thanks.

    • by Anonymous Coward on Wednesday July 01, 2009 @11:51AM (#28544627)

      "I'm a computer scientist and I don't even understand or know about every potential vulnerability. It's simply too complex"

      And yet you're claiming that "the probability of it happening within a year would most certainly be dealt with in multi-digit negative powers of ten."

      Not sure where you're getting your confidence from. You've basically just said that these complex systems are extremely vulnerable. Meaning, even you can't be clear to what extent these vulnerabilities can be used to cause damage.

      • Look, to a great extent the net is fairly robust.
        it has some weak points like the top level routing algorithms and such but the die hard thing is utter bullshit.

        It takes a great deal of time and effort to break into even one system(that isn't windows or out of date or both), if your plan involves hacking many many systems, some of which aren't even on the internet then best give up now.

    • by johnsonav ( 1098915 ) on Wednesday July 01, 2009 @11:52AM (#28544647) Journal

      Because no one fully understands it. And not understanding something can easily lead to fear.

      Understanding plays a large part. But, it's also about an individual's lack of control. Most everyone depends upon the network and computer infrastructure of our world to meet their basic, day-to-day needs. Almost all of that infrastructure is out of their individual control. Their actions have no direct relationship to how likely they are to be affected by any "cyber"-attack.

      People don't get this batty about hurricanes or even conventional terrorist attacks (like 9/11); not everyone is equally likely to experience such an event, and there are actions one can take to minimize their risk. Things like cyber-attacks and virulent diseases provoke more fear because they are seemingly harder to mitigate by individual action, and are seen as more equal-opportunity.

      • Re: (Score:3, Insightful)

        by JAZ ( 13084 )

        Most everyone depends upon the network and computer infrastructure of our world to meet their basic, day-to-day needs.

        Really? I personally don't. Can you cite examples? Most of the systems that I rely on predate the computer and network infrastructure by decades. I have enough food and water around the house to last a week of normal consumption (i.e. without rationing). I'm pretty sure that I don't need a computer for my toilet to flush (I'll admit I could be wrong about that). Other than that, I rely on roads, but I don't *need* the traffic signals to work. Power is a nice to have, but again not required. what else

        • Re: (Score:3, Interesting)

          by johnsonav ( 1098915 )

          Really? I personally don't. Can you cite examples?

          Sure.

          Though you state later that you don't need electricity, a large percentage of the food sold in the US requires refrigeration of some kind. Most people could last a week eating just the non-perishables in their homes, but any longer and they might start running into problems.

          The production and transportation network which gets that food to your supermarket is heavily reliant upon computers. Just-in-time shipping, and complex international supply chains rely upon networks of computers to function.

          Even th

          • If you could disrupt even 2.5% of our economy through a cyber-attack, thats one billion dollars per day in lost production.

            Here in the UK we lose a good deal more than 2.5% of our productivity through having to comply with pointless beaurocratic nonsense. The government's main response is to to add an extra layer of beaurocracy to everything.

            The real cyber-security problem at the moment is the unwillingness of government to do anything at all about spam. Hell, if they can't arrest and incarcerate even

          • by JAZ ( 13084 )
            All valid points, but... 2.5% would be a huge hit - you're talking about taking down like 600,000 of America's 25 million businesses. Of course some are more important than others but when we get down to small segments that are higher value, we can get by without those for a day or two while either the computers are repaired or the work is process manually. I'm not saying it wouldn't be a big deal or that it might not be painful. But when we talk about day to day dependencies, then we're talking about su
            • Of course some are more important than others but when we get down to small segments that are higher value, we can get by without those for a day or two while either the computers are repaired or the work is process manually.

              I'm not arguing that there is a single facet of our economy that could not run just fine without computers. I am arguing that there are plenty that could not tomorrow. Changing the work flow in those instances takes time. If you have time to prepare contingency plans, you can probably continue working uninterrupted. But, if you don't have them, and know them well, that will mean downtime in the event of some kind of cyber-attack (or many other more innocent types of disruption).

              For example: I used to work a

      • Well, I've never experienced a terror attack personally, but I have been through the eye of more than one Category 5 hurricane, and I can assure you people go pretty batty over that. Besides, what would you call the election of Bush in 2004 if not batty behavior, given what an obvious fuckup he made of the Iraq war and plundering the US Treasury?
        • Well, I've never experienced a terror attack personally, but I have been through the eye of more than one Category 5 hurricane, and I can assure you people go pretty batty over that.

          Sure, in the midst of the hurricane people go pretty batty. But, when it's not hurricane season people don't lose too much sleep over the possibility of hurricanes sometime in the future.

          A hurricane, in the words of Donald Rumsfeld, is a known unknown. You don't know exactly when or where one will strike, or how strong it will be; but, you do know quite a bit about hurricanes in general, what you can do to minimize your risk, and what kind of warning you'll have before it hits. In short, there's something y

          • You flinch more when you've been hit a few times. I lived in the tropics for 19 years and there were two reactions to hurricane season: low level terror, or just ignore it. In 1995 we had many many storms pass within a couple hundred miles before veering off, then Luis and Marilyn whacked us with category five one-two punches. You wanna see terror? Wait until you've lost your roof in the first store, when you hear that the next storm will hit within 24 hours, but the airport is closed and you cannot leave t
    • I see your point, but that can't be all there is to it. If we take sept 11 for example, it doesn't take a genius to figure out that the cockpit needs to be locked, secure from both attackers and the pilots themselves. And sure, the average person might not understand the concept of an air gap, but they don't understand how a real crack works either. So, given two possible solutions, one rational, and the other "omfg, we're gonna die unless we have a panopticon prison state!" that they're equally unclear on,

    • Agreed - the likelihood of a "fire sale" scenario is very minimal, but the odds for any given individual getting caught up in a specific attack on a "soft target" such as in the TJ Maxx case are about 1:1. I have already been involved in 3 - one of those incidents put a coworker in the sights of an identity thief. This is the issue: It's the same old game - "Security is a cost to be minimized, not a "value-added" feature of a business", "It's not like we're protecting national security info", "Why would
      • by Svartalf ( 2997 )

        Agreed - the likelihood of a "fire sale" scenario is very minimal, but the odds for any given individual getting caught up in a specific attack on a "soft target" such as in the TJ Maxx case are about 1:1. I have already been involved in 3 - one of those incidents put a coworker in the sights of an identity thief.

        Indeed. In fact, there's quite a few soft-target attacks that're possible that people just don't give thought to that can really cause a lot of havok.

        Moreover, there's a few hard-target risks that

    • You're wrong. (Score:5, Interesting)

      by Lord Ender ( 156273 ) on Wednesday July 01, 2009 @12:36PM (#28545555) Homepage

      It's fear, yes. But it is extremely well-justified fear.

      I do penetration tests for large companies. It's bad. Everywhere. The only reason penetration tests are ever unsuccessful is when the tester's hands are tied. Attacker's hands are not tied. Furthermore, denial-of-service flaws are universally ignored because information disclosure is considered a higher priority, and most companies have their hands full dealing with those flaws.

      So let me make this as clear as possible: A single individual could shut down pretty much any large company. A group of individuals (say, from a hostile government) could halt operations in multiple simultaneous companies. Target a few large supply-chain management companies and a few large payment-processing/banking companies, and it would be relatively easy to shut down the economy for a while.

      That means food rots on delivery trucks while paychecks stop flowing to employees. And don't think we will all switch over to doing things by hand during such an attack. The infrastructure to do so has been dismantled. We are entirely dependent on digital transactions these days.

      Why hasn't such an attack happened? Is the probability really "low" as you suggest? It's just a matter of motivation. There isn't much profit in doing such a (tedious) thing for the eastern-european hacker crime groups, nor for the bored teenagers. There is more profitable, lower-hanging fruit. But if we went to war with a sophisticated nation, the motivations are entirely different. Widespread DoS combined with targeted database corruption would do much more damage to the economy (that thing that allows us to have the best military) than similarly-funded missile strikes.

      Ignore the sound-bites security companies feed the media, but don't ignore the problem. This is perhaps the weakest part of our nation's defense infrastructure.

      • Umm no. You are the person that this articles talks about. It's in your interest to over hype the risk and given it's your area you of course believe it's the most important thing in the world.

        A single individual with a $500 gas axe from the local hardware store and a 4x4 could cut the power to any major city for weeks in a few hours simply by taking the bottoms out of remote high voltage power lines that feed most cities.

        A group of individuals could cut power for months.

        Or how about dumping a few thousa

    • IANACS though. But neat to have another acronym.

    • Re: (Score:3, Insightful)

      by pipingguy ( 566974 ) *
      When all you have is a hammer, everything starts to look like a nail. But now we have pneumatic hammers with 100 round magazines and a plethora of frightened people willing to get their hands on them.
    • probability of it happening within a year would most certainly be dealt with in multi-digit negative powers of ten

      That's not helping, really...

      Politician: "So you would say there's about a ten percent chance?"

  • Uh, seriously? Journalists and other people with something to gain from it take a sensationalist view point and run with it?

    Holy crap, really? They do that? Huh.

    Oh well. /eats some Cheetos. What's on the tube?

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday July 01, 2009 @11:27AM (#28544129)
    Comment removed based on user account deletion
    • I see that same type of problem every day, with front door, side door, and back door (no not THAT kind of back door) attempts each and every day from Chinese IP addresses. Don't think they're trying to get into your system ? Take a look at your log files, you'll see them. If you don't have log files ...

      • Care to elaborate? What kinds of attacks?
        • Re: (Score:3, Informative)

          by networkBoy ( 774728 )

          some pretty good ones, and many lame ones.
          I have a machine running apache on linux that hosts some "sensitive files". Nothing that a government would want, but something that people who would want to mod certain hardware would want. I had one attack that tried to exploit an IIS vulnerability relentlessly for over an hour against my machine. It was funny because the files it was looking for didn't even exist, and had the script kiddie thought about it, would have checked the server type prior to launching

        • by jc42 ( 318812 )


          Care to elaborate? What kinds of attacks?

          Oh, you know; pings from lots of different addresses. That's a "DDoS" attack, y'know.

          (Yeah, I know; the military security guys aren't that dumb. But many of their superiors are, and they have a strong incentive to play up such things. That's how you get funding, after all.)

    • by TerranFury ( 726743 ) on Wednesday July 01, 2009 @11:52AM (#28544653)

      Yeah, but it's not cyber-"terrorism;" nothing is going to blow up. It's just espionage.

      Plus, I've got to wonder how much of this is truly "hackers" from the outside, and how much is just the result of employees taking data with them -- whether they're just being sloppy, or actually malicious (e.g., ethnic Chinese with misplaced loyalties (god do I hate nationalism)).

      Whatever the case, without disclosure for each "incident" of what actually happened in technical terms, we the public will never understand what's going on at any level besides "OMG HACKERS" -- which can mean anything.

    • Re: (Score:3, Insightful)

      by ThosLives ( 686517 )

      This is why I think that true security lies not in keeping people from obtaining information, but from setting things up so that it is irrelevant if people obtain that information.

      Consider the situation where someone knows all the internal workings of, say, the JSF, but it's designed in such a way that that knowledge would not allow someone to prevent the use of the JSF.

      Or consider "identity theft": what if it didn't matter if someone stole your "identity" because there was nothing they could do with it any

    • by steelfood ( 895457 ) on Wednesday July 01, 2009 @12:40PM (#28545611)

      Everybody, governments, companies, content creators, privacy advocates, have the same problem: digital information is cheap to disseminate.

      If somebody breaks into a library of secret documents, there's a limit to how many copies they can make and take out. Even if they were to scan and store every page in every folder in every cabinet, it's still extremely time-consuming.

      If somebody breaks into a computer full of secret documents, it takes seconds, maybe minutes, to copy the whole thing. And, the person doesn't have to be physically located by the computer. The person could be halfway around the world, or just right next door but seem halfway around the world.

      What it amounts to is that secret-keeping is becoming more and more difficult. Actually, this isn't true. The difficulty of secret-keeping hasn't changed. But society desires convenience. And little do people know, these two concepts are mutually exclusive.

      Furthermore, while convenience is individual, keeping secrets is communal. "Secret" is a term that only has meaning within the context of systems, i.e. only people inside the system know the secret, while people outside the system do not know. The problem is when one individual wants convenience and compromises secrecy for it, then the secret is effectively compromised.

      Everybody just wants to have their cake and eat it too. That kind of logical impossibility will not happen, no matter how much we might desire it.

    • plans for the JSF fighter were sold.

      Fixed that for you. Seriously, you must mean ALL THIS DATA [google.com].

    • Re: (Score:3, Informative)

      by pipingguy ( 566974 ) *
      Its kind of a big deal when the U.S. military can't keep its data secure.

      "Having the plans" is not enough. You have to have people able to interpret them and put them into action. Critical elements are often left out of engineering documentation and there's also always that stuff which was figured-out on the shop floor and never written down.

      Slashdot's comments are frequently amusing, as armchair experts bolstered by 30 second's worth of Google search know everything. And are smug in their ignorance. T
      • Comment removed based on user account deletion
        • The most amusing people on Slashdot are the conceited, dysfunctional nerds who argue with statements they know are true and launch personal attacks for no reason other than to satisfy their own anti-social tendencies.

          I agree. Have you ever worked in a large engineering organization? I mean companies that design/build bridges, refineries and that scale of project.
  • by Kintanon ( 65528 ) on Wednesday July 01, 2009 @11:38AM (#28544349) Homepage Journal

    Of the 63 MILLION emails we've processed for our clients (About 60 companies run through our spam filter) 58 million of them are blocked as SPAM.
    So only 1/12th of the email traffic we see is legit. One of our clients has its own spam filter because they process that much email all by themselves and they have closer to a 1/20 legit traffic.
    SPAM is a bigger threat to the network than some hypothetical cyber-terrorist.

    • Spam is an inconvenience. A foreign government (or disgruntled locals) hacking into military or infrastructure systems is a threat, whether or not it's actually happening to any degree. Having most of the susceptible systems attached to public networks is ridiculous.
  • Internet security has been an issue ever since the beginning and we have been handeling it just fine. Why should it suddenly become a government issue?

    • Re: (Score:3, Insightful)

      by BunnyClaws ( 753889 )
      Because security concerns are mana for The Leviathan.
    • by al0ha ( 1262684 )
      Disagree. It should be a government issue, but not solely a government issue and certainly not a clandestine government organization issue. Information and Network Security should be shared and handle by all end-points, government, commercial and private; and they should all work together and share information openly.

      Bruce Schneier has an interesting essay which touches on this subject. http://www.schneier.com/essay-265.html [schneier.com]
    • by PPH ( 736903 )

      The 'we' that you refer to is evidently not a part of the set of people that connect insecure equipment to the Internet. Good for you, but you don't represent the majority of users.

      I wish there was something akin to a driver's license for the web, where a judge could order incompetents to hand it over, box their computer up and take it back to the store. But that's not likely to happen in the near future.

    • I can think of a couple of reasons its a government issue.

      * The government has computers on the internet. If our taxpayer money is being spent on government security, it might as well go to benefit infrastructure as well.

      * In the last couple of years there has been a major increase in how comfortable "normal" people are with doing business on the internet, with potential negative impact gaining greatly.

      * People are starting to take notice at how little security has been designed into a lot of critical infra

    • Why should it suddenly become a government issue?

      Because more and more important stuff is being connected to the Internet.

      Back when the web was a collection of our ugly home pages hand-coded in html-1.0 view with Mosaic, it really didn't matter if someone broke in to your site.

      We don't live in that world anymore.

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Wednesday July 01, 2009 @11:39AM (#28544369)
    Comment removed based on user account deletion
    • by gtall ( 79522 ) on Wednesday July 01, 2009 @12:34PM (#28545499)

      The U.S. no longer has to worry about nuclear war? Probably. However, those nice N. Koreans are about as well adjusted as a squirrel after his third cup of coffee. Want to bet that even knowing full well they'd get annihilated, they wouldn't lob one in our direction if they started something they couldn't win? How about Al Qaeda and those gentle Islamic fanatics. Care to guess what they'd do with one of Pakistan's nukes if they were to, I don't know, maybe get one slipped to them as long as no they didn't ask questions?

      Yes, DoD is expensive, losing a war is vastly more expensive. Let's talk some numbers, shall we. The U.S. DoD recurring budget (forgetting about Iraq and Afghanistan) is roughly $600 Billion/yr. Our recurring budget deficit is over $1 trillion. So even halving DoD's budget won't put us in the money. That doesn't count the Me Generation demanding their slice when they start retiring because there's nothing worse than a Baby Boomer who isn't made to feel the center of attention. Deficits from those nutjobs are well north of several trillion.

      So no, there's isn't plenty of money to go around. Also, before you hop on the disarmament wagon train, you might want to consider that other countries reactions to the loss of the U.S. nuclear umbrella are probably not what you'd like them to be. First off, if Iran goes nuclear and the U.S. isn't around to back up the Arabs that hate us, the Arabs will want theirs too...of course they could rely on the Europeans...bwahahaahahaha...seriously, no one relies on those jokers. Hell, the U.S. is allied with them and knows better than to rely on them. Then there's the Asian countries who dearly love their Chinese brothers...as long as the their Chinese brothers don't have designs on their land, raw materials, etc...which they do. They will likely demand a nuclear counterpoint to China, Japan will find their pacifist notions are mere indulgences they can ill afford with China pushing them around, not to mention those nice well-adjusted N. Koreans.

    • There are very, very few countries the USA could attack right now without doing great harm to its own economy, and most of those countries are tiny third-world nations. The stimulus to the arms industry could no more hope to compensate for the damage to international trade, than you could violate the laws of thermodynamics.

      The European Union and even the PRC could be destroyed militarily, but each of these events would cause hyperinflation in the USD, and essentially an economic apocalypse in the US. It'd b

      • (PS: Note that for that to work at all, the military would have to hurry like hell to get the destruction over with because they'd be out of stuff to pay their guys in a few weeks.)

  • Fear == Revenue (Score:2, Insightful)

    by iCantSpell ( 1162581 )

    If country A were to take down country B internet connection then country A wouldn't be able to spy on country B or even get sensative info. I honestly don't think it's a big of a problem as they make it out to be.

    Most of it's just hollywood and bad publishing, but the main idea behind all this is revenue.

    The gov get's more spending, the site/paper that publishes the story gets more notice, and the list could go on forever. The truth of the fact is if people knew the facts then no one would beable to sell "

  • At my job if email goes down, work stops.. 100% shutdown. The organization has largely gone paperless. I'd imagine most other gov't organizations are the same way. That's only one service of many.. so cybersecurity is very important in my book. Unfortunately a national level of security seems impossible, offensively yes, but not defensively.

    • At my job if email goes down, work stops.. 100% shutdown. The organization has largely gone paperless. I'd imagine most other gov't organizations are the same way....

      Uh, OK, stop right there. Paperless in Government? You are referring to the US Government, yes? The same Government who requires forms filled out in triplicate just to order...more forms?

      Apparently you've not caught a glimpse of that tree-killing beast up close and personal.

      • by tibman ( 623933 )

        About 5 years ago the government made a big push towards being paperless. Especially for the military. LESs are online, every record gets digitized now (including medical), training manuals and regulations are distributed by cd instead of book. Not only that but paper recycling is absolutely manditory, no exceptions.

        Maybe it's the civilian government that is still operating primarily with paper. Military organizions only use it as a temporary means of information storage, not a primary.

        The only places y

  • by recharged95 ( 782975 ) on Wednesday July 01, 2009 @11:40AM (#28544407) Journal
    a. Turn off your computer.

    b. Turn off your phone.

    c. Turn off your TV.

    d. Take that $20 bill in your wallet (better yet in a different society, you wouldn't need money)

    e. Go buy a slice of pizza. Enjoy the outside environment.

    .

    . See that wasn't so hard.

    .

    That what would likely happen in a cyber attack. It's more like a 'snow' day in DC. Of course, if a physical Pearl Harbor, 9/11 or Katrina happened, you would NOT be able to do the above. As for money: if major bank computer systems gets wiped for instance, as long as 'someone' has an audit of recent account info and transactions, you'll be taken care of to some extent. Sure you may lose money, but life isn't going to end.

    .

    Therefore, this is exploiting technology for the purpose of generating 'progress'. A. That's a politician's job (to look useful in keeping your "well being" SAFE) and B. that's a skill where gov't excels (exploitation).

    • Re: (Score:3, Funny)

      $20! For a slice of pizza? That's outrageous! And you say we have nothing to fear.
      OMG, we're all gonna die!

    • Really? Now go unplug your refrigerator, and turn off your lights. I'm not saying that this is likely to happen. Just that, yes, references to Pearl Harbor or Katrina are valid. How likely that Pearl Harbor or Katrina is going to happen is another question.
    • How about an attack that corrupts over a period of months, then wipes out, a state EBT/food stamp database?
      • Re: (Score:3, Interesting)

        Comment removed based on user account deletion
        • by Svartalf ( 2997 )

          I guess that is the fear. We assume that vital systems are not only "hardened" but that they have a robust backup/restore plan. State systems that deliver vital services are a really good example where you'd assume everyone would be fired and start from scratch if auditors found there was no backup/restore plan in place. It might be a matter of degree that we're talking about here. Does every vital system need a cold site that can be made hot with yesterday's data within 12 hours? Maybe.

          Unlikely.

          It's becaus

          • most of this stuff is secured only to about 1/4-1/2 of the cost incurred by a complete loss of the system

            Most of the stuff could be secured by ditching windows and replacing it with free software.

            This _is_ /. - remember?

    • See that wasn't so hard.

      That $2 slice of pizza implies - along with much else - the ability to move dairy and produce quickly and efficiently from the farms to the wholesale market or directly to the processing plant and from there to the fast-food outlet.

      Try negotiating all the intermediate steps by cash or barter - with no telephone - telegraph - telex - fax or e-mail to monitor the traffic and speed it along.

      The first and most obvious impact is that costs skyrocket. You need to field armies of commissio

    • Except the kid at the pizza place is going to say "I'm sorry, our registers are down". After someone digs out a calculator they will start taking orders and making pies. You'll say get a calculator out, but they won't know the prices of anything because the LCD menuboards are out.

      You would drive to a different store, but they someone hacked the OnStar network and bricked your car.

      You would go out for a walk, but the TV weatherguy says there are multiple hurricane, tsunami, and tornado warnings. This

    • Um....you do realize that it takes longer than a reboot to recover from a proper cyber attack, yes?

      So you might be able to get pizza on day 1, if you hurry and they have one sitting around the store. The lack of an oven would kinda hinder their on-going production. (Despite being gas appliances, they have electrical ignition. No electricity and the gas is turned off for safety.)

      f major bank computer systems gets wiped for instance, as long as 'someone' has an audit of recent account info and transactions

  • by visible.frylock ( 965768 ) on Wednesday July 01, 2009 @11:41AM (#28544411) Homepage Journal

    In the face of meatspace terrorism, meatspace liberties can be curtailed. That's why there's "concern" over cyberterrorism. Because the internet is not healthy for the establishment. It can spread both truth and propaganda, but currently, it tends too much toward truth for the establishment. If that sounds crazy to you (nothing on the internet but lies and pr0n!) then you haven't looked around.

    FTA:

    It is alarming that so many people have accepted the White House's assertions about cyber-security as a key national security problem without demanding further evidence. Have we learned nothing from the WMD debacle? The administration's claims could lead to policies with serious, long-term, troubling consequences for network openness and personal privacy.

    Yes, this same thing keeps happening, where a (possibly) real world problem is used to justify a curtailing of freedom, consolidation of power, and serving various agendas of people in power at the time. A cynic might say it's planned, but we're not cynical, are we?

    I suggest we give it a name. Let's call it Problem-Reaction-Solution.

  • Fear is one of the biggest motivators. The squeaky wheel gets the grease. As Americans, we are unfortunately conditioned by fear based language. Unless something is presented to us as scary and threatening, we tend to ignore it. In order to get funding for projects, politicans and the like have to play the fear card. They will present doomsday what-if scenarios, and threaten to put responsibility for failure on anyone who gets in the way of getting things done.

    Although I agree that "cyber security" sho

  • by SgtChaireBourne ( 457691 ) on Wednesday July 01, 2009 @11:51AM (#28544603) Homepage

    Look, for the first round of clean up no "cyberwarriors" are needed. We just had yet another article about how single city, for a single Windows worm, lost millions due to clean up. In that case it lost over $2.5 million [slashdot.org], including rewarding the designers of the security flaws to the tune of $1 million. Knocking down a water tower would probably cost less to repair. So why are not the defense and law enforcement agencies stepping in here?

    It's not a nameless or faceless "terrorist" group that is costing our businesses, shutting down our infrastructure, tangling our air traffic control, our power grid, or our hospitals. The people promoting Windows and Microsoft technologies have real names and faces and walk among us every day. Take them out and we've won the first round. It could be as simple as organizing a large scale round up under the RICO Act [cornell.edu].

    From there we can go on to hardening the net with IPv6 and dealing with the usual intelligence / counter-intelligence activities. But the first step, before we can stop the economic bleeding [bastiat.org] is to deal with the cause of the problem: the people who promote and profit from known defective technology.

    • It's not a nameless or faceless "terrorist" group that is costing our businesses, shutting down our infrastructure, tangling our air traffic control, our power grid, or our hospitals. The people promoting Windows and Microsoft technologies have real names and faces and walk among us every day. Take them out and we've won the first round. It could be as simple as organizing a large scale round up under the RICO Act [cornell.edu].

      Haven't you been paying attention. These nameless faceless people have lots of money and political clout. So good luck getting the government or getting the main stream to help resolve this issue.

      By the way, I think maybe your tinfoil is wrapped to tight.

    • by $1uck ( 710826 ) on Wednesday July 01, 2009 @12:38PM (#28545577)
      MS is not the one perpetuating the attacks, or causing the damage. There are no laws holding them responsible for creating a secure operating system. Rounding them up and punishing them is hardly legal/ethical/moral. The first thing we should do is start with laws requiring the people creating the networks/data warehouses to secure them properly. Then they'll demand a better product (from MS or some other vendor) if not they should be responsible (unless said vendor wishes to indemnify them). MS is just trying to make a buck, they're not actually attacking anyone.
      • Sold "as-is" (Score:3, Insightful)

        MS is not the one perpetuating the attacks, or causing the damage...

        Re-read the post: those who promote and profit from known defective technology are at fault. That spreads out the blame to include all those Certified Gold Partners and M$ monkeys who go around posing as IT experts. In fact, the licensing partially takes M$ off the hook by stating that it is made available "as-is" and without claims to suitability for any particular task. They know their products can't cut it.

        The fault also lies on all those Certified Gold Partners and M$ monkeys who go around posing

  • If you form a think-tank, or oversight committee, or regulatory office with a nice, big budget and charge them with feeding into the decision making process, that's what they'll do. They are hardly likely to say "we've checked - everything's fine". The two obvious reasons being:

    There might be something they missed

    If there is no "threat", they're out of a job

    So it happens that every time a new office is created to look into the potential of a hazard to the country - lo and behold: they find one. Amazing!

  • by Opportunist ( 166417 ) on Wednesday July 01, 2009 @12:14PM (#28545095)

    I'm in security research, but none of you will be potential customers (trust me, you won't), so I needn't lie to you: It's hopeless, but not serious.

    The problem is not insecure applications. It's not the stealthy superhacker from China. It's not the RBN (ok, it is, but they couldn't do jack without the original culprit). The biggest problem in IT security and internet security is (drumroll please) the user. And his inability and unwillingness to take responsibility for his crate.

    There are security holes, granted. They are not the main source of malware, though. I do assume here that the average /. reader knows a bit more about his machine than "push this button to turn on, when a window opens that you don't know, panic". Likewise, a lot of you say they have no AV suit installed and never had troubles with malware. I believe you. You're probably not into dancing pigs and if you are, you don't let any arbitrary webpage gain root access to show those pigs dancing.

    A lot of users do. And thus get infected. And thus become a security problem.

    Governments will create a lot of laws concerning the problem, without one that actually addresses the problem: Making the user responsible for his security. I don't mean "get infected, get your pants sued off". I mean that you are required to take reasonable (!) means and surf safely, that includes not clicking on every friggin' crap you run into, that includes not opening every goddamn spam mail and run the infector. This would require educated users, and education has always been the mortal enemy of surveillance and monitoring, so we won't see any of this anytime soon. So it's hopeless.

    On the other hand, the infections we face currently (which may change, but so far didn't) don't even come close to enabling anyone to cause a global network meltdown. It is a nuisance (because of spam, page infections and so on), attacks may take out certain parts of the net, but there's no global threat. So it's not serious.

    • by cdrguru ( 88047 )

      Absolutely, today there is no serious threat.

      The problem is, should someone decide to "do" something or, perhaps more likely, "let's see what happens if ..." we are completely vulnerable. Wide open to whatever is coming down and there isn't anything that can realistically be done about it today.

      Sure, it like staring up at the noonday sky wondering if a comet is going to hit today. But you can rest assured that someday, probably sooner than later, that comet is going to come calling. And if someone figure

      • Current botnets are mostly an economic endeavour. Not one of national warfare. If there was money in shutting down the internet, I'd be concerned. But why butcher the goose that lays your golden eggs?

  • Much of the data are gathered by ultra-secretive government agencies

    Bush wanted to know who was moving porn in cyberspace. Obama wants to know who's moving cash. Both are legitimate concerns on the surface, but the searches will suffer from many false positives. Most porn doesn't involve kids or coerced victims. Likewise, the amount of money needed to finance another 9/11 could easily moved down below the noise level of AIG's CDS operations. While law enforcement is looking for the rare needle in each haystack, they'll be motivated to take action on the other stuff they fin

  • NSA has the computing power to monitor all incoming threats to the US that deals with anything electronic or electrical signal and other techniques used. They can not legally use these techniques looking into the US, if you believe the television and news papers. Now, I can see how many /.'s will have their panties riding their ass when a new agency can legally look at what happens on the wires inside the US. They will probably find that many of the robots that are hitting US public IP space everyday from o
    • by cdrguru ( 88047 )

      You point out a huge problem: today we have little redundancy and almost no wiggle room for any sort of failure. JIT inventory means that if UPS or FedEx drivers go out on strike commerce shuts down, even the stores on Main Street. Factories operate on the thinnest of margins with no reserve capacity.

      So what if Something Bad happens? In 1970 it would have mean almost nothing. Today, almost any major event is going to distrupt supply chains, inventory and commerce. The result if we are talking about pap

  • There have been some very vivid demonstrations of the impacts of cyber-warfare, such as the attacks on Estonia and Georgia, Chinese and Iranian suppresion of free speech and media, air traffic control penetrations, and demonstrated penetrations of SCADA networks (power grid in particular). In Estonia, gov't services were disrupted, and the local equivalent of 911 was broken. Georgia was not as badly dinged as Estonia, largely because they're less reliant on networked services. (c.f. http://www.economist. [economist.com]

    • Correct. There are more serious things that you don't hear about because they are classified, which creates a problem: because you (the general public) don't hear about them, you don't believe they exist. Unfortunately, these days many people don't trust the government well enough to accept "trust us, we know what we're talking about even if we can't show you the evidence" because of past abuses of the public trust.

      So what, hypothetically, do you do know if you're in the government setting policy on this is

  • Absolutely, spam and malware cost government and companies millions if not billions of dollars. But what is the Government going to do?

    Every server placed on the Internet is exposed to traffic. If we try and shape and filter that traffic, we can certainly reduce spam and such, but at the cost to everyone. What does Obama think he is going to do to stop a "Cyber Pearl Harbor"? filter all traffic over the net? Restrict what servers can host what applications? Control what applications people install and

  • It must be paid for by the complete destruction of every person's privacy*.

    * - Politicians, Cyber-Security Vendors, and Fatherland Security excluded, natch.
  • The reason why is clear if you've ever listened to these people make their cases in congressional hearings - they get hella PAID for scamming the government. For whatever reason, senators and state reps have a soft spot for this particular thing they have no understanding of. They feel the fear and dish out contracts by the truck-load.. maybe it's a way for them to seem "tough on crime" without actually doing anything; maybe it's favoritism or otherwise; but it works time after time. I for one find it appa
  • The danger/damage scales with the size of the attacker? Internet (or at least, some monocultures on it) is so vulnerable that single individuals alone did a lot of damage in the past. And is so big the hole that individuals and very small organizations are swarming to get a share of the cake. Spam, small/medium botnets, phishing, etc are doing pretty well without implying something big behind, and in a way that could be hard to get the people behind it, at least with current freedom, rights to privacy and s
  • Comment removed based on user account deletion
  • In the ecosystem of good/bad/profit/free/loss the people who make their lively hood from a system are those that will defend it without threat or coercion. Leave the black hats who earn their living off the weak and stupid to protect the system to their benefit with careful nudging when they get out of line.

  • Run s/cyber/cybersex on any article related to this topic.

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...