At least 100 countries building cyber weapons - expert

[InfoSec News <isn () c4i org>]

Forwarded from: Jei <jei () cc hut fi>

http://www.theregister.co.uk/content/6/27265.html

By John Lettice
Posted: 24/09/2002 at 10:09 GMT

Cyberterrorism hyping has reached new heights - according to a report
in the Melbourne Herald Sun, at least. The Herald quotes expert
Matthew Devost, speaking at a meeting at the US consulate there
recently, as claiming the CIA believes at least 100 countries are
investigating waging war by computer, or cyberterror.

Mr Devost is proprietor of terrorism.com, incidentally, which is
something of a misnomer, as he's in the counter-terrorism game. Should
any bona fide terrorist take him to the ICANN disputes panel we fear
he'd be on difficult ground. But 100 countries? Could the CIA possibly
believe this? Who are these countries?

"How many do we need to worry about - six? Twelve?," Devost is quoted
as saying. "What are the capabilities of number 100 on the list?"
Disappointingly, it turns out that "a lot of questions haven't been
answered." So we've no idea what the point of saying 100 countries are
working on it is, aside from trying to grab headlines.

The CIA itself, in the shape of its most excellent World Fact Book,
reveals (as of July 1st 2001) that the top 100 countries by GDP per
capita is headed by Luxembourg, with Gabon coming in at number 100.
Per capita GDP is however clearly a hopeless yardstick to try to
estimate cyberterror capability against. There are a lot of names in
the top 100 (San Marino? Aruba?) that sound improbable proprietors of
cyberwarefare development programmes, and some obvious suspects who
are just to poor to make it. Yugoslavia, for example, is there way
down at 160, and we seem to recall the locals nevertheless being
pretty handy when it comes to the deployment of cyber weapons.

So GDP doesn't really work. How about Internet connections? One can of
course wreak a deal of havoc with just one Internet connection, but
the number of them in a country ought to provide some kind of measure
of the potential raw expertise. This chart here isn't ordered, nor is
it weighted by population, and the figures are a tad old. But there
are somewhere in excess of 30 countries with more than a million
people connected. Again, it's a very rough yardstick, and our friends
in Yugoslavia are still nowhere near the cut. However, the more you
look at the list, the less probable it seems that you can drag out 100
with even the capability for a stupid, futile and laughable stab at a
cyberweapons development programme.

So maybe you just go anecdotal. Start with major, rich economies with
developed IT businesses. Add other economies known to have expertise
and/or strategic plans in that area (so India definitely qualifies on
expertise, China on both). Cross out the ones who don't have serious
armies (e.g. Andorra). Add in a couple of mad dictators. Add in those
with money and known agendas. Add in anybody you don't like. Add
anybody whose justice minister has pissed-off the White House
recently. On our turn through the whole list on this basis, we come to
a total of approximately 60, many of whom are barely credible and who
would only be counted by the most paranoid and drug-addled CIA
operative.

For example, we included the Vatican on the basis of money and known
agenda, and Finland and Estonia on the basis of sheer cleverness
(nothing personal people, we mean to flatter). We offer our services
to the CIA should it wish to recruit a research capability willing to
try to justify future ludicrous claims in exchange for money.

Mr Devost himself seems an intriguing cove. He is co-author of
"Information terrorism - can you trust your toaster?", which won the
1996 Sun Tzu Art of War Research Award (disappointingly, we are unable
to identify any other winners of this award, which in any event seems
to be no more). This document includes the phrase "digital Pearl
Harbor," which may be one of the first recorded uses of the
expression. 




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.