funsec mailing list archives

Fwd: [Infowarrior] - Cyberwar Is the New Yellowcake


From: Paul Ferguson <fergdawgster () gmail com>
Date: Tue, 14 Feb 2012 16:32:11 -0800

Fyi,

- ferg

- Sent from my Android device...
---------- Forwarded message ----------
From: "Richard Forno" <rforno () infowarrior org>
Date: Feb 14, 2012 11:29 PM
Subject: [Infowarrior] - Cyberwar Is the New Yellowcake
To: "Infowarrior List" <infowarrior () attrition org>

The last few paragraphs are spot-on rational observations and
recommendations. Which means, of course, they'll be marginalised by those
in charge.  -- rick

Cyberwar Is the New Yellowcake, Fueling a Cybersecurity-Industrial Complex

By Jerry Brito and Tate Watkins
February 14, 2012, 6:30 am

http://www.wired.com/threatlevel/2012/02/yellowcake-and-cyberwar/

In last month’s State of the Union address, President Obama called on
Congress to pass “legislation that will secure our country from the growing
dangers of cyber threats.” The Hill was way ahead of him, with over 50
cybersecurity bills introduced this Congress. This week, both the House and
Senate are moving on their versions of consolidated, comprehensive
legislation.

The reason cybersecurity legislation is so pressing, proponents say, is
that we face an immediate risk of national disaster.

“Today’s cyber criminals have the ability to interrupt life-sustaining
services, cause catastrophic economic damage, or severely degrade the
networks our defense and intelligence agencies rely on,” Senate Commerce
Committee Chairman Jay Rockefeller (D-W.Va.) said at a hearing last week.
“Congress needs to act on comprehensive cybersecurity legislation
immediately.”

Yet evidence to sustain such dire warnings is conspicuously absent. In many
respects, rhetoric about cyber catastrophe resembles threat inflation we
saw in the run-up to the Iraq War. And while Congress’ passing of
comprehensive cybersecurity legislation wouldn’t lead to war, it could
saddle us with an expensive and overreaching cyber-industrial complex.

In 2002 the Bush administration sought to make the case that Iraq
threatened its neighbors and the United States with weapons of mass
destruction (WMD). By framing the issue in terms of WMD, the administration
conflated the threats of nuclear, biological, and chemical weapons. The
destructive power of biological and chemical weapons—while no doubt
horrific—is minor compared to that of nuclear detonation. Conflating these
threats, however, allowed the administration to link the unlikely but
serious threat of a nuclear attack to the more likely but less serious
threat posed by biological and chemical weapons.

Similarly, proponents of regulation often conflate cyber threats.

In his 2010 bestseller Cyber War, Richard Clarke warns that a cyberattack
today could result in the collapse of the government’s classified and
unclassified networks, the release of “lethal clouds of chlorine gas” from
chemical plants, refinery fires and explosions across the country, midair
collisions of 737s, train derailments, the destruction of major financial
computer networks, suburban gas pipeline explosions, a nationwide power
blackout, and satellites in space spinning out of control. He assures us
that “these are not hypotheticals.” But the only verifiable evidence he
presents relates to several well-known distributed denial of service (DDOS)
attacks, and he admits that DDOS is a “primitive” form of attack that would
not pose a major threat to national security.

When Clarke ventures beyond DDOS attacks, his examples are easily debunked.
To show that the electrical grid is vulnerable, for example, he suggests
that the Northeast power blackout of 2003 was caused in part by the
“Slammer” worm. But the 2004 final report of the joint U.S.-Canadian task
force that investigated the blackout found that no virus, worm, or other
malicious software contributed to the power failure. Clarke also points to
a 2007 blackout in Brazil, which he says was the result of criminal hacking
of the power system. Yet investigations have concluded that the power
failure was the result of soot deposits on high-voltage insulators on
transmission lines.

Clarke’s readers would no doubt be as frightened at the prospect of a cyber
attack as they might have been at the prospect of Iraq passing nuclear
weapons to al Qaeda. Yet evidence that cyberattacks and cyberespionage are
real and serious concerns is not evidence that we face a grave risk of
national catastrophe, just as evidence of chemical or biological weapons is
not evidence of the ability to launch a nuclear strike.

The Bush administration claimed that Iraq was close to acquiring nuclear
weapons but provided no verifiable evidence. The evidence they did
provide—Iraq’s alleged pursuit of uranium “yellowcake” from Niger and its
purchase of aluminum tubes allegedly meant for uranium enrichment
centrifuges—was ultimately determined to be unfounded.

Despite the lack of verifiable evidence to support the administration’s
claims, the media tended to report them unquestioned. Initial reporting on
the aluminum tubes claim, for example, came in the form of a front page New
York Times article by Judith Miller and Michael Gordon that relied entirely
on anonymous administration sources.

Appearing on Meet the Press the same day the story was published, Vice
President Dick Cheney answered a question about evidence of a reconstituted
Iraqi nuclear program by stating that, while he couldn’t talk about
classified information, The New York Times was reporting that Iraq was
seeking to acquire aluminum tubes to build a centrifuge. In essence, the
Bush administration was able to cite its own leak—with the added imprimatur
of the Times—as a rationale for war.

The media may be contributing to threat inflation today by uncritically
reporting alarmist views of potential cyber threats. For example, a 2009
front page Wall Street Journal story reported that the U.S. power grid had
been penetrated by Chinese and Russian hackers and laced with logic bombs.
The article is often cited as evidence that the power grid is rigged to
blow.

Yet similar to Judith Miller’s Iraq WMD reporting, the only sources for the
article’s claim that infrastructure has been compromised are anonymous U.S.
intelligence officials. With little specificity about the alleged
infiltrations, readers are left with no way to verify the claims. More
alarmingly, when Sen. Susan Collins (R-Maine) took to the Senate floor to
introduce the comprehensive cybersecurity bill that she co-authored with
Sen. Joe Lieberman (I-Conn.), the evidence she cited to support a pressing
need for regulation included this very Wall Street Journal story.

Washington teems with people who have a vested interest in conflating and
inflating threats to our digital security. The watchword, therefore, should
be “trust but verify.” In his famous farewell address to the nation in
1961, President Dwight Eisenhower warned against the dangers of what he
called the “military-industrial complex”: an excessively close nexus
between the Pentagon, defense contractors, and elected officials that could
lead to unnecessary expansion of the armed forces, superfluous military
spending, and a breakdown of checks and balances within the policy making
process. Eisenhower’s speech proved prescient.

Cybersecurity is a big and booming industry. The U.S. government is
expected to spend $10.5 billion a year on information security by 2015, and
analysts have estimated the worldwide market to be as much as $140 billion
a year. The Defense Department has said it is seeking more than $3.2
billion in cybersecurity funding for 2012. Lockheed Martin, Boeing, L-3
Communications, SAIC, and BAE Systems have all launched cybersecurity
divisions in recent years. Other traditional defense contractors, such as
Northrop Grumman, Raytheon, and ManTech International, have invested in
information security products and services. We should be wary of proving
Eisenhower right again in the cyber sphere.

Before enacting sweeping changes to counter cyber threats, policy makers
should clear the air with some simple steps.

Stop the apocalyptic rhetoric. The alarmist scenarios dominating policy
discourse may be good for the cybersecurity-industrial complex, but they
aren’t doing real security any favors.

Declassify evidence relating to cyber threats. Overclassification is a
widely acknowledged problem, and declassification would allow the public to
verify the threats rather than blindly trusting self-interested officials.

Disentangle the disparate dangers that have been lumped together under the
“cybersecurity” label. This must be done to determine who is best suited to
address which threats. In cases of cybercrime and cyberespionage, for
instance, private network owners may be best suited and have the best
incentives to protect their own valuable data, information, and reputations.



---
Just because I'm near the punchbowl doesn't mean I'm also drinking from it.

_______________________________________________
Infowarrior mailing list
Infowarrior () attrition org
https://attrition.org/mailman/listinfo/infowarrior
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
