Security Through Soundbyte: The 'Cybersecurity Intelligence' Game

[InfoSec News <isn () c4i org>]

Forwarded from: Richard Forno <rforno () infowarrior org>

Security Through Soundbyte: The 'Cybersecurity Intelligence' Game
Richard Forno

Essay #2002-12

(c) 2002 Richard Forno. Permission granted to reproduce and distribute in
entirety with credit to author.

Full article with in-line URLS is available at:
http://www.infowarrior.org/articles/2002-12.html

Some say that cyberspace is the new battlefield, with its own unique
rules, challenges, and concerns for those charged with defending it.  
If one does consider cyberspace a modern battlefield, intelligence
must naturally play a key role in developing appropriate, proactive
defenses. Regarding battlefield intelligence, military strategist Sun
Tzu wrote that "what is called foreknowledge cannot be elicited from
spirits, nor from gods, nor by analog with past events, nor from
calculations. It must be obtained from men who know the enemy
situation."  That's sound advice.

During recent months, hardly a week goes by without some reference to
some firm's findings or statistics on hackers, crackers,
cyberterrorists, and the general state of internet security as they
see it.  Many times these reports are marketed as cybersecurity
"intelligence."

The latest player in the internet security industry is UK-based mi2g,
and the subject of this article. mi2g offers a suite of security
products (essentially they're a systems integrator focused on
security), but is best known perhaps as a "security intelligence
provider" providing research, assessment, and analysis services on the
state of the cybersecurity.

As a security professional - and someone 'on the front lines' of the
cyberspace battlefield - I'm both curious and dubious about the whole
'cybersecurity intelligence' business concept, and wonder what it
takes to both become a 'cybersecurity intelligence' expert and make
money at it, too.

For example, a spooky November 11 briefing by mi2g talks about the
need for "counter-attack-forces" to deal with the threats of "digital
terrorism" in the "5th dimension defence shield" against "digital mass
attacks" and notes that it's "not a question of if, but when" such
attacks will occur.

As we've seen elsewhere, coining neat buzzwords in the cybersecurity
realm makes for interesting reading, but does little to offer real
solutions to the security challenges faced today. Such only serves to
fan the flames of public misperception.  Even more disturbing is the
report's feeble attempt to capitalize on the public's visceral fear of
real terrorism by trying to relate the 'insider threat' of disgruntled
employees to the al-Qaeda members responsible for the September 11
attacks.

mi2g claimed that in November 2002 there were 57,977 'overt digital
attacks' to date, and that such 'overt' attacks will cost $7.3 billion
worldwide for 2002. The firm estimates that the total economic damages
of all attacks - overt, covert, virus, and worms - will be between $33
and $40 billion worldwide for the year.

It's never really clear how mi2g differentiates an 'overt' attack
versus a 'covert' attack. Does a website defacement count as an
'overt' attack? How does one know when a 'covert' attack occurs? Isn't
that what being 'covert' is all about? And how can one credibly
forecast billions of dollars lost from cyberattacks, especially from
'covert' ones the victim doesn't know have occurred?

One wonders how much mathematical masturbation takes place when
analyzing and generating these numbers. After all, it's quite popular
- and easy - to cite economic losses resulting from cyber-attacks,
especially since proving them is next to impossible. But it sure
sounds impressively frightening to gullible reporters and ignorant
business leaders.

Personally, much of what security experts deem an 'overt' attack is
nothing more than a nuisance event - web defacements, ping attacks,
network compromises, or viruses - and not an act of cyberterrorism.
Yet so much noise is made by firms over these nuisance events, you'd
think the end of the digital world was approaching with each new
vendor security alert. Perhaps if mi2g included unexpected port scans
or pingsweeps as types of 'overt attack' they could generate even more
frightening statistics for their audience, too. That, in turn, might
generate more customer interest in their products and help their
bottom line. Of course, security product and service vendors would
benefit as well, so this continual public threat inflation is a
win-win for everyone in the security industry, regardless of whether
any real security enhancements take place.

Also in November, mi2g claimed that "just one motivated individual
cannot usually perpetrate complex cross-boundary physical or digital
terrorism" yet a statement from a 1999 internal mi2g memo - now used
as part of a marketing white paper - notes that [information-based]
'warfare' is "readily available to groups and individuals at anytime,
anywhere in the world.² So which is it?

This sounds suspiciously like former US National Security Advisor
Anthony Lake's FUD-filled remarks in his book 'Six Nightmares" where
he believes that if you're under thirty and have a computer and access
to the internet, you can become a potential cyberterrorist and
Harbinger of Global Digital Evil.  Of course, Lake, mi2g, and other
private and government-sector folks - like Senator Schumer of New York
- continue to preach that cyber-attacks will cause airplanes to fall
from the sky (a favorite scenario for these cyber-Chicken-Littles) and
that the end of the world will occur not with a bomb but a directed
TCP/IP packet, even though recognized terrorism experts regularly
challenge this fear-based belief.

So, given all its media coverage and gloomy forecasts of electronic
and economic doom, what's the real-world experience mi2g is drawing on
to generate its assessments?  At first glance, you'd think the firm's
been focused exclusively on internet security for almost a decade, and
filled to the brim with recognized cybersecurity wizards akin to an
Eeye or @Stake.

Sadly, that's not the case.  Cybersecurity FUD-buster (and VMyths
owner) Rob Rosenberger conducted his own ongoing review of mi2g over
the past few years, and his observations make for some interesting
reading. In the interest of time, I'll summarize the mi2g mystique in
two paragraphs, and let you form your own conclusions.

Scouring the web, we find that in the mid-1990s, mi2g started off as
an e-business enabler focused on operating portal sites (such as
Carlounge.Com and Lawlounge.Com) under the corporate motto "Bringing
The Web To The World." Suddenly, in 1999 with the digital apocalypse
of Y2K looming ahead, the firm morphed into an internet security
company that "by integrating state-of-the-art software engineering
technology with super computing capability is revolutionising the
world of eCommerce and for the first time maximising the return from
the internet whilst minimising the risk."  This was the same time when
internet security companies were sprouting up faster than the kudzu in
my backyard, bringing them to where they are today, as a provider of
'security intelligence' and other security-related products. One
wonders what new market mi2g will be exploiting three years from now.

The firm's current website reveals little about the background of its
staff; most appear to be folks without significant operational IT
security experience. It's interesting that only DK Matai, mi2g's
founder and CEO, seems to speak or write publicly on security topics
(few if any mi2g folks are active in the security discussion
community, it seems) and although a seemingly talented academic,
apparently has never been involved in the trenches of day-to-day IT
security in the real corporate world.

Compare this to other commercial firms founded to focus exclusively on
IT security that employ many well-known, highly-experienced, and
frequently-quoted security experts to help draft formal analyses on
the state of cybersecurity.  Who would you trust when being presented
analysis and estimations about the state of cybersecurity? Soundbytes
alone don't make a credible security expert.

George Orwell wrote that if you preach something loud and often
enough, you can get folks to believe it as truth, no matter how
far-fetched your message. Those that blindly accept continual reports
of impending gloom and doom, the need for "counter-attack-forces" to
prevent "digital mass attacks" and minimize dubious economic losses
will never be able to implement effective information security
programs. They are basing their defenses on the customized opinions of
self-monikered 'experts' - trying to make a profit - who have never
set their proverbial foot on the cyber-battlefield and only know the
enemy by what they've read or heard about them.

And that's a very dangerous thing, no matter what battlefield you're
on.

Further Reading

Study makes less of hack threat (Wired)


Special Thanks to McW and Rob for their help in drafting this article.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.