Wednesday, 19 January 2011

Less cyber please

It seems like I can't open a paper or look at a news website without seeing the word "cyber" usually followed by "crime" or "attacks" or "security" or "war" stuck on the end. Here are some recent examples:

The Guardian - London 2012 Olympics faces increased cyber attack threat

London Olympics organisers today warned of the increased danger of cyber attacks that could fatally undermine the technical network that supports everything from recording world records to relaying results to commentators.

The London Organising Committee of the Olympic Games (Locog) said it was "inevitable" that its systems would have to repel malicious attempts by hackers to bring them down.

My reaction: Bring as much of the system as possible off the internet, and create a secure internal network to process the data in-house.

Daily Telegraph - Cyber-attacks could cause global 'catastrophe'

A succession of multiple cyber-attacks could "become a full-scale global shock" on a par with a pandemic and the collapse of the world financial system, the report by the Organisation for Economic Co-operation and Development (OECD) said.

Contingency plans to recover systems should be put in place and cybersecurity policies should "encompass the needs of all citizens and not just central government facilities", the report said.

Say what?!: Erm, this doesn't really need a solution. If hackers can do the same damage as a pandemic we're in "game over" territory. This story reads like the plot of a bad piece of science fiction. I can only hope that it is a severe misrepresentation of the OECD report in order to create a more exciting story. Worth noting that the BBC headline for this was "Risks of cyber war 'over-hyped' says OECD study"; ironically, pretty much every other media source over-hyped it. Of course they also said...

BBC - 'Cyber war will hit all web users'

The conflict between Wikileaks supporters and the companies withdrawing their services from the whistle-blowing website has been dubbed a "cyber war".

Activists have targeted firms such as PayPal, Mastercard and Visa for their opposition to the site's publication of thousands of secret US diplomatic messages.

But there are fears the online battle could lead to everyday internet use becoming much more heavily regulated.

Say guy, learn the terminology and history: First off, every user of the internet? That's over 1.5 billion people. That's a lot. According to this piece there have been no DDoS attacks before now which have been done by anyone other than criminals. Of course DDoS is a crime according to most people, so that's somewhat moot as a point. Honestly, there isn't a single line in the entire piece that makes technical or factual sense. Watch the video, it's hilarious if you know the first thing about the issue.

I don't fancy writing up any more because it would take too long, but I do want to revisit an article from some time ago in the New Yorker, hat tip to John Robb for the find.

New Yorker - The Online Threat: Should we be worried about a cyber war?

American intelligence and security officials for the most part agree that the Chinese military, or, for that matter, an independent hacker, is theoretically capable of creating a degree of chaos inside America. But I was told by military, technical, and intelligence experts that these fears have been exaggerated, and are based on a fundamental confusion between cyber espionage and cyber war. Cyber espionage is the science of covertly capturing e-mail traffic, text messages, other electronic communications, and corporate data for the purpose of gathering national-security or commercial intelligence. Cyber war involves the penetration of foreign networks for the purpose of disrupting or dismantling those networks, and making them inoperable. (Some of those I spoke to made the point that China had demonstrated its mastery of cyber espionage in the EP-3E incident, but it did not make overt use of it to wage cyber war.) Blurring the distinction between cyber war and cyber espionage has been profitable for defense contractors—and dispiriting for privacy advocates. [Author's emphasis]

The froth in the papers and news sources about cyber-(insert scary word here) is part of this willful exaggeration of the threat. For those who have watched Die Hard 4, such a situation is nigh on impossible. An event like that would fall into the category of a full-blown singularity, an event so momentous that everything after that point would be the result of that single event. This is not something that will happen in the real world.

Even taking a simple civilian website off the internet is hard. It requires a botnet (either voluntary, e.g. Anonymous, or involuntary, e.g. Storm) to be deployed at the expense of time and significant effort, and for that effort to be sustained over time. The solutions to the problem of this type of attack are manifold and simple, and most sites so affected are up and running in hours as if nothing had happened.

So, scale that up to a military network, which is (or should be) prepared for such an attack. Do we really think that there are any real players out there who can aggressively take down and dismantle such networks to the extent they cannot be rebuilt and used again after a period of repair?

The most sophisticated cyber attack known to have occurred is most likely Stuxnet, which did actually succeed in damaging physical infrastructure. But even that incredibly complex and ingenious tool did not stop the Iranian nuclear program, nor did it do damage which could not in time be repaired. It's also worth noting that, contrary to Sky News reports, this was a one-shot tool. The vulnerabilities in the operating system have been patched, and cannot now be used to perpetrate similar attacks.

Here's what I see when I read these sorts of articles:

For those unfamiliar with the story of the blind men and the elephant take a look here. In essence it speaks to the fact that without the ability to see the whole of the thing, it is possible to interpret the thing as being an impossible array of things it is not. Thus is the media with the concept of cyber-(insert scary term).

There are some really good opportunities amongst the froth to teach people about the real problems. How their computers can be hijacked by criminals to form part of a botnet, for example. Or how prolific internet fraud is. What phishing is. If more people were aware of these very real and very difficult problems, then criminals who exploit the public's general lack of knowledge of the topic would have a much more trying time exploiting these weaknesses for their own gain.

Here's something to consider, from Batman - The Dark Knight

There are people in the real world, who, like the Joker in Batman, want to burn the world down just for the sake of it. But these people are painfully few and far between and almost universally lack the skills to undertake their task.

Who would want to perpetrate a cyber attack as deadly as a pandemic? No one but a madman. It would serve no military purpose, no civil purpose; at best it would be a supreme act of terrorism. But such a devastating event would have repercussions the perpetrator could never envisage, and which would, most likely, turn on them.

As a society we need to start getting a grip on our ability and desire to panic over existential threats to our existence. They never measure up to our expectations, and whilst we look skyward to see if the sun is about to go out, or the moon come crashing down, we miss the fact that there are real problems.

I'd also implore those in the media to take a step back and consider the whole elephant once in a while, as the writers in the New Yorker did in their excellent article.

