Summary:  When cyberwar proponents talk about our vulnerability to attacks, they play on our fears by freely mixing things that are obvious and likely – such as malware and online crime, with things that are highly unlikely — such as an entire country being brought to its knees by an electronic attack.  The third in a series about cyberwar by guest author Marcus J. Ranum.

Other posts in the series Cyberwar: a Whole New Quagmire, by Marcus J. Ranum:

1. The Pentagon Cyberstrategy, 2 September 2011
2. “Do as I say, not as I do” shall be the whole of the law, 11 September 2011

At the end are links to get more information about this incident and cyberwar.

Part 3: Conflating Threats

We should all be deeply concerned about Afghani insurgents attacking and taking over New York City. Why? Because they have shown that, in parts of Afghanistan, they are capable of engaging in successful offensive operations, and — therefore by extension — are capable of engaging in much larger successful offensive operations.

But that sounds absurd, right? It sounds absurd because it is! What I’ve just demonstrated is one of the basic tropes of the cyberwar proponent: you point out that the enemy is capable of one thing, and argue therefore that they are capable of something unimaginably larger. This tactic works because most of the people who it’s used against are either:

• in line to make a lot of money helping defend against cyberwar,
• high tech illiterate,
• propagandized by “fear sell” to the point where they will support radical action against anything that is presented to them as scary.

We saw this same tactic used with great success during the cold war:

• the Soviets are capable of making nuclear explosions and hiding how many missiles they have,
• therefore we should assume that they have far more missiles than they appear to,
• so we should spend a gigantic amount of money trying to fill a {non-existent} “missile gap” between their imaginary and our real capability.

Recently, Joel Brenner wrote an article which is a perfect example of how to bait and switch one basic computer security fact for another, to produce a dramatically enlarged threat of cyberwar: “The Calm Before the Storm“, Joel Brenner, Foreign Policy, 6 September 2011 — “Cyberwar is already happening — and it’s about to get much, much worse. A veteran cyberwarrior explains how America can prepare itself.”

For the purposes of illustration we will refer to Brenner’s article as a framework for understanding the cyberwar ”bait and switch” arguments. Brenner’s offering is only the latest spoonful in a mound of nonsense dating back to early 2010, when the “cyberwar industrial complex” first began to trumpet its fears to the media; it’s simply a good, recent example. As with the missile gap in the 1950s, we see officials quoting other officials quoting officials regarding hypotheticals — and, indeed, anything is possible. But, as Rich Rosen used to say back in the USENET days: “Anything is possible, but only a few things actually happen.” (see his Wikipedia entry) As we take a more sober look at cyberwar, ask yourself “what are the geopolitical rationales for a State to do such a thing?”

Brenner begins with the classic set-up for cyberwar bait-and-switch: massive data heists are happening, personal information is leaking out of large companies, cybercriminals are making lots of money, malware is everyplace creating massive bot-nets, and the majority of the internet’s traffic is spam. This is all true, but what is Brenner actually illustrating? He’s telling us that the state of computer security is poor and that cybercrime is a big success.

But we should be thinking how this state of affairs might affect another power’s ability to remote-control our systems. In fact, if you think about it for a few minutes, you’ll realize that cybercriminals and their botnets, etc, are interfering with a hypothetical enemy’s remote-control capability: what if the target is trying to eradicate a spam-sending botnet and ‘accidentally’ blocks a cyberspy’s command/control data channel? Indeed, if there were no cybercriminals, most organizations would be vastly more vulnerable to espionage and state-sponsored attack, because they’d be more likely to blow off security as a concern.

So now that we’re good and scared about the weaknesses everywhere, Brennan drops the scary news: “The U.S. military’s secret network is penetrated.” Oh, and intellectual property is being stolen from corporations and our power grid is dangerously insecure. By throwing down these three scary facts together, Brennan encourages us to “connect the dots” between them. But, in fact, there’s no linkage between those scary facts at all! Indeed, our “secret network” (presumably he means SIPRNet) is penetrated – with at least 300,000 authorized users you’re a fool if you think Bradley Manning is the only data leak. [1][2] There are severe problems (I’ve been complaining about them for decades) but they’re not the result of enemy action — they are the direct consequence of lack of management vision, de-skilling of the federal IT workforce, over-dependence on contractors, and a breakdown in data management resulting in a “kitchen sink” approach to data access control.

What about intellectual property theft? Is that a new problem? Has the internet magnified it? I don’t want to minimize the problem of intellectual property theft, but it’s been a part of doing business since the early industrial age {Eli Whitney made almost nothing on the Cotten Gin} — if you’ve got secrets, you are a fool not to protect them. More to the point, intellectual property theft is a completely collateral problem to cyberwar – and the numbers regarding that threat are impossibly inflated. For example, the FBI likes to quote the damage from intellectual property theft as including media companies’ estimates of losses due to file-sharing. I bet you didn’t know that all those kids stealing music off YouTube are cyberwarriors! [3]

Joking aside, there are very real problems with industrial and technical secrets being disseminated — and it’s mostly happening at the boardroom level, such as when Microsoft gave the government of China source code for Windows in order to overcome protectionist threats, or 3Com established partnerships with Huawei in China to compete with Cisco. It’s farcical to complain about intellectual property theft when virtually every technology that we have in the USA is built elsewhere.  Does anyone imagine that the Chinese don’t know how an iPod works? They’ve built at least 140 million of them!  The global economy has been telling us for years that everything is interconnected; cooperation and competition are joined at the hip.

Now, finally, to the power grid: yes, the power grid has security problems. Back when the smart grids were first being built, my peers and I pointed out that private data links, firewalls, encryption, and good design are important for mission-critical systems, but the cost-cutters won the argument. It’s not that the people who built it were incompetent — though I’d say some of them were — the decision-making process that allowed that to happen was also badly broken.

What does this have to do with cyberwar?

When cyberwar pundits talk about power-grid weaknesses, it’s in the context that “someone could turn out the lights, there would be panic, people would die”.  But nobody can tie that to a geopolitical agenda that makes a great deal of sense. I suppose that destabilizing the US’ power grid would make sense if you were going to invade and it was 1914 and we didn’t have a massive navy (which, in case nobody noticed, is “off the grid”) and nuclear deterrent (also off the grid), etc. Sure, there’s a danger to our power grid, and it’s most likely going to be some goofy teenager flexing his cybermuscles than an enemy power. Because, right now, there is no enemy power that would usefully exploit such an attack. Non-state actors, such as terrorists, might – but if you want to broaden the discussion to fears of terrorism then I think we need to look at a much broader picture than just cyberspace.

Brenner then goes on to conflate another scary thing into cyberwar: espionage. He describes how:

In one remote attack on the Pentagon’s information systems about 10 years ago, the Chinese hauled away up to 20 terabytes of information. If the information had been on paper, they’d have needed a line of moving vans stretching from the Pentagon to freighters docked 50 miles away in Baltimore harbor just to haul it away. Had they done so, the military district of Washington would’ve become an active theater of operations for the first time since 1865, and the Navy would’ve blockaded the Chesapeake Bay. But the Chinese did it electronically, so who noticed?

Well, obviously someone noticed! But there’s a telling point that Brenner either ignores or was not aware of: 20 terabytes of data did not leave over the internet 10 years ago. Because, with data rates, at that time, it would still be in the process of leaving. No, the data in question was carried out on magnetic media. By an insider. And, in ~2000, a 10Gb hard drive was the norm, so it was probably a box of magnetic tapes or a small pallet-load of hard drives. Just because something is electronic does not automatically make it implausibly more efficient or invisible. What Brenner is probably referring to is the compromise of the Joint Strike Fighter [4] plans, which may have happened between Lockheed and one of the other international partners that was involved in the program. Personally, I suspect it was a deliberate leak – attempting to bankrupt the Chinese economy by getting them to build $156 million-dollar per plane hangar queens.

A great deal of the cyberwar fear boils down to espionage, fear of espionage, and fear that our poorly protected information assets are going to leak out. But throwing “cyber-” onto espionage doesn’t really change the dynamics of strategic spying very much. We should not allow the “cyber-” fear to blind us to the fact that, historically and even today the biggest espionage threats remain insiders: Fuchs, Walker, Ames, Boyce/Lee, Hanssen, etc. I suppose you could add Manning to that list though he was a bit of a piker compared to the cold war-era spies. What we’ve seen thanks to the Joint Strike Fighter leak and Bradley Manning is that the way that classified information is disseminated today is magnifying a problem that was already out of control late in the cold war. Strategic espionage is a serious problem, folks, and when someone is trying to sweep the entire intelligence battlefield under the carpet while they just point at cyber-espionage, you have to conclude they don’t understand the problem, or are trying to manipulate public perceptions.

Economic espionage, on the other hand, is just part of doing business; the fledgling US industrial revolution was largely built on stolen British (Scottish) and French technology. The big “secret” to economic success is to innovate constantly and to keep your innovations secret until you’re ready to dominate your market.

Brenner then segues into the final bait-and-switch of the cyberwar proponents: terrorism. From scaring everyone with the threat of professional espionage operations run by nation-state actors, we are jumped with:

Seized al Qaeda computers contain details of U.S. industrial control systems. In 2003, a group affiliated with the Pakistani terrorist organization Lashkar-e-Taiba — the same gang that engineered the 2008 terrorist assaults in Mumbai — plotted to attack the Australian grid. Other groups conspired to attack the British grid in 2004, 2006, and 2009. Yet the owners and operators of the North American grid continue willy-nilly to expose their control systems to the Internet instead of isolating and hardening it. This is folly of a high order.

If, in 2003, there was a plot to attack smart-grid systems and it’s now 2011 — it certainly has been a long time brewing. Or, as is more likely the case, terrorists thought about launching an attack and decided it was impractical, then did something else. With all of these conspiracies to attack smart-grid systems that Brenner mentions, why are we even alive today? This reminds me of the hype around Y2K — we were all going to die horribly when the lights went out and society collapsed, except that it didn’t. Yes, there are problems with SCADA systems and smart-grid systems and yes, they need to be fixed, but consultants banging the drums of doom and gloom are pretty obvious when they do.

Conclusion

Let us conclude by dissecting the one part of Brenner’s article that is both scary and accurate:

Companies that wait for the government to “solve” their own security problems do so at their peril. The government is broke and the IT backbone is 85% private, so the government doesn’t control it.

This is true. As a former counterintelligence head for NSA, and an intelligence community insider of long standing, Brenner was one of the people who were part of the government’s efforts to “solve” security problems on our behalf. The reason that we have an intelligence community and agencies like the NSA is because our private sector is not equipped — nor should it be — to engage in counterintelligence against the Chinese or other nation states. It’s not Google’s job to fight off Chinese spies: that’s NSA and CIA’s job.

If what Brenner is saying is that, at his former position, they did not earn their keep, I can only agree with him. We’ve been being treated to a tremendous flood of cyberwar ”fear, uncertainty, and doubt” from ex-government officials who were involved in what they claim to be a disaster — only now they want billions more of the taxpayers’ dollars in order to remedy the situation. My experience is that if you give more money to people like that, you don’t get a solution — you get a bigger, fancier, more expensive disaster.

The comment that is accurate is the part about the IT backbone being 85 percent private. During the watch of folks like Brennan we saw an unparalleled shift from in-house IT to operations being outsourced to massive consulting organizations. With security critical data, that makes as much sense as Apple outsourcing assembly of its iPods to Inventec in China, then complaining that its intellectual property is “vulnerable.” Yes, I suppose so, but that’s beside the point, isn’t it?

In my next column, I will write about Stuxnet. Stuxnet is the great game-changer in the cyberwar landscape.  Is it?

Notes

1. “WikiLeaks accused Bradley Manning ‘should never have been sent to Iraq’“, Guardian, 27 May 2011 — “Virtually no computer and intelligence security at Manning’s station in Iraq, Forward Operating Base Hammer”
2. One Year after Collateral Murder Release, DOD’s Networks Are Still Glaring Security Problem, by emptywheel, Fire Dog Lake, 28 May 2011
3. FBI Intellectual Property Theft Page
4. “Computer Spies Breach Fighter-Jet Project“, Wall Street Journal, 21 April 2009

About Marcus J. Ranum, from his website

Marcus J. Ranum is the author of The Myth of Homeland Security (2003), and writes at his website about homeland security and computer security.

He is a world-renowned expert on security system design and implementation. He is recognized as an early innovator in firewall technology, and the implementor of the first commercial firewall product. Since the late 1980′s, he has designed a number of groundbreaking security products including the DEC SEAL, the TIS firewall toolkit, the Gauntlet firewall, and NFR’s Network Flight Recorder intrusion detection system.

He has been involved in every level of operations of a security product business, from developer, to founder and CEO of NFR. Marcus has served as a consultant to many FORTUNE 500 firms and national governments, as well as serving as a guest lecturer and instructor at numerous high-tech conferences. In 2001, he was awarded the TISC “Clue” award for service to the security community, and the ISSA Lifetime Achievement Award. Marcus is Chief Of Security for Tenable Security, Inc., where he is responsible for research in open source logging tools, and product training. He serves as a technology advisor to a number of start-ups, established concerns, and venture capital groups.

Other publications:

• “The Problem with Cyberwar“, Rear Guard Security

For more information about cyberwar

1. “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats“, James A. Lewis, Center for Strategic and International Studies, December 2002
2. “Meet Your New Commander-in-Geek“, Katherine Mangu-Ward, Reason, 26 May 2010 — “U.S. Cyber Command has no idea why it exists.”  But their fear-mongering PR is first-rate.
3. “China’s Emerging Cyber War Doctrine“, Gurmeet Kanwal, Journal of Defense Studies (Institute for Defense Studies and Analysis), July 2009
4. They cyber war threat has been grossly exaggerated, NPR, 8 June 2010 — Audio here.
5. ‘Tehran’s Lost Connection“, Geneive Abdo, Foreign Policy, 10 June 2010 — “Is the Iranian regime’s cyberwar with the United States real, or a paranoid delusion?” — Abdo expects to know if the US waged cyberwar against Iran, ignoring our long history of covert offensive operations.
6. “Reducing Systemic Cybersecurity Risk”, Peter Sommer (London School of Economics) and Ian Brown (Oxford), OECD, 14 January 2011
7. “Cyberwar an exaggerated threat“, UPI, 17 January 2011 — Says Peter Sommer, now of the London School of Economics and author of the Hacker’s Handbook (1985) under the pseudonym Hugo Cornwall.
8. “Cyber war threat exaggerated claims security expert“, BBC, 16 February 2011 — Says Bruce Schneier, chief security officer for British Telecom.
9. “Don’t Believe Scare Stories about Cyber War“, John Horgan, Scientific American, 3 June 2011

This post originally appeared at Fabius Maximus and is reproduced here with permission.