Sunday, April 25, 2010

Rebutting Cyberwar Rhetoric

While we have spent a good deal of time this semester discussing various ways nation-states and non-state actors can use the Internet to achieve political and financial goals, it is important to listen to those voices that rebut the overheated "Cyberwar!" rhetoric that ricochets around the DC beltway. One of the principal critics of the cyberwar drumbeat is the group of writers at Wired Magazine's Threat Level blog. In a recent post, Wired's Ryan Singel provides an incisive critique of former National Security Council member Richard Clarke's new book, Cyberwar.

Singel writes,
Readers of Richard Clarke’s new book Cyberwar who want to jump to the steamy parts should start at page 64 in the chapter “Cyber Warriors.” It’s there you’ll find the Book of Revelation re-written for the internet age, with the end-times heralded by the Four Trojan Horses of the Apocalypse.

Chinese hackers take down the Pentagon’s classified and unclassified networks, trigger explosions at oil refineries, release chlorine gas from chemical plants, disable air traffic control, cause trains to crash into each other, delete all data — including offsite backups — held by the federal reserve and major banks, then plunge the country into darkness by taking down the power grid from coast-to-coast. Thousands die immediately. Cities run out of food, ATMs shut down, looters take to the streets.

That electronic Judgment Day is not the stuff of bad movies or sci-fi novels, according to Clarke, who writes, “A sophisticated cyber war attack by one of several nation-states could do that today, in fifteen minutes.”

That’s right. In less time than it takes to download Live Free or Die Hard, foreign hackers could make it real.

Singel continues,
It’s not just Clarke’s 15-minutes-to-doomsday scenario that stretches credulity. Like most cyberwar pundits, Clarke puts a shine on his fear mongering by regurgitating long-ago debunked hacker horror stories. In his world, the Slammer worm was partially responsible for the Northeast blackout of 2003 — the Energy Department concluded otherwise. A power outage in Brazil is similarly attributed to a hacker, when the real-life evidence points to sooty insulators. Clarke describes the Russian denial-of-service attacks against Estonian servers in 2007 as the “largest ever seen” (not even close). He claims that foreign hackers stole the plans to the F-35 Joint Strike Fighter fighter, when they actually nabbed unclassified information on the plane’s self-diagnostic system.

So much of Clarke’s evidence is either easily debunked with a Google search, or so defies common sense, that you’d think reviewers of the book would dismiss it outright. Instead, they seem content to quote the book liberally and accept his premise that cyberwar could flatten the United States, and no one in power cares at all. Of course, the debunking would be easier if the book had footnotes or endnotes, but neither are included — Revelation doesn’t need sources.

Singel notes,
Clarke’s prescriptions are manyfold. First, the nation’s backbone carriers — the ones with fiber optic networks crisscrossing the country — should be required to inspect all packets, and delete the ones that match known signatures of viruses and other malware. While that might seem like a fine idea, the security industry is already moving away from signature-based strategies, since malware-makers have taken to testing their payloads against anti-virus software before deploying it.

ISPs already have the ability, and the legal right, to filter out known bad packets, but requiring it — as Clarke would do — would not only be ineffective, but it would inevitably lead to other demands to filter content, first child pornography, then perceived copyright violations, and finally unwanted speech of all sorts. Clarke fails to consider the contents of the Pandora’s box he seeks to open.

More persuasively, Clarke argues the feds need to set some real, auditable and binding rules for companies that run critical infrastructure, such as the electrical grid. The current policy is driven by the rationale that private-sector companies have enough financial incentive to protect their network, and the government’s role should be limited to helping share information about threats among the stakeholders. That policy works well when it comes to companies like Google and Chase, which could lose customers if their networks are routinely hacked, but isn’t as effective for your energy company, which likely has no real competition.

So, even if you don’t accept Clarke’s doomsday predictions, there’s a good case to be made that the feds ought to have strong rules governing these systems, and, as he suggests, a crew of white hat hackers tasked with trying to bust into the grid on a daily basis.

Singel concludes,
The cyberwar rhetoric is dangerous. Its practitioners are artists of exaggeration, who seem to think spinning tall tales is the only way to make bureaucracies move in the right direction. But yelling “Cyberwar” in a crowded internet is not without consequence. Not only does it promote unnecessary fear, it feeds the forces of parochial nationalism and militarism — undermining a communications system that has arguably done more to connect the world’s citizens than the last 50 years of diplomacy.
Check out the full article here.


Marley said...

It was interesting to read this post after reading the "Tracking GhostNet" report and the "Project Grey Goose Phase II Report." The writers at Wired Magazine seem to acknowledge the threat level illuminated by the prior articles but reject wholesale the notion that our government and we as private citizens must brace ourselves for the coming internet apocalypse. Although the Grey Goose report presents examples of nation-state sponsored (probably) patriotic hackers, religious and ideologically motivated hackers, and mentions financially motivated cyber-criminals, its findings suggest that international diplomacy could begin to curb all of these threats. It seems to me that the United States should push for, leading by example, policy that would require domain hosts to register and provide the identity of domain registrants. While some may perceive this as an invasion of privacy, the U.S. could frame it in terms of successfully attributing crime and attacks to individuals and not the sponsoring nation-state. Especially in the Russian example, the state's ownership of communication lines and internet access ensures access to information, meaning that if they wanted to, they could presumably identify and stop cyber-criminals. Political pressure needs to be applied to the Kremlin should they not begin to do this. Any cyber crime committed by a Russian national or coming from Russian cyberspace needs to be treated like a nationally sponsored affront. If nothing else, the Grey Goose report shows how much can be learned purely from open source intelligence gathering; if an effort were made to make this material even more accessible, cyber crime could most certainly be diminished.

Christopher Newsome said...

This has nothing to do with the article/posting above, but I wanted to bring to light some current event news.

In the past week, David Kernell, 22, went on trial for the September hacking of Sarah Palin's Yahoo email account. While the trial has taken on the inevitable political twist, the national attention that cybercrime is getting could do the nation some good.

The maximum sentence that Kernell could receive is 50 years; long enough to deter future amateur hackers. However, the defense is trying to wave off the crime as a "silly prank." It concerns me that this could be a commonplace assertion, that if no real physical damage takes place, then the crime can only be classified as a "prank." Thankfully, in her testimony on Friday, Palin accused Kernell of some serious damage to her family life and her campaign.

More importantly, this instance has raised national awareness on how to make passwords more secure on the consumer side. Attached to almost every article covering this event was a "how-to" on password security. With so many Americans online, and so much of the web requiring usernames and passwords, we should make an example and learn from Palin's online vulnerability. Overall, while some might blow this off as an insignificant event or assign partisan meaning to the event (Kernell's father is a Democratic state legislator in Tennessee), I believe that this trial could help the nation prevent smaller-scale cybercrime.

Deven said...

Christopher, I'm glad you brought this up. I too have been following the Kernell case and am very interested to hear what the court decides.
Kernell faces convictions on four felony charges – identity theft, wire fraud, intentionally accessing Palin's e-mail account without authorization and obstructing an FBI investigation. These charges combined could send Kernell to prison for up to 50 years.
According to this article here on the Huffington Post, "Kernell is accused of accessing Palin's Yahoo! e-mail account by answering a series of personal security questions, resetting the password to 'popcorn,' making screen shots and posting the contents online using the nickname 'rubico,'" which to me seems pretty harmless.

At the same time, this case can show not only (as you mentioned) how important it is for passwords to be safe, but also how easily accounts can be hacked. What if Kernell were a malicious attacker? Palin used this account for state governor business on occasion, and confidential information could have been easily disclosed.

Eric H said...

I feel like Singel and Clarke have very extreme views at opposite ends of the spectrum. While (hopefully) no one is capable of pulling off a Live Free or Die Hard style scenario, there seems to be evidence that many of the individual parts of such an attack are possible. For example, the Pentagon and power grid have been hacked. Most of the other things seem like they are in the realm of possibility. So the scenario that Singel critiques may not be possible to pull off in fifteen minutes, or even at all at this point in time, but the possibility for catastrophic damage exists.

Even though Singel charges Clarke with promoting unnecessary fear and militarism, maybe a strong warning will start to make people aware. No one has denied that China and other governments are building up their cyber capabilities and to avoid warning people of an impending problem only to avoid causing alarm is silly.

Julia said...

First of all, although I do not like that Richard Clarke tries to make money off his knowledge gained through 30 years as a U.S. government employee, I think that some of his theories may be reliable. I think his theories should be considered just because he knows about it more than others. They may be outrageous, but he nevertheless seems to be a more reliable source than random rumors online.
In my opinion Singel went too far with the very last sentence: "undermining a communications system that has arguably done more to connect the world's citizens than the last 50 years of diplomacy". Maybe it has done a lot to connect the world's citizens, but it has done so much evil too. Moreover, it opened up a new level of evil and war, which we do not really understand. Because in reality nobody understands every single part of technology and the internet. All those 1,802,330,457 internet users do not understand how the internet works, nor how their computers work or most of the technology they use and trust with their most intimate secrets. They may know how to use it (some better, most worse), but they do not understand what happens once they click "enter". Therefore, I think that cyber warfare, which is beyond our understanding, is more than only possible.
I think that a "cyber fire sale" is a possibility. (fire sale = fictitious term for a cyber attack that stops/destroys all communication, transportation and other important infrastructure for a country to exist; interestingly the explanation for it has been deleted from Wikipedia).

Jamee said...

This article is very interesting because the use of exaggerated or sensationalized/yellow journalism can translate to the threat of a virtual 'cyber apocalypse'. It is like a cyber Cold War with the always looming threat of a cyber nuclear bomb. While I was researching for my paper I came across an article about an upcoming debate on the exaggeration of cyber warfare, on June 8th at the Newseum. More information about the debate if anyone is interested in attending:

After taking this class I can see how people can become paranoid and anxious about all the potential threats that the internet and technology have opened on our privacy and security. It is obvious that these cyber threats are real, but the debate seems to lie in just how probable it is that these threats or attacks will actually take place. I found it interesting how the article specifically cites the use of 'rhetoric' that could lead to an exaggeration of the cyberwar. It seems that it's not only the promotion of the idea of an apocalyptic cyberwar but the constant use of words that generate emotional responses and create an anxious audience of readers. I think that Clarke, like many others, takes advantage of the naivety and the lack of knowledge that the public has on the current cyberwar. He plays off of the fears that people have of technology and its capabilities. I also do think that the cyberwar is a threat that people should want to know more about, and through his possible exaggerations this could lead to more discussions and research on the subject, not just by experts or people in the field but by ordinary everyday people. More literacy about the cyberwar could lead to people learning more about how to protect themselves and their information on the internet. I think that though Clarke may be exaggerating the severity of the cyberwar, the writer of this article may be exaggerating the effects that Clarke and those at Wired Magazine have on the opinions of the masses.

Andy M said...

What is preventing us from taking the offensive? We could be aggressive in reacting, treating anyone who engages us as a fair target for retaliatory attacks. Any lesser reaction could be taken as a sign of weakness and invite further intrusion. While Chinese nationals chip away at the foundation of our cyber-defenses, we spend our time on building stronger fortifications. Instead of trying to build ourselves a protective bubble, our focus ought to be identifying and counter-attacking them and any associates of theirs and taking out their servers as a warning shot to any aspiring cyber-warriors. Furthermore, we might also better utilize our capabilities against enemies abroad like Iran, North Korea, and the numerous terrorist groups that militarize online. State and non-state actors that pose a significant threat to our national security need to be dealt with, quickly, thoroughly, and completely. Say for instance, Iran refuses to back down when we demand that they cease enriching uranium. We plan a targeted denial of service attack that paralyzes the computer systems of their facilities and leaves them incapacitated, with the tacit implication that their non-compliance will only result in further retribution. While I am fairly certain this would be a nearly impossible attack to pull off in real life, our current policy of playing punching bag for the international hacking community needs to end. How politically unfeasible is a simple pre-emptive cyber-attack on a terrorist chat room? I doubt many Americans would take issue with the installation of an insidious Trojan-Horse virus on every potential Jihadist's computer, especially if it helped us track their movements and actions. The ACLU would certainly be concerned, but they rarely win where terrorists are concerned (see Act, Patriot). If our most sensitive servers are truly vulnerable, the Chinese, Iranians, Koreans, and Jihadists cannot possibly be that far ahead of us in terms of cyber-defenses.
With the recent push by the Obama Administration for the reduction of nuclear arsenals worldwide, we are removing a stigmatizing weapon that has far reaching moral implications with regard to its use. In cyber, we have a much cleaner, hopefully cheaper, and certainly subtler weapon at our disposal, and I think it would be irresponsible of us not to consider our own capability to wage cyber warfare. With its ability to disturb nearly any facet of our target’s infrastructure, it has much more focused destructive power than the rest of our interventionary arsenal, with few of the side effects. Moral and political feasibility arguments to the contrary intentionally disregard that these actions are in our own best interest, and the parties involved are enemies of the state who likely have a strong interest in causing us harm. Mutually assured destruction relies too much on inaction; on the internet, that could be misconstrued as timidity. Why must we wait for their action to counterpunch?

izzy said...

This reminds me of a similar subject that I did some research on for another class. The class is about ethnicity and conflict in post-colonial and colonial Africa, a seemingly unrelated subject. One of the reading topics for the week was the subject of democracy within ethnically divided communities, and how these communities are mobilized through new communicative technologies. Essentially, there is a political struggle being waged in Kenya, and other African nations undergoing the process of democratization, where political citizenship is divided between the regional, ethnically defined political groups, and attempts at a national, inclusive political community. D. Ndirangu Wachanga's article "Info-ethnic warfare: the 2007 Kenyan post-election violence and the new communication" deals with the application of this theoretical duality of citizenships, and how it is related to ethnic violence, and exacerbated by new forms of communicative technology. Wachanga has researched the influence of widespread text messaging, blogging, and chain emails on polarizing ethnic groups along party lines. He argues that these new communicative technologies are by nature democratic tools, yet they are also cultural constructs manipulated by ethnically defined political parties as a way for the dominant, hegemonic class to subjugate the minority group. The conflict then arises between this democratic tool of communication, as Wachanga cites "the Kenyan information warfare festered more in cellular devices because of their affordability," and this struggle to manipulate these forms of communication along power and ethnic lines. Wachanga says "instead of depending on outright manipulation of information, those in and with power can craft ideology-modeling measures that normalize the status quo in a manner that defies objection."
He draws many of his conclusions from a collection of twenty text messages, which he then organized into categories and subcategories depending on their intended purpose. The reality of these text messages was that the ethnically charged language was stark and not at all hidden. A sense of the other is prominent within all the text messages, as the groups compete for political power that they can only find through ethnic allegiances. Wachanga also writes: "Much has been written about the new communicative technologies, especially the Internet, as a territory of information conflict." Sturges notes that "the question for students of information warfare may be the extent to which all modern information environments are like war zones." He also uses Crilley's definition of information warfare: "The use of smart technology in a traditional war or use of IT systems to attack part of a country's infrastructure." Studies in information warfare often revolve around information manipulation, erection of barriers to information flow, "various forms of systemic distribution of information, use of technology for new and unintended purposes, and most of all the adjustment of boundaries between truth and lies." But manipulation of information propagation and dissemination can be in two facets: a) those in and with power can legislatively or draconically ban transmission of certain information, ban certain channels, censor certain material, or criminalize certain information sources.

It's a pretty interesting document, and you can find the entire thing on reserve at the library.