Posted By Stephen M. Walt

Am I the only person -- well, besides Glenn Greenwald and Kevin Poulsen -- who thinks the "cyber-warfare" business may be overblown? It's clear the U.S. national security establishment is paying a lot more attention to the issue, and colleagues of mine -- including some pretty serious and level-headed people -- are increasingly worried by the danger of some sort of "cyber-Katrina." I don't dismiss it entirely, but this sure looks to me like a classic opportunity for threat-inflation.

Mind you, I'm not saying that there aren't a lot of shenanigans going on in cyber-space, or that various forms of cyber-warfare don't have military potential. So I'm not arguing for complete head-in-the-sand complacency. But here’s what makes me worry that the threat is being overstated.

First, the whole issue is highly esoteric -- you really need to know a great deal about computer networks, software, encryption, etc., to know how serious the danger might be. Unfortunately, details about a number of the alleged incidents that are being invoked to demonstrate the risk of a "cyber-Katrina," or a cyber-9/11, remain classified, which makes it hard for us lay-persons to gauge just how serious the problem really was or is. Moreover, even when we hear about computers being penetrated by hackers, or parts of the internet crashing, etc., it's hard to know how much valuable information was stolen or how much actual damage was done. And as with other specialized areas of technology and/or military affairs, a lot of the experts have a clear vested interest in hyping the threat, so as to create greater demand for their services. Plus, we already seem to have politicians leaping on the issue as a way to grab some pork for their states.

Second, there are lots of different problems being lumped under a single banner, whether the label is "cyber-terror" or "cyber-war." One issue is the use of various computer tools to degrade an enemy’s military capabilities (e.g., by disrupting communications nets, spoofing sensors, etc.). A second issue is the alleged threat that bad guys would penetrate computer networks and shut down power grids, air traffic control, traffic lights, and other important elements of infrastructure, the way that internet terrorists (led by a disgruntled computer expert) did in the movie Live Free and Die Hard. A third problem is web-based criminal activity, including identity theft or simple fraud (e.g., those emails we all get from someone in Nigeria announcing that they have millions to give us once we send them some account information). A fourth potential threat is “cyber-espionage”; i.e., clever foreign hackers penetrate Pentagon or defense contractors’ computers and download valuable classified information. And then there are annoying activities like viruses, denial-of-service attacks, and other things that affect the stability of web-based activities and disrupt commerce (and my ability to send posts into FP).

This sounds like a rich menu of potential trouble, and putting the phrase "cyber" in front of almost any noun makes it sound trendy and a bit more frightening. But notice too that these are all somewhat different problems of quite different importance, and the appropriate response to each is likely to be different too. Some issues -- such as the danger of cyber-espionage -- may not require elaborate technical fixes but simply more rigorous security procedures to isolate classified material from the web. Other problems may not require big federal programs to address, in part because both individuals and the private sector have incentives to protect themselves (e.g., via firewalls or by backing up critical data). And as Greenwald warns, there may be real costs to civil liberties if concerns about vague cyber dangers lead us to grant the NSA or some other government agency greater control over the Internet.  

Third, this is another issue that cries out for some comparative cost-benefit analysis. Is the danger that some malign hacker crashes a power grid greater than the likelihood that a blizzard would do the same thing? Is the risk of cyber-espionage greater than the potential danger from more traditional forms of spying? Without a comparative assessment of different risks and the costs of mitigating each one, we will allocate resources on the basis of hype rather than analysis. In short, my fear is not that we won't take reasonable precautions against a potential set of dangers; my concern is that we will spend tens of billions of dollars protecting ourselves against a set of threats that are not as dangerous as we are currently being told they are.

I hasten to add that this isn't my area of expertise and I may be completely wrong about it. What I would really like, therefore, is for an objective, blue-ribbon commission to look carefully at this question. Here's a possible example of what I have in mind, but I can't tell how reliable its conclusions are likely to be. Why? Because I can't tell how many of its members are people with a stake in the outcome. Makes me wish somebody like Richard Feynman was still around to chair it. 

Alex Wong/Getty Images


LAZYKAT

8:50 PM ET

March 30, 2010

Cyber Threats and Realist Theories

Professor Walt,

Thank you so much for articulating more clearly and persuasively some of the feelings that I've had concerning this issue.

One area that I would like to see you discuss some more is how "cyber threats" fit into theories of offensive realism or defensive realism. For instance, should both these traditions be more concerned with "cyber threats?" Or more importantly, what would an offensive realist or defensive realist perspective have to say about "cyber threats?" My reading of both realist traditions seems to be that both are essentially concerned with actions of unitary, state actors. Much of the recent "cyber threat" literature talks about how this is a mechanism that can be used by weaker, non-state actors. Are "cyber threats" simply a lacunae in realist theories or does the issue of "cyber threats" indicate how behind the times realist theories are concerning 21st century national security threats?

I have found your blog immensely erudite and thoughtful and would love to hear more of your thoughts on this matter.

 

JANBEKSTER

12:16 AM ET

March 31, 2010

Please No.

This whole argument is worse than Pokemon, and less realistic.
khairi janbek. paris/france

 

FP WONK STEVE

12:27 AM ET

March 31, 2010

It's Perhaps the strongest threat that exists!!

Allow me, as an Information Security professional, to weigh in that the threat is FAR larger than most people will ever understand. I will struggle to keep this short.

The main parts of the "cyber" threats can be broken down into a few parts:

1. Corporate Intellectual Property being stolen and copied.
2. Blackmail Potential (corporate and govt.)
3. Denial of Service type attacks
4. Hacking of Bank accounts (electronic fraud)

1) Google felt the sting more than most. Why? Think about it! It's not necessarily about their lack of profits in China! Their website is their "Golden Goose"! Without the special search engine algorithms and code that makes Google, Google, they are NOTHING. When Chinese hackers are inside their network stealing information and the govt. there won't stop local threats, you must pull out. The money they make in China is peanuts compared to their other markets. You would do the same thing. They won't openly talk too much about this because they got owned because they were using Microsoft's Internet Explorer version 6, and the Chinese hackers used a Zero-Day (means un-reported flaw) exploit to compromise it. It's sad because they make their own browser called Chrome, not to mention there is Firefox out there too. Why use the enemy's browser?

Now China's Baidu (a Google clone) has 80% of the market there. Eventually the Chinese will do the same with Boeing's airplanes and stuff GE makes for their markets, then turn around and give contracts to Chinese that make the same thing. These companies are foolish or know that and don't care.

2) With the companies I've worked for, you get the managers that ask, why can't I use an iPhone like my CEO buddies? Well, if you've got email related to the oil and gas industry and your company flying around unsecured, regular ol' insider trading cannot compare to leaked information like your typical Houston Area Oil Executive's mailbox. That kind of info can even be used against them by others and other govts. Same thing goes for govt. officials. Which is why locked down Blackberries are essential for now. Remember when Paris Hilton's T-Mobile Sidekick's phone numbers were hacked and stolen?

3) Denial of Service (DoS) attacks are the main attacks everyone seems to be talking about. The power grid is the common one. Ever think about the 911 emergency system being taken down? Iran, Brazil, Russia, and China have some nasty hacktivists that would love to take down a major US hospital's network for several hours if they could. An air-traffic control tower? Sure! Hackers think outside of the box; it's a requirement to be one.

4) Banking fraud cybercrime according to the FBI went from 265 million in 2008 to 560 million this year. What's to blame? Anti-Virus products struggling to keep up with botnets, the Conficker worm, ignorant end-users, and Zeus trojan horses running out of control and stealing people's banking usernames and passwords. In fact it is HIGHLY dangerous to bank online with the same computer you use to browse the internet with. The TJ Maxx hacker just last week got sentenced to 20 years in prison for all the credit cards he hacked and used. In fact he was on the Secret Service's payroll while he did this!

There is faaar more to it than this. This is why the Obama administration is trying hard to deal with it, because it is not just a personal or corporate responsibility anymore. When your domestic consumers and businesses are getting their money and services stolen, the govt. needs to protect their interests. Educating the public will be even tougher; the computer as it is, is already "difficult" to use for most people.

 

SIN NOMBRE

3:44 AM ET

March 31, 2010

The incredible shrinking meaning of "war"

"It's Perhaps the strongest threat that exists!!"

Good! (If true, which I doubt.) There are lots of worse things I can think of being credibly threatened by, such as chem/bio weapons.

Not only has nothing you've written persuaded me that this stuff ought to be regarded as justifying a "war," but indeed, with maybe one or two extreme exceptions such as using cyber-stuff to blackmail a high governmental official or etc. to betray the country, everything you've written just persuades me that all this stuff ought to just be considered simple (if modern) law enforcement/police-type matters.

Wars are about matters of fundamental national importance; what you've described can seem even less on that scale than the threat posed to this country by illegal drugs, and we all know how the "war" on that is going.

This isn't to downplay the idea that cyber-crime might indeed be the crimes of the future, but it still doesn't raise their importance to the level of a casus belli justifying yet another "war" with rafts of yet more "enemies" who can't be identified, can't ever really be "defeated," and once caught have to be treated like criminals anyway. (And which possibly distract attention and resources away from worse threats.)

 

FP WONK STEVE

12:37 AM ET

March 31, 2010

To answer your third Question

A blizzard is somewhat predictable. At least you know what caused it within seconds of the grid going out.

A cyber attack takes several hours to assess. That's if you can even get the system back online and have not been entirely locked out of it. Then you have to figure out how to clean up the servers, etc., and figure out how they got in, did they elevate their access and de-elevate the higher access accounts... etc.

Not to mention you have no idea when that is coming at all, unlike the bad weather.

 

JT1928

1:38 AM ET

March 31, 2010

GW

I feel like the same could be said of global warming alarmism -- large potential payoffs for (corporate or political) beneficiaries who have a hand in shaping GW responses; proliferation of pseudo-experts (Al Gore, et al.); lots of diverse problems lumped under the "green" banner; and lack of a comprehensive cost/benefit analysis (will diversion of resources toward GW responses hurt other aid efforts, e.g. malaria, access to clean water, HIV, etc.?)

 

EVAN HARPER

2:03 AM ET

March 31, 2010

Agree

I have been following the "cyber-war" claims ever since Winn Schwartau began hyping them in the 1990s, and they've never struck me as especially credible. In the open literature there is a remarkable lack of attention to the actual technical plausibility of the more extreme scenarios that are bandied about. As you point out, there is serious potential for cyber-vandalism and disruption of commerce, but that is a completely separate issue from making power plants blow up over the Internet.

You mentioned Greenwald and Poulsen -- the go-to name for serious analysis of cybersecurity is Bruce Schneier of Counterpane Security. If you want to understand these issues then his books and website are the best place to start.

 

ANON_ANON

7:40 AM ET

March 31, 2010

I'm reminded

of your ideal-type Red Team. It's such an interesting idea, but as Betts noted, an institutionalized devil's advocate loses its power, because it's known to be the devil's advocate, and hence its recommendations lose power. Partly I'm railing in a comment about another post you wrote far too long ago for me to remember. But I suppose what is prompting me to write is I wonder how effectual blue ribbon commissions actually are. Amy Zegart's work on intelligence reform came to mind. How many commissions existed prior to 9/11? Similarly, would the use of a blue-ribbon commission be cosmetic rather than "actual?" I can see the PR value; pushing through "action channels" (Allison) seems more difficult, particularly if the commission has little power. Perhaps, rather than call for a blue-ribbon commission, one should call for more submissions to journals like "International Security" or "Security Studies" - a special issue? - and hope the ideas percolate downwards (or upwards, depending on your perspective) to The Washington Quarterly or the American Interest or Foreign Affairs (essentially, magazines you can purchase at Barnes & Noble) and hope *from there* that the ideas of those who have thought about the idea reach policymakers. That to me seems perhaps preferable to a "blue-ribbon commission" whose recommendations can easily be swept away for lack of members' political power.

 

SIR_MIXXALOT

8:05 AM ET

March 31, 2010

Blue ribbon study has been done already

Steve, the "blue ribbon" National Academies' panel has looked at this:

http://www.nap.edu/openbook.php?record_id=11925&page=1

"The potential consequences of a lack of security in cyberspace fall into three broad categories. First is the threat of catastrophe—a cyberattack, especially in conjunction with a physical attack, could result in thousands of deaths and many billions of dollars of damage in a very short time.

Second is frictional drag on important economic and security-related processes. Today, insecurities in cyberspace systems and networks allow adversaries (in particular, criminals) to extract billions of dollars in fraud and extortion—and force businesses to expend additional resources to defend themselves against these threats.

If cyberspace does not become more secure, the citizens, businesses, and governments of tomorrow will continue to face similar pressures, and most likely on a greater scale.

Third, concerns about insecurity may inhibit the use of IT in the future and thus lead to a self-denial of the benefits that IT brings, benefits that will be needed for the national competitiveness of the United States as well as for national and homeland security."

Unlike the "EMP" threat, the Cyber threat is real.

 

SIR_MIXXALOT

8:30 AM ET

March 31, 2010

From the NAS report

National Academy of Sciences:

http://www.nap.edu/openbook.php?record_id=11925&page=224

The Committee on Improving Cybersecurity Research in the United States believes that the cybersecurity threat is real, imminent, and growing in severity. Moreover, as one of the most technologically advanced nations in the world, the United States has much to lose from the materialization of this threat. But this committee is not the first committee—and this report is not the first report—to make this claim.

As early as 1973, the Electronic Systems Division of the U.S. Air Force noted the ease with which then-contemporary systems (such as OS/360 and GCOS) had been penetrated and argued that fundamental design flaws were responsible for allowing these penetrations.[1] In 1974, Fortune published an article for the general public presenting a general overview of the vulnerability of multiaccess computer systems to unauthorized tampering, the reliability of access controls, and ways in which systems have been exploited.[2]

In 1991, the National Research Council weighed in. Computers at Risk stated: [3]

We are at risk. Increasingly, America depends on computers. They control power delivery, communications, aviation, and financial services. They are used to store vital information, from medical records to business plans to criminal records. Although we trust them, they are vulnerable to the effects of poor design and insufficient quality control, to accident, and perhaps most alarmingly, to deliberate attack. The modern thief can steal more with a computer than with a gun. Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.

Computers at Risk was also one of the first reports to suggest that networking between computers would dramatically worsen the cybersecurity situation by enabling problems to propagate electronically and by enlarging the set of potential attackers—and indeed this is exactly what has taken place.

In 1997, the President's Commission on Critical Infrastructure Protection noted:[4]

[T]he right command sent over a network to a power generating station’s control computer could be just as devastating as a backpack full of explosives, and the perpetrator would be more difficult to identify and apprehend….

[Furthermore,] the rapid growth of a computer-literate population ensures that increasing millions of people around the world possess the skills necessary to conduct such an attack. The wide adoption of common protocols for system interconnection and the availability of “hacker tool” libraries make their task easier.

While the possibility of chemical, biological, and even nuclear weapons falling into the hands of terrorists adds a new and frightening dimension to physical attacks, such weapons are difficult to acquire. In contrast, the resources necessary to conduct a cyber attack have shifted in the past few years from the arcane to the commonplace. A personal computer and a telephone connection to an Internet Service Provider anywhere in the world are enough to cause harm….

The Commission has not discovered an immediate threat sufficient to warrant a fear of imminent national crisis. However, we are convinced that our vulnerabilities are increasing steadily, that the means to exploit those weaknesses are readily available and that the costs associated with an effective attack continue to drop. What is more, the investments required to improve the situation—now still relatively modest—will rise if we procrastinate.

[1] R.R. Schell, P.J. Downey, and G.J. Popek, "Preliminary Notes on the Design of Secure Military Computer Systems," January 1973, HQ Electronic Systems Division, Hanscom Air Force Base; available at http://csrc.nist.gov/publications/history/sche73.pdf.

[2] T. Alexander, "Waiting for the Great Computer Rip-Off," Fortune, 90(1): 142-150, July 1974.

[3] National Research Council, Computers at Risk: Safe Computing in the Information Age, National Academy Press, Washington, D.C., 1991.

[4] President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America's Infrastructures, October 1997; available at www.fas.org/sgp/library/pccip.pdf.

 

SIR_MIXXALOT

11:05 AM ET

March 31, 2010

1974 Fortune Article on cyber threats

http://www.atariarchives.org/bcc1/showpage.php?page=90

 

SHIPMIKE

3:42 PM ET

March 31, 2010

Cyber issue

Professor Walt,
As a guy who goes to sea in the Far East I can attest to our concern regarding the PRC military geeks. Big issue and getting bigger.
Google it and you will find the official concerns on unclas websites.
M./R Ship Mike

 

TTALLEUR

4:11 PM ET

March 31, 2010

No, the Cyber Threat is Not Overblown (by those who know)

Steve:

The cyber threat is NOT overblown. SOME individuals hype this issue or are misquoted. The latest hype about a cyber war is confusing because the assertion is not modified.

First, those who have fought in the front line of this war for years know the actual threat. Everyone else is a commentator or analyst with no first hand knowledge or insight into this issue.

I built and ran the Computer Crimes Division at NASA for the IG's office in the 1990's. It's an electronic OK Corral shootout in cyberspace 24 hours a day with widespread wiretapping, thefts of IP, denial of service, botnet attacks, malware, ad nauseam, with cyber FACILITATED traditional crimes such as extortion, fraud schemes and other scams, traffickers in child pornography, etc.

There are three ways computers are used in cyber crime:
1) As weapons
2) As instruments in furtherance of a crime (e.g., using a computer to traffic in child porn)
3) As storage devices

60% of the suspects we targeted then were involved in new organized crime cyber groups --- not just traditional organized crime bodies in cyber space --- but new cyber organized crime groups. Of the suspects we arrested, about 50-60% had weapons on them at the time or nearby (within reach) --- often automatic weapons. We learned a long time ago that cyberspace crimes were used by criminals as an attack vector to facilitate traditional approaches to corporeal space crimes --- a form of weakening victims before corporeal space attacks occurred. In some cases, we had 5,000 felonies a day at just one NASA Center alone. This type of activity surely does not imply the work of juveniles. In fact, most of our suspects were adults, with (then) about 80% of attacks attributable to organized crime cyber groups and lone hackers and about 20% to foreign governments. These percentages have shifted over the last 10 years with a greater proportionality of attacks and problems stemming from traditional criminals using computers to facilitate non-cyber space crimes with more active involvement by foreign governments.

Second, there is no cyber war (declared) ongoing between nations. This is why Howard Schmidt said so in an interview with Wired. But, there is an ongoing criminal cyber war full time as I have mentioned. And with the attribution issues with attacks, nations do have their interactions on matters involving host nation attacks. In this sense we are at war full time.

Third, I agree with your first two points, and I believe I have addressed your points somewhat. With the third issue, I disagree a bit. One of the gigantic failures of the US Government over the past 30 years was to defer dealing with this cyberspace problem until the threat could be quantified. This occurred in the face of overwhelming cries (I was among them) to deal with this issue before it got out of control. I was one of the early advocates telling the White House NOT to commercialize the Internet without addressing safeguards. Now, it is too late. We cannot fix this problem --- cyberspace crime is now a behemoth out of control and accountable to no entity, no person, no nation. It will get worse before it gets better: we are headed for an appointment with a bad disappointment.

Fourth, we don't need another commission. The US Government has had two on this issue, and the Government always uses a commission to study a problem to defer dealing with it for a variety of reasons. We need to implement the mitigating controls we can now --- even though it is too late to fix the problem.

Fifth ... cybersecurity is a bad situation about to get worse. But it is the overall looming problem --- just an indicator of what is the big problem to come. Our failure as a nation to come up with constructive approaches to deal with pandemic problems up front like the cyber issue is the focal point. We fail to recognize the consequences of our own decisions and actions. Any future novel technology with communicative properties can be hacked. We're on a convergence course with novel technologies and IT. Once these new technologies merge, which will happen quickly, we're going to have far more difficult and complicated problems to deal with. We don't have the policy mechanisms or mindset in place to deal with these future threats.

Tom Talleur
Advanced Technology Programs Executive (Ret.)
NASA OIG
http://www.tomtalleur.com

 

GRANT

11:11 PM ET

April 1, 2010

In my opinion we won't have a

In my opinion we won't have a good grasp on exactly how dangerous it is until someone actually tries an all out attack and we get to see how it plays out. Georgia and Estonia might provide some clues, but we don't know what kind of impact it might have on a developed nation yet.

 

GSTERN

3:03 AM ET

April 7, 2010

Being prepared is half the battle

I have four words for Professor Walt: Denial of Service Attack.

It doesn't take a great deal of programming prowess to flood a server with so many users with the purpose to overload and take it down.

If so much of our infrastructure weren't computerized, then the threat might be marginalized. But as long as we're increasing the use of cyber networks and GPS based systems for civilian or military purposes, a cyber threat is not to be ignored. Calling it "too esoteric" merely says to me that Walt thinks if the average person doesn't understand the programming that it's not a threat. Is that not like saying because most of the population doesn't understand nuclear weapons in a technical sense that it's not a threat?

As to his argument for the sub-cyber categories... that's up to the bureaucracy. I agree in part that not all types of cyber-crime are the same and sub-specialties should be considered.

In regards to his dispute over the cost-benefit analysis of fighting cyber crime's threat to the power grid compared to nature... does comparing the danger of a storm crashing a power grid compared to a terrorist bombing it mean we shouldn't spend money on physical security?

Walt concludes his remarks by admitting his lack of expertise in the area. Well, he sure is right about that! His comments belie a serious unfamiliarity with computer/IT/cyber issues.

In my opinion, the best strategy for the government is to hire people capable of these sorts of attacks. The government can simultaneously learn the methods used, keep up to date on the trends that such people would be privy to, and fight fire with fire if a cyber-attack occurred. I'm not saying condone the hires' illegal activities, but provide serving the country as an alternative to their ...other activities.

 

Stephen M. Walt is the Robert and Renée Belfer professor of international relations at Harvard University.
