Now repeat poster, Ben, was chomping at the bit to be share his thoughts on (brace yourself) Cyber War. Further, he wanted it introduced with some AC/DC lyrics from “Thunderstruck”. We at least thought we could go with “Let’s have a war” by Fear (or A Perfect Circle) instead. Someone should update it for “Let’s have a (cyber)war” sometime. With some level of protest… have at it.
…I was caught
In the middle of a railroad track (Thunder)
And I knew there was no turning back (Thunder)
My mind raced
And I thought what could I do (Thunder)
And I knew
There was no help, no help from you (Thunder)
Sound of the drums
Beatin’ in my heart
The thunder of guns
Tore me apart
You’ve been – thunderstruck..
by Ben Tomhave (@falconsview)
I’ve been reading Richard Clarke’s latest book, Cyber War, recently in an effort to delve deeper into the topic. Maybe it’s been all the recent inflammatory rhetoric, or maybe it’s an earnest interest, or maybe – just maybe – it comes from an innate interest in fighting obtuse uses and abuses of FUD.
The tone of the book initially is far less FUD-y than one might expect. Some of the tech details are clearly off a bit, but overall it’s been surprisingly level-headed. Except for the scenarios. These are some of the most over-the-top scenarios I’ve seen since “digital Pearl Harbor” in 2000. However, in this case it gives me pause, and not just because of the glaring FUD factor.
What I wonder is this: just how much data and control must we lose before we stand up and start taking action? How much proprietary designs, plans, formulas, etc., must be compromised? How many SCADAsystems have to be pwnd? Is it really going to take a massive blackout before energy company execs wake up and smell the ozone?
Clarke asserts that foreign assets already have embedded attack tools (“logic bombs”) into many, if not all, critical infrastructures. We’ve not done an adequate job of supply chain management, so consider that his assertion may, in fact, be fact-based and plausible. Now add factual assertions that massive research databases (academic, government, and corporate) have been copied wholesale by these same foreign assets. Accept this as fact, if you will, and not as FUD. How does this change your perspective on the topic?
The Case For FUD
Taking the previous examples as fact (as an example here – we can debate the depth of pwnage, but I think we can all agree that there are serious concerns here), there may be a valid case for FUDtastic scenarios like the ones Clarke uses in his book. The “digital Pearl Harbor” example of yore is nothing. He puts an interesting spin on it: what if there is reasonable upside to a foreign power to take down our critical infrastructure in a single, well-coordinated attack? What if our assumption of a “cold war” styled standoff (based largely on a belief in economic interdependency) isn’t actually valid?
If anybody has attended Black Hat and DEFCON, then they should know definitively just how good the breakers are these days, and just how behind the curve most organizations really are. Pulling out a book like Clarke’s can help drive home this point in a wonderfully FUDerific manner. “If you don’t fix things NOW, then you will lose everything!!!” Or so it might go in your head. After all, there’s nothing like a healthy dose of fear to motivate people. Or does it really work that way?
The Case Against FUD
There are a couple deficiencies with using FUD to make an argument. Excessive and continuous use of FUD can elevate the message to a state of background noise. It can also hurt your credibility. If every time you open your mouth FUD spews forth, then people will tune you out or avoid you. We in infosec – especially vendors – seem to be guilty of this historically, as evidenced by how hard it is to get the attention of execs.
Another problem is context. If everything is expressed as the highest of high risks, then how do you decide how to respond? If everything rates a 10 (on a 10-pt scale), then does that mean everything must be addressed immediately? How do you justify that?
Along these same lines, there’s also typically a lack of adequate supporting data to justify the consistently hyped state. Where are the metrics and measurements? Have the risk factors been measured and ranked using a reliable method? FUD tends to not have these supporting structures, which further damages credibility.
“We’re So Screwed”
This statement probable summarizes our situation today, at least from the U.S. perspective. How do we get this message across? If we have a high degree of credibility, and if we haven’t abused the use of escalated rhetoric, and if we have some facts to back us up, then and only then can we whip out some FUD to make our point (of course, we could debate if this is really FUD, but I digress…). You have all thattoday, right? No? Uh oh. Now what?
This, I think, reflects our current situation. We are sorely in need of a breakthrough, too (SCADA owners – I’m looking at you!). One such step being taken is that DHS is now sending teams off to energy companies to help with security, but this seems unlikely to be sufficient. We have decent methods for modeling risk (e.g. FAIR). How do we take the next step? How do we get the message across in a meaningful way that spurs meaningful action?
What do you think?