Beware of Falling Turtles (Plus other things that shouldn’t really frighten us)
I hereby pronounce today "Cyber-FUD-Friday". I don't know about you, but I tend to wince anytime someone uses the word "Cyber". Combine that with an emotive word like "war" and suddenly everyone has an opinion and is touted as an "expert". Huh, kinda reminds me of Cloud Security ;-). This week's guest post delivers a much needed dose of perspective. Thanks Jayson!
By Jayson E. Street
456 BC: Aeschylus, a Greek playwright, was killed when an eagle dropped a live tortoise on him, mistaking his bald head for a stone. The tortoise survived.
Dying by a falling turtle has been documented and therefore is a proven threat. However it still remains unlikely for you to die that way. Cyber-War (what the cool kids are calling it) has in fact happened. This proven threat does not necessarily mean a country’s smart grid is going down anytime soon. I started doing research for a book I am writing which includes cyber-warfare. During that process I was startled by a few things I observed.
1. People who know what is going on don’t talk about it to either confirm or deny it. Conversely, people who don’t really know what is going on have no problem speaking about it at great length with much authority.
2. In a realm where anonymous attacks are the norm not the exception, people are really quick to lay blame on who is doing what.
3. Everyone is INVOLVED!
Observation One: I am not an expert on cyber-warfare. This is just something I started researching for supporting material in a book. Like a lot of people I had been reading on this subject, I had not been to any of the countries commonly named as participants in cyber-warfare. I knew I would not get good answers without “boots on the ground” experience. I applied for my passport and took my first trip outside of the USA. I wanted to see what was really going on. The best place to begin seemed like China. After all, the people who were doing the talking were dropping that name with great frequency. I attended Xcon where I had dinner with GoodWell, the founder of the Green Army. He is commonly known as the godfather of the Chinese hacker movement, with activity going back to 1997. He has gone the way of his Western counterparts. He has left his past to apply the knowledge gained from underground hacking and illegal breaches for a more legitimate profession that pays better and comes with cool business cards. He now consults with billion-dollar clients. I was amazed to sit there and listen to his concerns of how hacking has become more a tool of crime rather than exploration and political action. Here was one of the major figures of the Chinese hacking culture expounding on the problems with criminal hackers and worried about so many attackers assailing Chinese networks. In fact, the typical Chinese home computer user is under constant attack from bots, Trojans and also a virus here and there (sound familiar?). So my first trip abroad was a real eye opener. I learned to not be so quick to judge or take everything I hear about “Cyber-Warfare” as gospel. It was after I returned home that I started listening more to what “experts” were saying about cyber-war. I realized most have been using data from certain 2003 incidents. Their opinions were not based on data gained first-hand.
Since then I have traveled to other countries and gained a more open perspective of what is going on in this realm. The most important thing I have learned still remains what I knew from the beginning. I am not an expert, but I can form opinions based on what I know first hand. I am limited to information in the public domain, but that is not all there is to the story. Most of the sources offering opinions have the same limitation.
Observation Two: I believe this to be the biggest problem facing those who are on the front lines – the battlefield is virtual. A physical attack is much easier to detect and trace back to the source. You can see the path the attackers take. You can see the bullets they fire. The person attacking you with a DDoS is harder to trace. The recent attack on South Korean and United States websites showcases the perils of being quick to judge and even quicker to accuse. For example, within a week of the attacks Congressman Peter Hoekstra of Michigan (1) insisted we needed “to send a strong message.” Yet to this day there has been no positive proof who was actually responsible. With $50,000 USD anyone can hire a botnet to replicate these attacks. It is that easy because most criminals are not motivated by politics but by money. This also poses another problem. When anyone can hire or create their own army of compromised computers, does it make the impact less because it was a guy in Paraguay who was curious and wanted to see if he really could take down the White House website? In a way it would be more comforting if such activity were limited to the high tech branch of a rogue nation launching an opening salvo in a cyber-attack. That can be an easier target for a response. But the same damage is felt regardless of who dealt the blow. As time goes on expect to hear about more cyber attacks that are “thought” to be either this country or that country but with no publicly available proof of who was responsible.
This is a problem that will not be going away. So how can you protect and more importantly trace the attacks when the bullets appear from everywhere including from your own side?
This brings us to Observation Three: who is now involved in cyber-war activity? The answer is EVERYONE! I would say (just my opinion based on my research) that most every industrialized nation is working on a military hacking division (or whatever a government wants to call it). The Chinese were probably the first with the Indonesian cyber-skirmish in 1998 (2). 1998 was also a notable year for the ramping up of cyber-warfare capabilities in the USA. Attacks on Serbian air command were used to help facilitate USA airstrikes as well as targeting enemy bank accounts (3). Also in the late 1990s, a computer specialist from Israel's Shin Bet was able to compromise the mainframe of the Pi Glilot fuel depot north of Tel Aviv (4).
So here we are over 10 years later still wondering what “Cyber-Warfare” is, who is doing what, and what can we do to defend ourselves? It is also a safe assumption that everyone is also getting much better at attacking. We are not learning from the past and the old adage bears true that we will likely repeat it. The 1980s were the decade to fear the nukes. This decade we fear the digital arsenal. The good news is we did not die in atomic fire (though that was a proven threat). The bad news is we found something else to fear (and we always will). We need to understand the threat of a digital holocaust is a possibility. And so could a nuclear war break out, Swine flu become an epic pandemic, a meteor wipe out all life on the planet or a falling turtle kill one of us. The threats are real. But should we panic? No, probably not.
1. http://www.scmagazineus.com/cyber-retaliation-debate-is-north-korea-guilty-of-ddos/article/139968/
2. http://www.disasterpreparednessblog.com/disaster-preparedness-blog/2009/10/22/chinas-cyber-warfare-capabilities-highlighted-in-report-to-c.html
3. http://findarticles.com/p/articles/mi_qa5332/is_1_48/ai_n28827258/?tag=content;col1
4. http://www.alertnet.org/thenews/newsdesk/LV83872.htm