Marcus Ranum is an expert on security system design and chief security officer for Tenable Network Security.
I've worked on information security for more than 20 years, and during that time, there hasn't been a year that has gone by without news like "hacker breaks into Department of Defense computer networks" or "industrial spies access high-tech plans." Suddenly, the steady drumbeat of computer/network security has been pushed to center stage, and now our government is talking about "cyberwar" and pointing a finger at China. Unless you've been asleep for a decade, you ought to be worried when our government starts using the rhetoric of warfare—especially vocabulary like "pre-emptive" and "deterrence." Why the sudden change?
Anyone involved in sales knows the "FUD sell"—based on fear, uncertainty, and doubt. Some of the talking heads who are declaring us to be in danger want to sell billions of dollars of solutions to the problem. They are often the same people who had "ownership" of the problem before they stepped through the revolving door into private-sector executive positions. Now they'll get it right? I'm skeptical.
Let's consider what they're saying. The notion of cyberwar is that it would serve as a "force multiplier" for conventional operations. Preparatory to attacking a target, communications networks and command/control systems would be disrupted, power systems might be temporarily crashed, navigation systems confused, etc. Proponents of cyberwar claim that it might save lives; I've even heard them claim it's more effective to recoverably crash a nation's power grid than to bomb it with precision airstrikes. The misdirection works, however. We're now down into the technical weeds and lose track of the main question: "What war?"
When some pundit says that we're losing a cyberwar to China, is he saying that China is preparing to crash our electronic infrastructure so that it can invade? The mind boggles. The last time I asked a cyberwar proponent that question, he quickly explained that, no, we were talking about potential economic warfare. But isn't there already an ongoing economic war we call "the global economy"? Assuming China would try to deliberately crash our economy presupposes that the Chinese are so stupid that they'd want to devalue the huge chunk of the U.S. economy that they already own, and crater their own economy while they were at it. I keep waiting for a spokesperson of the Chinese government to officially say, "Please stop assuming we're idiots." If China wanted to drop the hammer, it would start trading in euros instead of dollars. But who has the time and energy to invade, disrupt, or destroy? We're business partners, we're competitors, and there's money to be made!
Isn't it absurd that the FBI announces that our "smart power grid" systems are massively penetrated by cyberwarriors from "hostile powers" even as U.S. energy companies are bidding on multibillion-dollar contracts with the Chinese to sell them their own smart power grid?
All websites are constantly probed for weaknesses by robotic worms, spammers, hackers, and maybe even a government agent or two. Complaining will not work. Making threats will not work. If cyberwar changes one thing about the military landscape, it's that we can finally put away the hoary old saying, "The best defense is a strong offense." The only defense in cyberwar is having a good defense.
Intelligence—cyberespionage, if you will—is not cyberwar. It's just business as usual. But the cyberwar pundits lump everything in the same bucket, pointing the finger at another nation-state and saying we're under attack. What's scary is that the accusations are coming from places they shouldn't be. I think we're seeing a bureaucratic attempt at budget and turf enlargement by the FBI. But someone needs to ask why the nation's cops are suddenly involved in international diplomacy. That's the State Department's job.
And accusations should be accompanied and supported by publicly accessible facts, not just leaked classified reports. The reports apparently contain bizarre inaccuracies. According to journalist Gerald Posner, the FBI's classified report indicates that China has developed an army of 180,000 cyberspies. Were the Chinese planning human-wave attacks? Or did the FBI count every student studying computer science in China as a government-sponsored cyberwarrior? That might seem like a facetious question, but recently we learned that, in one of those reports, a computer science graduate student's paper on power-grid security was magically transformed into a road map for cyberattacks on the United States. Elsewhere, fevered claims that cyberwar could have "WMD-like effects" are offered, an insult to any reader's intelligence.
The Estonian cyberwar of 2007 is another good example. Initially, wild claims were that it was a Russian-sponsored attack of incredible sophistication, a possible preparation for a real assault. It turned out to be more a case that the Estonian government's defenses were weak, a handful of individuals caused all the trouble, and Russia wasn't involved.
Or consider the July 2009 attacks that initially appeared to come from North Korea, leading Republican Rep. Peter Hoekstra of Michigan to call for U.S. retaliation. Researchers determined that the attacks originated with a handful of individuals in the United Kingdom. If you can't be sure who is attacking you, retaliation is not just stupid, it's immoral.
As taxpayers, we have a problem: Give more money to someone who built a disaster, and you'll get a bigger, more expensive disaster. The need for a mature, national-level approach to cybersecurity is painfully clear, and it starts with leadership, rational assessment of our problems, cessation of finger-pointing and yellow-peril screeching, and an honest after-action review of how we got to where we are today.
Ready why cyberwar counterstrike capabilities protect America, by security analyst James Lewis.