“Hiroshima of cyberwar”  22.10.11

How could I miss that line in Michael J. Gross’ Stuxnet article in the April edition of Vanity Fair:

Stuxnet is the Hiroshima of cyber-war. That is its true significance, and all the speculation about its target and its source should not blind us to that larger reality. We have crossed a threshold, and there is no turning back.

Nice alteration to recently excavated rhetoric corpse of the Digital Pearl Harbour by the Washington Post. “Hiroshima of cyber-war” is an allegory conveying ideas and association probably not intended by the author:

  • The dawn of a new age of geopolitics defined by control over certain technological artefacts.
  • The assumption by US security circles that unilateral and sole control over these artefacts equals incontestable geopolitical power, a truly “unipolar moment” (Charles Krauthammer) that should have lasted considerably longer than 1949 when the Soviets managed to assemble their “Fat Man” equivalent.
  • The militarisation and secretisation of a potentially benevolent technology.
  • The institution of a nuclear umbrella which served as a foreign policy instrument and “provided a cooperative structure, linking the United States in a mutually beneficial way to a wide range of friends, allies, and neutral nations.” (Nye/Owens 1996, p. 26)

A Hiroshima of cyberwar?

The ineradicable cyber-myth  21.10.11

The Epoch Times reports:

Although the attacks on Estonia—one of the world’s most wired countries—did not involve physical attack, virtually the whole country came to a standstill as banks, communications, and government fell victim to cyberattacks.

It did not come to a standstill. Whenever an article starts with this meme, enjoy the line of argument ahead. Like this one:

“Just as organized crime groups have hired hackers, it is possible that nation states could hire or distantly support jihad networks and launch cyber-attacks through them,” states an April 17 report from Project Cyber Dawn, part of The Cyber Security Forum Initiative.

I guess the story the author wants to convey is: Botnets can bring down a country (Estonia, Georgia), there is an underground market for botnets, you can rent a botnet from a criminal group or person, you can “weaponize” a botnet, elite hacker groups can consist of jihadists. Hence you can bring down the US or one of its allies by renting a botnet from jihadists.

What you could read is: Estonia was not brought down to a standstill – thanks to the intervention of some capable, mostly local IT experts –, even though it’s a small country with just 1.3 m inhabitants.

cyberwar ‘not just for a run around town’  20.10.11

Eric Schmitt and Thom Shanker, NYT:

But administration officials and even some military officers balked, fearing that it might set a precedent for other nations, in particular Russia or China, to carry out such offensives of their own, and questioning whether the attack could be mounted on such short notice. …

“We don’t want to be the ones who break the glass on this new kind of warfare,” said James Andrew Lewis, a senior fellow at the Center for Strategic and International Studies, where he specializes in technology and national security. …

“These cybercapabilities are still like the Ferrari that you keep in the garage and only take out for the big race and not just for a run around town, unless nothing else can get you there,” said one Obama administration official briefed on the discussions. … 

Some officials also expressed concern about revealing American technological capabilities to potential enemies for what seemed like a relatively minor security threat to the United States.

Read: Cyber-attack capabilities are built up in the shadows, quantity and quality unknown, to be used only in conflicts on the ‘vital-interest’-level – or as yet another deterrence (the attribution problem aside).

“so big it does my head in”  14.10.11

The unnamed Economist author shares her notes of a prep-conference for the upcoming cyber sec conference in London next month.

A “senior” participant remarked:

“It is so big it does my head in.”

But why? The author notes:

“Because this stuff is all mashed up. The interconnectedness of cyberspace breaks down borders and distinctions around which societies and states are organised.

It mashes up people and geography. …

Cyber mashes up functions. …

Cyber mashes up the trivial and the critical. …

It mashes up weapons. …

Finally, the internet mashes up state and private … “

Release often, release early:

By definition we need international co-operation. … So we should start with something small and build out. I see it as a quilt, a patchwork…  The role of NGOs, think-tank and private experts in sensitising governments, without it seeming a form of electronic imperialism, is important.

The role of states:

Whatever the threat, it seems to me that the private sector will be involved in almost all responses. One working group made the point that “knowledge implies more responsibility”.

Indeed, indeed. Operationally, cyber security rests on those who control the components that make up the internet.

In any case, it is hard to translate rules and practices of war. Two examples: – Is private industry ready to be the warfighter? – How do you put red crosses on hospitals and orphanages? Do we have to put them on separate networks, ie, create a “dot.humanitarian” domain? Here we start to move into polders. Should we create “dot.secure” areas? People are willing to give up a lot of privacy in social networking. It seems to me that they would be wiling to do it for security.


The Prince of Wales moment in cyberspace  13.10.11

Stewart Baker, former official at DHS and NSA, in an article called “Denial of Service” on Foreign Policy:

“We should not wait for our own Prince of Wales moment in cyberspace.”

Now, that’s disturbing. Virtual Pearl Harbour no more. Welcome to: Oh, that I were a bot upon that machine that I might touch that juicy data? Well, I shouldn’t start reading articles at their very last paragraph. The second last comes to rescue.

In 1941, the British sent their most modern battleship, the Prince of Wales, to Southeast Asia to deter a Japanese attack on Singapore. … It took Japanese bombers 10 minutes to put an end to their fantasy, to the Prince of Wales, and to hundreds of brave sailors’ lives.

Besides that, the message is:

But the lesson of all this for the lawyers and the diplomats is stark: Their effort to impose limits on cyberwar is almost certainly doomed.

Therefore, cyber strategies are necessary:

The offense must be powerful enough to deter every adversary with something to lose in cyberspace, so it must include a way to identify attackers with certainty. The defense, too, must be realistic, making successful cyberattacks more difficult and less effective because resilience and redundancy has been built into U.S. infrastructure.

How to identify attackers with certainty without fundamentally altering the architecture of the internet or the ability to enforce collaboration of intermediaries such as ISPs worldwide? The latter could be accomplished in several ways: a) by foreign governments as a proxy, convinced by diplomatic influence ad-hoc or by institutions such as international treaties; or b) by supportive worldwide technical communities.

Seymour Hersh’s 6731 words take on “the online threat”  26.10.10

Summary: There is no cyberwar-problem, only cyber espionage. Cyberwar is made up by cybergeddonists, who happen to work for security contractors after having left their public cyber-security posts. China has no interest in launching a cyberwar against the US, even if it might possibly have the means. Cyberwar is hardly wageable, because of unintended consequences caused be the openness of the web. Espionage could be dealt with by obligatory encryption, which however is costly and hard to operate and maintain. Non-encryption however might not be the underlying cause for internet security problems. And military activities can however have unintended consequences. Nevertheless, recommended reading.

The political situation:

In the next few months, President Obama, who has publicly pledged that his Administration will protect openness and privacy on the Internet, will have to make choices that will have enormous consequences for the future of an ever-growing maze of new communication techniques: Will America’s networks be entrusted to civilians or to the military? Will cyber security be treated as a kind of war?

Blurring definitions of cyber war and cyber espionage…

Blurring the distinction between cyber war and cyber espionage has been profitable for defense contractors—and dispiriting for privacy advocates.

The cybergeddonists’ false scenarios:

The most common cyber-war scare scenarios involve America’s electrical grid. … There is no national power grid in the United States. There are more than a hundred publicly and privately owned power companies that operate their own lines…. …an electrical supplier that found itself under cyber attack would be able to avail itself of power from nearby systems.


If Stuxnet was aimed specifically at Bushehr, it exhibited one of the weaknesses of cyber attacks: they are difficult to target and also to contain. India and China were both hit harder than Iran… The real hazard of Stuxnet, he [Schneier] added, might be that it was “great for those who want to believe cyber war is here.”

On Army General Keith Alexander (head of US cyber command, director of NSA):

One of Alexander’s first goals was to make sure that the military would take the lead role in cyber security and in determining the future shape of computer networks.

Military-civilian relationship:

If the military is operating in “cyberspace,” does that include civilian computers in American homes?

Encryption as he solution for the cyber security problems (citing John Arquilla):

“We would all be far better off if virtually all civil, commercial, governmental, and military internet and web traffic were strongly encrypted.” … “Today drug lords still enjoy secure internet and web communications, as do many in terror networks, while most Americans don’t.”

A Maginot line mentality (citing Marc Rotenberg, EPIC):

“The question is: Do you want an agency that spies with mixed success to be responsible for securing the nation’s security? If you do, that’s crazy.”

Clipper-Chip 2.0:

The legislation, similar to that sought two decades ago in the Clipper Chip debate, would require manufacturers of equipment such as the BlackBerry, and all domestic and foreign purveyors of communications, such as Skype, to develop technology that would allow the federal government to intercept and decode traffic.

A long list of interviewees and sources:

Jonathan Pollack, Whitfield Duffie, Jeffrey Carr, “a retired four-star Navy general”, John Arquilla, Marc Rotenberg, Howard Schmidt, “a senior official in the Department of Homeland Security”, William J. Lynn III, James Lewis (senior fellow at CSIS), Bruce Schneier, J. Michael McConell, Army General Keith Alexander (head of US cyber command, director of NSA), “a defense contractor” (“one of America’s most knowledgeable experts on Chinese military and cyber capabilities”), Richard Clark (cybergeddonist, security contractor and Bush’s man for cybersecurity, “poison gas clouds…”), J. Michael McConell (Bush’s second director of National Intelligence, now cybergeddonist and security contractor, “Our cyber-defenses are woefully lacking”).

Links on states’ recent activities in internet security  29.11.09

UK cybersecurity centre starting operations in March – ZDNet.co.uk
Administered by Cabinet Office; staff partly to be recruited from GCHQ, should have hacker mentality; “primarily … a defensive role “, cyberattack as “last resort”.UK also has an Office of Cyber Security (OCS), set up last summer. UK launches dedicated cybersecurity agency – ZDNet.co.uk Gordon Brown: “we … have to secure our position in cyberspace in order to give people and businesses the confidence they need to operate safely there”
As UK is at it: Digital Economy Bill passed:

Britain’s new Internet law — as bad as everyone’s been saying, and worse. Much, much worse. – Boing Boing Including 3-strikes, stricter video-game ratings, ISPs forced to deliver data with content industry, business secretary gets carte blanche to come up with stricter regulations.
“It’s a declaration of war by the entertainment industry and their captured regulators against the principles of free speech, privacy, freedom of assembly, the presumption of innocence, and competition.” (BoingBoing)

The cyberwar plan, not just a defensive game – Nextgov
Stupid headline – who would think that cyber-warfare is about defense only.
„Computerized tools to penetrate an enemy’s phone system“, „computer viruses and malicious software programs that can disable electrical power systems, corrupt financial data, or hijack air traffic control systems“, „cyber-intruders have probed our electrical grid“ (no, not the squirrel terrorists), “we’d have cadres of people who’d know how to do that”, “Military forces fight for the ownership of that domain [cyber-battlefield]”, “Defense Department graduates only about 80 students per year from schools devoted to teaching cyber-warfare”, ” proposed building a military “botnet,” an army of centrally controlled computers to launch coordinated attacks on other machines”. “The risk of losing control of a weapon provides a powerful incentive not to use it”

See also: National Journal Magazine – The Cyberwar Plan

Who’s in Big Brother’s Database? – The New York Review of Books
Degree of surveillance measured in electricity bills: 70 millions per year http://bit.ly/3DwW49

Information Security News: NIST Drafts Cybersecurity Guidance
“tackling criticism that federal cybersecurity regulations have placed too much weight on periodic compliance audits”; “more onus on applying risk management throughout the lifecycle of IT systems”. Yawn.

[ISN] Inside the Ring – Chinese, Russian cyberwarfare
Like nuke-counting in the eighties.
Noteworthy: a new Cyber Security Alliance 14 tech firms form cybersecurity alliance for government — Government Computer News

Australian government overhauls national cyber security arrangements – Government & Policy “against increasing online espionage and attacks on critical infrastructure”, new CERT Australia, Cyber Security Operations Centre (CSOC), details undisclosed

Automated Social Networking Surveillance Systems Statebook is going to be developed!?

How the Internet Ruined Newspapers, TV, Music, Movies, Microsoft – Newsweek 2010, The Internet: A Decade of Destruction – Internet Use/New Technologies „wherever companies were profiting by a lack of transparency or a lack of competition, wherever friction could be polished out of the system, those industries suffered“ – What about national political institutions (in the wider sense) then?