Cyberwar Is the New Yellowcake, Fueling a Cybersecurity-Industrial Complex
http://www.wired.com/threatlevel/2012/02/yellowcake-and-cyberwar/
We do have a “Cybersecurity-Industrial Complex” exactly like the military industrial complex with the revolving door between the government and the companies sucking on its tits. However, the problem potential is not overblown. Unlike the WMD issue which required physical substances at physical locations with at-location presence of people with particular skill sets, cyber warfare does not require any (additional) physical substances, we supply the networks and servers; physical locations, thanks to the Internet an attack can originate anywhere there is ‘net access; or people with particular skills being at any specific location, again, due to the ‘net, skilled attackers can collaborate scattered across the globe. I have studied infosec for nigh on a decade now and I can state with a bit of authority that our cyber security protection level could most generously be described as cheese cloth rent full of holes. Major network providers are focused on highly disruptive events like DDOS attacks and not on the vastly more consequential (in the long term, clearly if their network level of service is allowed to suffer they will suffer in the market place) attacks by security professionals. The mind set in much of the infosec world is that attackers are dumb (you may have heard of the term ‘script kiddies’), therefore one need only up the bar to a certain level and you are safe. That is totally wrong and it is amazing how many high-level decision makers in the infosec world (forget about the actual executives that cut checks, they are totally clueless!) think that is the real threat. The real threat is the highly skilled, highly motivated, often highly compensated individuals or groups that are _at least_ as knowledgeable about infosec as the ‘good guys’ (indeed, given that half of all (known) attacks are done by insiders, they _are_ the good guys, at least part of the time).
Yes, this is hyperbole:
In his 2010 bestseller Cyber War, Richard Clarke warns that a cyberattack today could result in the collapse of the government’s classified and unclassified networks, the release of “lethal clouds of chlorine gas” from chemical plants, refinery fires and explosions across the country, midair collisions of 737s, train derailments, the destruction of major financial computer networks, suburban gas pipeline explosions, a nationwide power blackout, and satellites in space spinning out of control.
but each individual element is plausible and defensible (if extreme) and in certain cases there is indeed evidence that some attempts have been made. I believe that without people making such radical statements no one would listen as no one has listened as infosec professionals have been shouting about this stuff for decades. Sometimes to get the sheeple motivated you need to point out the extremes of what is plausible just to get their attention. However, when (and I am certain it is a when) proof of these attacks is finally available it will be available because we have all failed to get light when we turned the switch or get water when we opened the taps or get dead air when we pick up the phone. Tearing apart the specific alarmist examples is the opposite of proof that nothing bad can happen. This is in direct opposition to the WMD example where it is possible to pick apart the chain of evidence and have the failure of a single link prove the chain is nonexistent. In the world of infosec ANY insecurity means there is no security. Sort of like fencing in a building. Even if we discount digging under or scaling the fence, if the damn fence isn’t complete there is no protection at all! If the fence is contiguous but is knee high in portions then it is again no protection! That is the challenge of infosec and that is the challenge that is not being met by the infosec community because those who have been ignored so long they start to use hyperbole in an effort to get their point across are further marginalized because of their hyperbole.
This is a bad situation that is only going to get worse! Unfortunately, the people currently in charge are so hopelessly clueless about the risks that even if they listen to their infosec professionals (the ‘real’ ones and not the ones that were promoted because they told the executives what they wanted to hear) their clueless bumbling will be creating holes faster than the infosec professionals can patch them.
Real security is hard and a pain in the ass. I get to deal with real security every day at work and it takes a dramatic toll on my productivity, yet much of the security I have to deal with is still based on trust and anyone can trivially violate that trust (much like Bradley Manning) and even if there is no intentional violation, social engineering is enormously effective and that isn’t even considering direct espionage by the bad guys (remember when we used to hear about Russian spies all the time? They might not be Russian, but there are still plenty of them!).
So in this case, be afraid, very afraid!
So, how to address this? Short of giving an IQ injection to our lords and masters (would it even take? I bet their immune system would reject it ;-)) I am not sure there is any possibility. Being able to prove that professionals have even penetrated your systems and stolen things of interest can be challenging even ignoring the requirements of police investigation constraints (presuming they can even carry out the investigation) and rules of law. When someone states that they are certain that China is behind such and such attack they are either stupid (highly probable) or bald faced liars (somewhat less probable, I suppose, because it is easier to convince dumb-assed executives to lie on their behalf) since only if someone were careless (hence a ‘script kiddie’ instead of a professional) is it even possible to trace an attack to its origin. It is also trivial to produce a traceable path that is totally manufactured, so it is actually simple for, say, Russians to make it look like the Chinese have done it. The only way I have thought to provide even minimal (effective) security is to put an artificial intelligence program in charge and that is just hustling down the path to Skynet and our eventual demise at the hands of our own weapons (or you can fantasize about alternatives if you lie).
