Cyberwar Is Harder Than It Looks
Internet vulnerability to attacks exaggerated, says new report.
Modern life is made possible by sets of tightly interconnected systems, supplying us with electricity, water, natural gas, automobile fuels, sewage treatment, food, telecommunications, finance, and emergency response. In wartime, combatants have traditionally sought to disrupt their enemies' supply systems, generally by blowing them up. Nowadays, many of these systems are increasingly directed and monitored through the Internet. Would it be possible for our enemies to disrupt these vital systems by "blowing up" the Internet?
The Obama administration is evidently worried about this possibility. In May 2009, the administration issued its Cyberspace Policy Review [PDF] which declared, "Threats to cyberspace pose one of the most serious economic and national security challenges of the 21st Century for the United States and our allies." A year later the U.S. Cyber Command was launched with the aim of protecting U.S. information technology systems and establishing U.S. military dominance in cyberspace. A new market research report identifies the cyberwar sector as the "single greatest growth market in the defense and security sector," forecasting that global spending on cyberwarfare will reach $12.5 billion this year.
A new report, Reducing Systemic Cybersecurity Risk, [PDF] by British researchers Ian Brown and Peter Sommer for the Organization for Economic Cooperation and Development (OECD) evaluates threats to the security of the Internet and other aspects of cyberspace, including hacking, viruses, trojans, denial-of-service, distributed denial of service using botnets, root-kits, and disruptive social engineering techniques. Such weapons have become ubiquitous and are already used in government and industrial espionage, identity theft, web-defacements, extortion, system hijacking, and service blockading.
The recent denial of service attacks on Estonia and Georgia give us some sense of the effectiveness of cyber attacks. As James Lewis at the Center for Strategic and International Studies noted, [PDF] "These countries came under limited cyber attack as part of larger conflicts with Russia, but in neither case were there casualties, loss of territory, destruction, or serious disruption of critical services."
Brown and Sommer conclude, "It is unlikely that there will ever be a true cyberwar." By cyberwar, they mean one fought solely over and with information technologies. Why? Because it takes a lot of effort to figure out new vulnerabilities in already protected critical systems and the effects of an attack are difficult to predict, including blowback on the perpetrators. More importantly, they note, "There is no strategic reason why an aggressor would limit themselves to only one class of weaponry." In a real war, cyberattacks would be an adjunct to conventional efforts to blow up critical infrastructure.
Because attacks can be launched from any set of computers, attackers can remain hidden. Consequently, a strategy of deterrence will not work in cyberwarfare because the target for retaliation is unknown. This means that resilience is the main defense against cyberweapons, a combination of preventive measures and contingency plans for a quick post-attack recovery. If cyberwarfare against infrastructure was easy, terrorists like Al Qaeda would have already tried the tactic against us and our NATO allies.
Brown and Sommer observe that the Internet and the physical telecommunications infrastructure were designed to be robust and self-healing, so that failures in one part are routed around. "You have to be cautious when hearing from people engaging in fear-mongering about huge blackouts and collapses of critical infrastructures via the Internet," says University of Toronto cyberwarfare expert Ronald Deibert in the January/February 2011 issue of the Bulletin of the Atomic Scientists. "There is a lot of redundancy in the networks; it's not a simple thing to turn off the power grid." In addition, our experience with current forms of malware is somewhat reassuring. Responses to new malware have generally been found and made available within days, and few denial of service attacks have lasted more than a day. In addition, many critical networks, such as those carrying financial transactions, are not connected to the Internet, requiring insider information to make them vulnerable.
While not everyone uses up-to-date malware detection, most government agencies, major businesses, and many individuals do, which means that would-be attackers must take the time and effort to find new flaws and develop new techniques. For example, the success of the Stuxnet worm that attacked and disabled Iranian nuclear centrifuges required very extensive intelligence gathering and knowledge of specific software flaws as well as someone able to walk into the facilities with an infected USB drive.
Brown and Sommer urge governments to ratify the CyberCrime Convention. The chief treaty holdouts are Russia and China, countries from which many recent cyberattacks appear to have originated. "We should not forget that many of the countries that are havens for cybercrime have invested billions in domestic communications monitoring to supplement an already extensive set of police tools for political control," notes James Lewis. "The notion that a cybercriminal in one of these countries operates without the knowledge and thus tacit consent of the government is difficult to accept. A hacker who turned his sights from Tallinn to the Kremlin would have only hours before his service were cut off, his door was smashed down and his computer confiscated."
Another fruitful way to address emerging cyber threats suggested by the authors is to strengthen connections between national Computer Emergency Response Teams (CERTs). CERT experts operate as a kind of early warning system and also devise software fixes to stop the spread of new malware. And they think that public policy, including procurement, can be used to encourage the development of properly tested hardware and software.
While blowing up the Internet probably won't happen, espionage, hacking, and malware will be with us always. Whatever we do to defend against them will also defend against the threat of cyberwarfare.
Ronald Bailey is Reason's science correspondent. His book Liberation Biology: The Scientific and Moral Case for the Biotech Revolution is now available from Prometheus Books.
Security is expensive and nobody wants to pay for it.
Security is expensive for deranged killers like the americans (and similar imperialists)
http://willusingtheprefixcyber.....idiot.com/
Also, ^^ this!
one of the most serious economic and national security challenges of the 21st Century
How accurate could such a pronouncement about the twentieth century have been in 1911?
Depends. If you said it about the Kaiser's push to challenge Great Britain on all fronts internationally, you'd have been right. Fucked up the whole century.
Stop harshing my mellow with retroactive prescience. 😉
Just one dude gave us two world wars, multiple totalitarian states, mass slaughter. . .and denied us the use of luxury zeppelins. One dude!
He should have his own Godwin.
"One Dude, Two Wars" in Stereopticon?
... One dude?
Derp.
U.S. Cyber Command
I so am picturing two guys in a bunker wearing green Army helmets, with banks of 5 1/4" floppy discs stacked around them, and a bank of dusty, off-white IBM XT's (now with 512K RAM!).
"Murphy, we are the last, best chance of a hopeful nation...."
Guy1: "God DAMN IT! Pass me that Norton Utility disc! I've got to unjam the....Murphy!!! Murphy?! MURPHY!!!"
*sees Murphy's dead*
"NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!!!!!"
*unloads disc, types format C:/*
I'd agree with you, except that the OS should be CP/M.
Like any historical fiction, this does not pay attention to detail 🙂
a) DOS used backslash, not forward slash to separate file address elements;
b) format c: did not require any slash anyway.
Hey, don't rain on his parade. He's probably too young to have ever seen a real DOS prompt.
Ian Brown is a researcher at OECD now? He's come a long way since he was the frontman for the Stone Roses.
(I got nothin'.)
Well, their second album was a colossal turd. Better to accept that and move on...
So what you're saying is "Cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber cyber."
Interesting.
Shuh cho mowf!
Whatever happened to cybersex?
People realized that a USB dildo and force-feedback gloves do not a hot Saturday night make. It always sounded better than the reality of it was.
So you're saying heller's Saturday nights aren't hot?
I'm sure they are just as hot as heller wants them to be.
I'm sure the friction makes the dildo mighty hot.
You know what else is "harder than it looks?"
Sudoku?
They're working on it
Are you saying "Live Free or Die Hard" was inaccurate?
Let's see: what's the least regulated environment in the developed world? The internet. So, of course, the government declares that the greatest threats of the next 90 years will come from there. I wonder why they would do that?
Gosh, they do hate freedom and unpredictable consequences, don't they? It explains the latent Ludditism in many statists.
I'm being serious here. Why the sudden "OMG alert level red" talk about "cyberattacks"?
Stuxnet has been in the news lately is maybe why.
WIKILEAKS!!!!!!1111WON
Because Israel is doing it. The USA has finally come around.
Because it's a technology and capability they can't control. And, of course, one that presents a real, if in practice limited, threat.
There's also just the "it's in vogue" answer. Like harping on cyberbullying or some other such nonsense.
They want to regulate the internet and need an excuse.
That's all.
They need to convince the general public that the world is going to end so Congress can create ten regulatory agencies to control every bit and byte that travels through cyberspace.
Consider the fact that 1,000 years ago, the Eurasian Steppes was one of the least regulated environments in the world. Every so often, a Mongol horde would come screaming out of there and raise hell in Europe, China, or both.
When living things (like even governments) smell a potential existential threat, they tend to react to it. It's just what living things do.
The Turks and Mongols were not brought to heel until the advent of decent field artillery. But until then, the barbarians were periodically able to wreak havoc and sometimes conquer entire civilizations.
What we have here is a technology venue that could -- sooner or later -- give the little guy a big advantage in a fight. We could have "barbarians" taking over from BF Egypt.
I personally don't think things have evolved to quite that point yet. But a) the potential is there, and b) computers/internet is a place where big nation-state actors could conceivably do one another some real harm, already today.
There's a certain very large nation in Asia that has invested vast sums of resources, with the intent of sooner or later being able to do just that.
While blowing up the Internet probably won't happen, espionage, hacking, and malware will be with us always. Whatever we do to defend against them, will also defend against the threat of cyberwarfare.
CYBER BULLIES!!!
*shakes fist*
Cyberwar may be hard---even very hard---but it seems that someone is getting to understand it pretty well.
What is it cybergood for?
Abcyberlutely nuthin'!
But...but...CHINA!!!!
Does this mean my plan to download all the gold in Fort Knox won't work?
Well, Reasons is still at it, claiming that computer security (or cyberspace or whatever you want to call it) is a "Nothing to see here, move along" kind of issue.
Wasn't it Katherine who put out an article on this general subject several months back? Which was so bad I had to give her a D- at best. This one is at least better, I'll give you a C- this time. Keep trying and you might get there.
Think for just a second -- you can't buy a piece of military hardware today that's any more sophisticated than a .22 shell, without it's got some kind of software running on it, and a data link to the outside world.
Anything that runs software is vulnerable unless you encase it in a 55 gallon drum of concrete.
Anything with a data link is vulnerable unless you stomp it to death beneath your feet.
There is an issue here with "cyber-security" (coin your own term if you don't like the pop term) and it does need to be addressed. From a libertarian perspective, the real threat is the fact that so many people in government today have no respect for what we used to call "inalienable rights".
But I guess that wouldn't make for as many neat headlines. Anyway, this article in itself is an exercise in "I really have no evidence to back up the position I'd like to take but let's plow ahead anyway."
Brown and Sommer conclude, "It is unlikely that there will ever be a true cyberwar." By cyberwar, they mean one fought solely over and with information technologies.
That much is true,
Why? Because it takes a lot of effort to figure out new vulnerabilities in already protected critical systems and the effects of an attack are difficult to predict, including blowback on the perpetrators.
but by this time we've already lost the trail. Do you think there are no governments out there with the resources and the will to carry out this kind of "perpetration"?
C'mon, we can do better than this. Oh wait,
For example, the success of the Stuxnet worm that attacked and disabled Iranian nuclear centrifuges required very extensive intelligence gathering and knowledge of specific software flaws as well as someone able to walk into the facilities with an infected USB drive.
I see. We do get it. Governments with the will and resources to develop this class of software must in fact exist, somewhere on planet earth.
Though I will add, we are assuming here that Stuxnet actually did do the damage that the NYT article claims was done. That Stuxnet exists, we can believe. That it succeeded in messing up Iran's facilities? Maybe. Or maybe it's to Iran's benefit, for whatever reasons of state, to let the world believe it is so.
"If cyberwarfare against infrastructure was easy, terrorists like Al Qaeda would have already tried the tactic against us and our NATO allies. "
Uh, no. AQ wants suicide bombers, it's part of their whole M.O. Besides if they were willing to do things "the easy way" there are many, much easier ways to wreak destruction than cyberwar. Not to mention the fact that while nation-state governments can manage the resources necessary to pull off something like Stuxnet, Stuxnet class software is very likely beyond the capacities of an organization like AQ.
It's way easier to teach people how to build bombs than it is to develop a Stuxnet class piece of software.
To finish this out, tell me how it is that we do not have an utter contradiction between these two statements:
1) Because attacks can be launched from any set of computers, attackers can remain hidden. Consequently, a strategy of deterrence will not work in cyberwarfare because the target for retaliation is unknown.
2) The notion that a cybercriminal in one of these countries operates without the knowledge and thus tacit consent of the government is difficult to accept.
And this comes straight from the primary source that you're basing your case on. I call your primary source "highly suspect".
I'll give you what's genuinely intended to be a friendly piece of criticism. Ron is more likely to get his arms around this topic than anyone else currently on the Reason staff. But computer and internet security is no simple subject to get your arms around. If you really want to go into this topic area, I'd give serious consideration to a) hiring someone who actually knows what they're talking about or b) give this particular topic a pass.
Don't underestimate the depth of the water. To understand computer and internet security, you just about need someone who eats, sleeps, and breathes this subject, day in and day out. It just isn't armchair philosophy. I see real prospects of Reason making itself look not so good by putting out articles that are misinformed.
Awesome, a response as long as the article, I'm sure everyone will read it.
The inability to identify an attacker is the primary technological limitation in applying conventional legal doctrine to cyberwar. This limitation is technological, though, so it can be solved technologically.
Ebenezer: Someone once defined journalism as getting one's education in public. In the age of internet commenters that is doubly so. Thanks for your comments, but I am puzzled by a couple of them. For instance, I wrote that if it were easy to do cyberwar, then Al Qaeda would have already tried it. You appear to disagree and then write: "Besides if they were willing to do things "the easy way" there are many, much easier ways to wreak destruction than cyberwar." Well, yes, that's what I thought I had written.
One vision of cyberwar that I believe the authors are arguing against is that somehow "pandemic" weapons that could take down all computers and networks in a country might be developed. They give good reasons for why they think that this is implausible. They do worry about EMP as weapon, but that is not by their definition a cyberweapon.
With regard to nation states, they do have the ability to develop sophisticated cyberweapons, but do they have the motivation to use them? The authors argued (persuasively to me) that nation states would fear blowback from unleashing whatever cyberweapons they develop, and so in some sense are self-deterred.
In any case, I certainly do take your criticism on this topic as friendly and please keep doing it.
Ron, I'm glad you responded. I think I understand what you meant better now, and I think we're a lot more in agreement than I had initially thought.
Well, yes, that's what I thought I had written.
My bad on that one.
Maybe it's the color of my glasses. Let's say I have some familiarity with the kinds of problems the police, military, and industry at large face in "cyberspace" (a term I dislike but it works). It would be nuts to even suggest that there are no problems there, because they are legion.
But the context that matters for security is all out war, when state actors might use everything they've got.
There is the issue that so much computer hardware is manufactured in China today. Some might like to believe that doesn't matter, but I think they're wrong.
OTOH, I'm afraid that the people who are going to be addressing these problems (and they will be), are going to trample all over our rights in the process.
So I think we are largely on the same page after all. That wasn't clear to me on first reading, but maybe I need to take my glasses off first from now on.
Some of us do eat, sleep and breathe the subject at least a few hours each day, and I think Ron's pretty much on target here. If it were that easy to take down a power grid somebody would have already done so--there are lots of smart, crazy geeks out there.
Same goes for any other doomsday cyberscenario.
As far as smart crazy geeks, you're right.
Your comment made me think -- as this debate unfolds in the public arena, we need to draw a crystal clear line between threats from ordinary hackers, and threats from state actors. They aren't the same thing.
I sincerely doubt that even an AQ grade hacker network, could marshal the resources to do something like Stuxnet.
On the other hand, China could. And while they probably couldn't take the whole electric grid down, I wouldn't say that they couldn't do us some real harm. In a real war, I'd expect them to try.
That's another distinction to be made clear: are we talking about "normal" life, or are we talking about all out war? Under normal conditions yes, state actors will hold back for obvious reasons. During a war they probably won't hold back.
If we want to preserve our rights, I believe we need to clearly identify the conditions under which "cybersecurity" is, and isn't, an issue that the government ought to be worried about. So that we can draw lines like "Yes, the government does need tanks to defend the country" but "No, they don't need to be using tanks to police shoplifters at grocery stores."
We should not let anyone blur these lines as the debate progresses.
Personally, my working assumption is that any threat assessment by any government is grossly exaggerated in order to secure funding.
DING! DING! DING!
We have a winner!
Thanks for injecting some common sense into the debate. Hackers make headlines but any programmer or admin can tell you that software rushed into production is a heck of a lot more frightening.
Nobody is better at rushing untested software into production than government.
I know from personal experience.
And yes, it is very frightening.
I get the feeling that any "real" attacks on the Internet will come from somewhere other than within the Internet. People are always the weakest part of a security system.
Amen. Nothing like having your highly expensive, perfectly configured firewall circumvented by some jerk with an 8 dollar thumbdrive.
The internet is used for spying on the population, that is why governments move to police it. It gives them an excuse like Y2K to fulfill the argument that people should be watched all the time.
Right, not everyone uses up-to-date malware detection software. Maybe viruses, spyware and other malware come from several computer security software companies, so clients will buy their products...
is good
is good
This plan has no merit
good