The consensus is in. Stuxnet, the malicious software that inflicted physical damage on Iran’s nuclear program, is cyber war. But China’s attacks on Google a year ago and the whole WikiLeaks thing are not. WikiLeaks, in fact, is more like piracy.
This consensus has been emerging during the RSA Conference on information security being held this week in San Francisco, and especially during today’s panel “Cyber war, Cyber security, and the Challenges Ahead”.
Some delegates had been telling security specialist James Lewis that they saw WikiLeaks as an attack on the United States. “WikiLeaks is ‘the first battle in the first cyber war’,” he said. “All that strikes me as nonsense.”
Bruce Schneier, widely respected as a guru of information security, and whose blog is a must-read, agrees.
“The State Department I think has finally learnt what the music and video industry learned 10 years ago, that it’s really easy to share digital files on the internet. Welcome to the internet!” Schneier said. “You might have relied on the difficulty of moving big stacks of paper, or records, or movies for your security before, but you can’t any more.”
Schneier thinks we might be seeing the emergence of a new business model in secrecy. “The old model isn’t working. You can’t have a system with a hundred thousand million people having access to it and expect it to be secure, just like you can’t give a CD to a million fans and expect them not to copy it,” he said.
For the past 25 years, information security has primarily concentrated on perimeter security, on preventing the bad guys getting in. That’s what network firewalls do. That approach has been wrong, according to Mike McConnell, a former director of the US National Security Agency and Director of National Intelligence to George W Bush.
“We increasingly have to have people start to spend their time and energy on the fact that you could lose the thing that’s most dear to you from someone that’s on the inside that has legitimate access,” McConnell said. Which is precisely what Bradley Manning is accused of in relation to WikiLeaks.
The consensus is also that Stuxnet represents a phase shift in information warfare, and there’s more to come.
As US Deputy Secretary of Defence William Lynn told the conference yesterday, the attacks they had seen until this point had only caused disruption. They were relatively unsophisticated, short in duration and narrow in scope. The ability to cause physical damage “marks a strategic shift in the cyber threat”.
“When you look at the cyber tools that are available, it is clear that this capability already exists. It is possible to imagine attacks on military networks or critical infrastructure like our transportation system and energy sector that could cause severe economic damage, physical destruction, or even loss of life,” Lynn said.
Bob Dix, a critical infrastructure protection specialist from Juniper Networks, put it more bluntly. “We need to understand the capabilities in this cyber realm can kill people, and folks need to understand that capability is here today.”
*Stilgherrian is attending the RSA Conference in San Francisco as a guest of Microsoft.
And may be it isn’t.
Wikileaks is like piracy? How?
Informing citizens what their governments are doing secretly in their name seems more like restitution than theft to me.
“WikiLeaks, in fact, is more like piracy?”
WikiLeaks, in fact, is more like publishing.
What kind of person was Manning.Was he caring,what were his motives,did the cynicism/deception of govt change his psyche to the point where his “Well Being”no longer mattered to him.Surely he must have known that he would be caught and interrogated to within nanoseconds of insanity/death.This information has confirmed what many suspected of our Governments worldwide and we should be grateful to the Manning’s of this world and what people like him lose.Just don’t expect to see many more leaks,the price for a leaker/whistleblower is unbearable to imagine.
The HB Gary emails leak showed how naked the cybercop emperor is. They excel at selling cliche collages to no-clue soldiers and politicians, but these guys fail to deliver so routinely its .. curious. Fresh in the news is eTreppid, just the latest multimillion$ clusterfuck courtesy of (US) defence procurement,
http://www.smh.com.au/technology/security/geek-cons-us-out-of-20m-with-bogus-software-to-stop-alqaeda-20110222-1b2x2.html
The things you can get away with if you’re a well connected rightwing fundamentalist.
Who wants to start a list of true-blue cyber-cons of our DoD? (Firepower p/l doesn’t count, nor the JSF)
@ Stilgherrian – since you’re there, can you ask Peter Theil of Facebook if breaking the FB Terms of Service to scrape data for Palantir’s corporate security contracts (eg. Bank of America vs. wikileaks) bothers him much.