When it comes to cyber defence, assessing the risk of online warfare, or even of a “cyber Pearl Harbor”, as opposed to common-or-garden crime or espionage, is made more difficult by the lack of detail around cyber attacks and the conflation of unrelated attacks.
The revelations this week about “Operation Shady RAT”, the multi-year Chinese effort to spy on a host of foreign governments and corporations, plainly related to regulated security and commercial espionage. That is, it was a continuation of ordinary spying activities — particularly by China, where impressive levels of education don’t seem to have yet produced a strong culture of technological innovation — online, rather than a peculiarly online form of attack, and certainly not any “cyber war”. Specific details of that spying campaign, however, are typically scarce, because neither governments nor corporations are eager to reveal the extent to which they have been penetrated or the amount and type of information that has been stolen.
Worse is the tendency to lump together quite different forms of online activity. Take an AP article from a fortnight ago. After reporting the breathless urgency of the need to “achieve cyber security”, the report admits that in fact there’s been a significant fall in “the number of records compromised in data breaches” in the past year. Nonetheless, there were “3 billion malware attacks last year”. And the FBI, the report notes, recently arrested Anonymous members for “hacking into” PayPal’s web site.
Not merely is the claim about Anonymous simply wrong — there was no “hacking” into PayPal’s site, but a DDOS attack — but the “3 billion malware attacks” relates to private and corporate exposure to viruses and Trojans, rather than any strategic cyber attacks or systematic espionage such as Operation Shady RAT. And the “records compromised in data breaches”? Well, if the report used by the journalist is anything to go by (it’s here, and it’s surprisingly readable), the next “cyber Pearl Harbor” is coming soon to a restaurant near you — 65% of the recorded breaches were in retail or hospitality — criminals looking for credit card or identity details. Only 4% of attacks targeted government.
That is, despite the impression conveyed by the Shady RAT revelations, the vast majority of illicit cyber activity is criminal, and has little to do with governments, let alone constituting any “cyber war”.
This dollop of cyber warfare stupidity was recycled ad nauseam by newspapers and websites across the world, including by Fairfax here, with no effort to see if its evidence or internal logic stood up, or why it conflated credit card theft with online activism, common-or-garden viruses and cyber warfare. Similarly, Lieberman’s “digital Pearl Harbor” piece conflated attacks on Sony — carried out by 1. criminals stealing data, 2. Anonymous as part of #oppayback for Sony’s persecution of the man who jailbroke the PlayStation 3, and 3. Lulzsec for, well, the lulz — with the Iranian government’s successful raid on a Comodo affiliate to steal SSL certificates to enable it to pursue dissidents online and Chinese attacks (inevitably either done by or with the approval of the Chinese government) on the IMF. Then Lieberman threw Stuxnet — which was made by or with the assistance of the US government — in to top it off.
We get this lack of detail, and conflation of quite different forms of online attack, to justify the call to cyber arms here as well. In a recent speech launching the Cyber White Paper, Attorney-General Robert McClelland talked vaguely about “cyber crime”, cited UK figures and placed the development of the White Paper in the context of intellectual property (i.e. the copyright industry). At least McClelland avoided using the inflammatory rhetoric of “cyber warfare”. But judging by the vast volume of traffic, filesharing is plainly not regarded as cyber crime by most citizens, despite the best efforts of the copyright industry and its agents in government.
Even the supposed assessments of cyber warfare exercises are devoid of detail. The report from the 2010 Cyberstorm 3 exercise that was recently made public only has two — count ’em, two — pages of text, all of which is bureaucratic boilerplate.
All this works to vague up and conflate extraordinarily different types of activity, including the translation online of traditional crimes such as fraud, and spying, with activities such as filesharing that offend a powerful industry determined to keep gouging its customers, and online-native political activism.
This may merely be the cluelessness of politicians and journalists. But it takes on a different hue when one considers the sorts of bills being put forward by governments to address cyber threats. Lieberman’s “Pearl Harbor” claim was to advance the cause of a cyber security bill before Congress that, though absent its original “internet kill switch” proposal — hastily abandoned following the Arab Spring — would give the Department of Homeland Security control over private networks and enable information sharing about users between ISPs and network operators and the DHS with no privacy protections.
In May, the infamous Patriot Act, which contains a series of assaults on the basic liberties of Americans, was extended on the eve of expiry, amid speculation the Obama administration, like that of his predecessor, was using it to justify using mobile phone data to track people.
The overriding of privacy concerns in the name of cyber security is also reflected in the new Cybercrime Legislation Amendment Bill 2011 here, designed to bring Australia into line with the draconian European Convention on Cybercrime, which allows foreign governments to demand that Australian ISPs and telcos preserve user data, including emails, voicemails and SMSs.
And readers will recall a similar process of threat conflation went on with the recently-passed “WikiLeaks” amendment extending the ability of ASIO to gather foreign intelligence, which the government justified by explaining it was designed, variously, to address the problems of weapons proliferation and illegal fishing.
The reflexive tendency of lawmakers in “cyber war” mode — similar to their reaction to terrorism — is to tighten internet controls and remove privacy protections, and hand more money to the cyber defence industry. The Lieberman bill — which is backed by the Obama administration — would require extensive use of consultants by the Department of Homeland Security — and thus more funding for industry. Insights into the operations of the cyber defence industry continue to emerge from the Anonymous crack of HBGary Federal in February, which reveal that firm’s struggles to break into the lucrative cyber security tender market overseen by the US Departments of Defence and Homeland Security.
Most recently, Barrett Brown’s research revealed a large outsourced program, Romas/COIN, to systematically spy on Arab mobile and internet users on a vast scale. HBGary Federal, of course, also proposed to team with other cyber security contractors to conduct operations against domestic US targets including journalists and trade unions.
The irony is that at the same time as the cyber defence industry is enjoying a boom in government funding and cyber war rhetoric, its own vulnerabilities are being exposed like never before. HBGary Federal was merely the first of a string of cyber defence companies, including major defence contractors, law enforcement and government agencies that have been cracked or socially engineered this year. The HBGary Federal crack remains the standout in terms of information — Anonymous tends to overhype the material it frequently obtains — but the attacks have revealed widespread problems with security basics such as shared passwords or vulnerability to exploits derided by hacking veterans as “script kiddie” efforts.
Click below for a map of significant cracks and DDOSs relating to government, military and defence institutions or personnel since February 2011.
The combined result is an industry sector that is being given greater power, greater access to information, including personal information, greater freedom in its activities including explicit briefs to engage in espionage, and most of all greater taxpayer funding, while there remain real questions over how secure that industry itself is.
Update: The original version of this article incorrectly stated that an Iranian attack had occurred on RSA Security to obtain SecurID tokens; in fact that attack related to an affiliate of Comodo which produced SSL certificates.
BK says:
“That is, it was a continuation of ordinary spying activities — particularly by China, where impressive levels of education don’t seem to have yet produced a strong culture of technological innovation..”
Well duhh!
You don’t get innovation in totalitarian regimes unless it has to do with new forms of repression or improved techniques to dumb down the masses so they cannot think or take issue with the massive rip-offs the elites have perpetrated upon them.
Having operated under this model for 60 years and relied on stealing everybody else’s ideas, the Chinese are scrapping their Naplan-type, rote learning, mind-numbing, stimulus response education system in favour of a more liberal approach, just as the absolute cretins in this country (as well as UK, USA and Canada) strive to introduce the very design the Chinese are intent on scrapping.
My understanding is that the Chinese are sick of hiring westerners to solve their management problems and design their stuff and so, they are moving to a more generalised approach to learning and discovery, enabling an ability to think outside the prevailing paradigm (lost on climate change theorists by the way); while the dunces in Canberra are bringing in the rote learning, multiple choice tests in schools and X-Ray machines in airports and the villains run amok behind the airport barriers and the public is conditioned to accept the next big terrorism scam – the “papers please” outside the entrance to our supermarkets. Wait for it folks…..you ain’t seen nothin’ yet.
techniques to dumb down the masses so they cannot think or take issue with the massive rip-offs the elites have perpetrated upon them.
Sounds just like home.
It’s amazing how powerful, valuable and dangerous “information” has become. It is definitely the new weapon.
– Aaron
David’s opinion is well taken though brief, as is any attempt to not only name but to rectify the dumbing down of the population at the hands of the government and media. It has been quite clear for some time that the government of whatever colour prefers to keep the average Joe afraid and quiet, and in many respects this is achieved by reducing the amount of information handed out by the media at the behest of the government.
Think back to the days when one watched the ABC news to keep informed of current events, when items were exposed in some detail, and frequently followed on to the 7.30 report, where even more light was shone on the shady areas. That no longer occurs even on the ABC, where an entire famine affecting 20 million people gets about 15 seconds of coverage. There has been some attempt to tidy this up with the advent of Q and A, which not only dissects the issues from either a political or boffin perspective, but also takes on board the views of the studio audience. I noticed recently, the studio audience has also been categorised by their voting habits, which whilst not adding anything to the debate certainly identifies on occasion some of the reasoning behind questions raised.
The problem for me, is that we just accept that the government knows what’s good for us and if we just toed the party line everything will be alright. Those of us with half an interest in having a view of the thing really don’t get much of a look in when it comes to descriptions of public anger in terms of our treatment and acceptance of our treatment at the hands of not only government but also media. We accept what they present to us as “news”, and move on without taking a moment to think just what that use can do to us by way of its emotional, political or financial effect. The fact that we do accept that really just proves that David’s position vis a vis our being dumbed down at the hands of both the media and the government is accurate but what is worse is that it is accepted.
I suppose it would be difficult to get a firing line together but I certainly remember in the 70s when the mongrel cur sacked the elected government, after the Liberal party broke one of the basic laws of Westminster parliamentary system, and denied supply. Now, we have a Prime Minister leading a minority government allowed to remain in power by a decision by the Greens to support her, when it is patently obvious pillow has no interest whatsoever in Australia as the wonderful, free and caring country that it has always been, until Gillard and Abbott suddenly realised that the denizens of Western Sydney in their unemployed drug assisted hazes have enough votes to make a difference at election and therefore should be catered to at every opportunity, irrespective of the fact that they do not contribute to the economy, they are a net social financial drain, and in general are far less intelligent than most of the population.
When I think about it, and see them as just a mass of ne’er-do-wells, who are non-productive, non-contributory net drains on the economy, squealing about refugees coming into Australia and taking the jobs of the “proper Australians”, I almost find myself sickened to my stomach that this government and the current opposition would suck up to these drains to ensure their power base now and at the next election.
The final point of course is that access to media for these people, premised on the fact they have nothing else to do in their lives except watch television and drink beer, (not that I would suggest they spend a lot of time watching the news), take in their daily dose of information in 7 to 12 second soundbites, which in reality is about the limit on their capacity to manage, due to their abysmally low intellect. And these people shape the government views? Appalling.
Must be a Monday..