Cyber warfare and cybersecurity are the most heavily hyped threats in public policy since the war on terror began.
This morning, Prime Minister Julia Gillard toured the Cyber Security Operations Centre in Canberra to show off the new “Australian Cyber Security Centre” she is establishing. In the last two years, the war to shore up cybersecurity has been the basis for numerous policies, strategies and white papers across the world, and even an extension of the ANZUS alliance. Moreover, the media displays no scepticism in its reporting of claims about cyber attacks. Cybersecurity is also a huge industry. According to two of the best US researchers on the issue, Jerry Brito and Tate Watkins:
“The U.S. government is expected to spend $10.5 billion per year on information security by 2015, and analysts have estimated the worldwide market to be as much as $140 billion per year. The Department of Defense has also said it is seeking more than $3.2 billion in cybersecurity funding for 2012.”
Accordingly, it pays to be sceptical whenever politicians, commentators or companies talk about the massive threat cyber warfare poses. To help, Crikey has compiled a reading guide to some of the claims made both about cyber warfare and cybersecurity generally, and to some of the specific incidents that are used by advocates of “cybersecurity” …
Claim: 1982, Siberia: A major Soviet pipeline was destroyed by a CIA “logic bomb” (Thomas Reed, At The Abyss, 2004)
Reality: “There are also no media reports from 1982 that confirm such an explosion, though accidents and pipeline explosions in the Soviet Union were regularly reported in the early 1980s. Something likely did happen, but Reed’s book is the only public mention of the incident and his account relied on a single document. Even after the CIA declassified a redacted version of Reed’s source, the agency did not confirm that such an explosion occurred.” (Thomas Rid, “Think Again: Cyberwar“, April 2012.)
Claim: August 2003: The major north-eastern blackout that left 55 millions American and Canadian people without power was caused in part by the “Blaster” worm
Reality: Wrong.
Claim: 2007: A blackout in Brazil that left millions in darkness was the result of criminal hacking of the power system
Reality: Wrong (it was soot).
Claim: 2007: Russian denial of service attacks crippled the digital economy of Europe’s most wired state, Estonia
Reality: Wrong — the attacks on networks and government websites only briefly disrupted commerce for a few days. The online services of the country’s largest bank were only taken offline for 90 minutes on one day, and two hours the next. The Estonian economy grew at 7.1% in 2007.
Claim: 2009: The US power grid was penetrated by Chinese and Russian hackers and laced with logic bombs for later use
Reality: Unverified. The only source for the article was unnamed “current and former national-security officials”.
Claim: 2009: Spies infiltrated Pentagon computers and stole terabytes of top-secret data related to the F-35 Joint Strike Fighter “potentially making it easier to defend against the craft”
Reality: Wrong. Information was unclassified data such as maintenance and self-diagnostic schedules.
Claim: 2011: The Sayano-Shushenskaya power station disaster was “an example of what could happen in a cyberattack” (Gen. Keith Alexander, head of US Cyber Command)
Reality: Wrong — the disaster was an example of what can result from poor maintenance and management: “The ill-fated turbine had been malfunctioning for some time, and the plant’s management was notoriously poor. On top of that, the key event that ultimately triggered the catastrophe seems to have been a fire at Bratsk power station, about 500 miles away. Because the energy supply from Bratsk dropped, authorities remotely increased the burden on the Sayano-Shushenskaya plant. The sudden spike overwhelmed the turbine, which was two months shy of reaching the end of its 30-year life cycle, sparking the catastrophe.”
Claim: 2010: Stuxnet is revealed — a “miracle weapon” that opened a new era of war (various, but one example)
Reality: Wrong — Stuxnet “destroyed perhaps a tenth of the Iranian centrifuges at Natanz and delayed some uranium enrichment for a few months, but the vulnerabilities it exposed were soon repaired. Its limited and fleeting success will also have led Iran to take measures to hinder future attacks.”
Claim: 2013: The number of cyber incidents is increasing (Julia Gillard, January 2013, among many others)
Reality: It’s impossible to get specific data, or the definitions on which data are based, about cyber attacks from independent sources — claims about rising attacks come from security software companies or from governments themselves. As CRN’s John Hilvert has noted, Australian cybersecurity data has been thin on the ground until DSD’s Cyber Security Operations Centre gave some figures last year (the same ones used by the PM) — but we still don’t know what constitutes an “incident” eg: is a hacker probing a site for a weakness, finding it secured and then moving on, an “attack”?.
Because of this lack of clarity, it’s impossible to test the government’s claim that the number of incidents is on the rise. But Crikey has previously debunked a claim by the Attorney-General about rising cybercrime. Polling by Essential suggests “identity theft” that results in actual loss of money is negligible in Australia (0.6%) while around 7% of Australians had experienced some online fraud in which they’d lost money. For more serious “cyber warfare” attacks, two academics have recently tried to break down the actual numbers:
“Our research shows that although warnings about cyberwarfare have become more severe, the actual magnitude and pace of attacks do not match popular perception. Only 20 of 124 active rivals — defined as the most conflict-prone pairs of states in the system — engaged in cyberconflict between 2001 and 2011. And there were only 95 total cyberattacks among these 20 rivals. The number of observed attacks pales in comparison to other ongoing threats: a state is 600 times more likely to be the target of a terrorist attack than a cyberattack.”
Claim: June 2012: “Cyber weapons are the most dangerous innovation of this century”, “thousands of times cheaper” than conventional armaments (Eugene Kaspersky)
Reality: “A closer examination of the record, however, reveals three factors … First is the high cost of developing a cyberweapon, in terms of time, talent, and target intelligence needed. Stuxnet, experts speculate, took a superb team and a lot of time. Second, the potential for generic offensive weapons may be far smaller than assumed for the same reasons, and significant investments in highly specific attack programs may be deployable only against a very limited target set. Third, once developed, an offensive tool is likely to have a far shorter half-life than the defensive measures put in place against it. Even worse, a weapon may only be able to strike a single time; once the exploits of a specialized piece of malware are discovered, the most critical systems will likely be patched and fixed quickly. And a weapon, even a potent one, is not much of a weapon if an attack cannot be repeated”. (Thomas Rid)
Claim: A cyber attack could send western countries back to the Stone Age (various)
Reality: “Few nations have yielded to trade embargoes alone, even to universal trade embargoes. It is unclear that a cyberwar campaign would have any more effect than even a universal trade embargo, which can affect all areas of the economy and whose effects can be quite persistent. Even a complete shutdown of all computer networks would not prevent the emergence of an economy as modern as the U.S. economy was circa 1960 — and such a reversion could only be temporary, since cyberattacks rarely break things. Replace — computer network in the prior sentence with — publicly accessible network (on the thinking that computer networks under attack can isolate themselves from the outside world) and — circa 1960 becomes — circa 1995. Life in 1995 provided a fair measure of comfort to citizens of developed nations.” (Martin Libicki, Cyberdeterrence and Cyberwar, RAND Corporation, 2009)
Take a look at the Crikey server’s secure and message logs – they will be filled with break in attempts from China. Nowadays 99% of brute force attacks come from China. To the point where it’s probably a good idea to simply block China IPs completely and leave the Middle Kingdom behind the firewall.
This release from the PMs office today is claiming 5.4 million Australians “fell victim to” cyber crime in 2012 at an estimated cost of $1.65 billion. Where do these figures come from? If 80% of Australian adults have internet access and there are around 11 million homes with internet connections, unless my maths is failing me, those 5.4 million victims would be between 30% and 50% of the internet using adult population. I simply don’t believe it….sorry!!
No definition of what cyber crime is comprised of – data leaks, failed corporate security or counting of IP numbers from spam operators? Could be anything really.
Release is here
http://www.pm.gov.au/press-office/australian-cyber-security-centre
I think there may be a few too many external consultants with shiny power point presentations around and not enough real research or use of ACMA’s own published data.
ACMA reports with lots of stats (and they publish heaps of information) are here
http://www.acma.gov.au/WEB/STANDARD/pc=PC_311301
Simon,
“Nowadays 99% of brute force attacks come from China.”
Some evidence please.
Google ‘CIA” Harry
yep, its all bullshit, designed to hype up the security services budget. When there is an actual cybersecurity intrusion, they do nothing, and never prosecute anyone. Bit like the rubbish overpriced ‘report’ Robert Cornall and Rufus Black did on ASIO, just lots of pompous windbaggery pumping up threats to keep the well paid jobs coming.