Jan 29, 2008

The Unbearable Lightness of Cyber-Threat Iconophiles


...read a top notch, iconoclastic article by Michael Tanji out of Haft of the Spear. I doubt not that it will be misunderstood by more than a few, less of course our seasoned and skewed regulars. Shucks - but what's new 'bout that?

I’m tired of hearing about all the “new” things going on in the cyber-war, cyber-terrorism, cyber-insert-your-term-here business. Nothing I’ve read on these issues in the last few years is any different from anything I read fifteen years ago. Issues that make headlines today were actually new when the IBM XT was a hot piece of hardware. So as a public service your author provides you with five factors to evaluate when deciding on whether or not to buy the next book or magazine with an article that suggests iDeath or e-horror is imminent. Take a pass if you detect any two in a scan of the dust jacket or lede.

Nothing is New. Any time someone talks about how new a given cyber issue is, watch out for wet paint. Winn Schwartau’s 1994 book Information Warfare was essentially the tipping point for the cyberspace-is-a-dangerous-place genre. Years earlier Cliff Stoll’s The Cuckoo’s Egg laid out what evils were in store for the nascent Internet (contrary to popular opinion, Latvia is just the latest target upon which Russians have unleashed hackers). Phishing and man-in-the-middle attacks are just variations on a theme; Computer Capers (© 1978!) talks about how people were using computers to commit financial crimes back when a portable computer required a forklift.

More Metaphors = More B.S. Any story you read that has someone fusing a lot of physical-world terms with Internet-related terms should invoke one reaction: check your wallet. The military are particularly egregious abusers in this area. After years of studying the issues, the Pentagon still has few sound ideas about how to fight and win a battle in cyberspace. That hasn’t stopped the Air Force from setting up a new cyber warfighting command (watch for the other Services to follow the money). Among the many unanswered questions: If we are about to launch an attack, do we have to get fly-over rights from Verizon? If an apparent foreign source takes out a purely commercial concern in the US, do we attack said foreign nation’s capital? Since accurately identifying the source of a cyber attack is near impossible, how do we minimize friendly-fire or collateral damage? Scratch beneath the surface and you find no solid answers.

Net-centricity is as dangerous as it is helpful. Data is not knowledge and being able to process a lot of data does not provide wisdom. Careless application of technology – particularly in a military context, though you find parallels in business as well – threatens to send us into a retrograde spin to the days of the “squad leader in the sky.” The phrase refers to the practice of some military commanders in Viet Nam who would fly above an operation and attempt to direct action on the ground (much to the dismay of those who were actually being shot at). Does having a lot of data on a dashboard fundamentally improve our ability to make decisions, or does it simply foster the illusion of situational awareness and operational control? More importantly, how wise is it to pursue such efforts given the fact that we can barely secure the networks we have now?

The “Expert” Probably Isn’t. Who do you see quoted in stories about cyber-Armageddon? Sometimes they’re white hat hackers, sometimes engineers, sometimes soldiers, but more often than not they’re people who know a lot of buzz-words and not a lot of details. I belong to a professional organization that addresses issues related to conflict in cyberspace, but there is no one in this diverse and august group who knows it all - and more importantly they would never pretend to. Being able to crack passwords doesn’t make you a digital soldier; an ex-pilot assigned to an INFOSEC job while awaiting retirement is no cyber-warrior; and a General who read Strategic Warfare in Cyberspace isn’t the information age’s Sun Tzu. The “expert” who sounds like an evangelist on this stuff isn’t a holy man; he’s a con man.

The World Doesn’t End if the Internet Goes Dark. Cyberwar breaks out tomorrow and then what? The sun will still come up and life will still go on. Everything will become more tedious and time-consuming, but for those raised in the analog age, life will seem very familiar indeed. This is not to say that there will not be economic and other implications that will hurt us as a nation, but we’re not facing life in a new dark ages or a war against the CHUDs. Coloradans dealt with the snow storm of 2007; New Englanders dealt with the ice storm of 1998; levels of individual preparedness vary, but the country doesn’t suddenly become one big post-Katrina New Orleans (especially since New Orleans post-Katrina wasn’t as bad as some made it out to be) just because connectivity drops off.

Lector Caveo should be your watchwords every time you pick up a book or magazine that purports to tell you something you don’t already know with regards to the hazards of cyberspace. Variations on well-worn themes are as multitudinous as there are bits stored on a 40 TB RAID. There is nothing revolutionary about coming up with a new way to waste money on an old idea dolled up in lipstick and pancake makeup. Threats in cyberspace are real, but what is actually scary is the fact that we readily rush headlong to expose ourselves for convenience or merely for cachet. Done properly technology should enable us to do things effectively and safely, but since security is hard, people are lazy, and hope is cheap, we usually end up hoping for the best. We’re in our second decade of cyber threats being on the national security radar and we are still not dramatically better off today than we were when we started. For an issue that should be moving at Internet time, we are still clearly operating at the speed of government.

===
Thanks to Rick Forno, Bob Gourley, and Joel Harding for their help in putting this together. All the good parts are theirs; all the bad parts are mine.


Article jacked from Michael Tanji over at Haft of the Spear.
