This “Cyberwar” Is a Cybersnooze
The AP and other sources have been reporting on a “cyberattack” affecting South Korea and U.S. government Web sites, including the White House, Secret Service and Treasury Department.
Allegedly mounted by North Korea, this attack puts various “cyber” threats in perspective. Most Americans will probably not know about it, and the ones who do will learn of it by reading about it. Only a tiny percentage of people will notice the absence of the Web sites attacked. (An update to the story linked above notes that several agencies and entities “blunted” the attacks, as well-run Web sites will do.)
This is the face of “cyberwar,” which has little strategic value and little capacity to do real damage. This episode also underscores the fact that “cyberterrorism” cannot exist – because this kind of attack isn’t terrifying.
As I said in my recent testimony before the House Science Committee, it is important to secure web sites, data, and networks against all threats, but this can be done and is being done methodically and successfully – if imperfectly – by the distributed owners and controllers of all our nation’s “cyber” assets. Hyping threats like “cyberwar” and “cyberterror” is not helpful.
Some Thinking on “Cyber”
Last week, I had the opportunity to testify before the House Science Committee’s Subcommittee on Technology and Innovation on the topic of “cybersecurity.” I have been reluctant to opine on it because of its complexity, but I did issue a short piece a few months ago arguing against government-run cybersecurity. That piece was cited prominently in the White House’s “Cyberspace Policy Review” and — blamo! — I’m a cybersecurity expert.
Not really — but I have been forming some opinions at a high level of generality that are worth making available. They can be found in my testimony, but I’ll summarize them briefly here.
What We Have Here Is a Failure to Communicate
There are two parts to securing a country: making the country secure and making the country feel secure.
The head of U.S. Strategic Command, General Kevin Chilton, failed at the latter when he talked about security in a way that produced the following headline: U.S. General Reserves Right to Use Force, Even Nuclear, in Response to Cyber Attack.
As a theoretical matter, every element of military power should be on the table to respond to attacks. But the chance of responding to any “cyber attack” with military force is vanishingly small. To talk about responding with nuclear weapons simply helps spin our country into a security tizzy.
Politicians and military leaders should stop inflating the risk of cyber attack.
Filed under: Foreign Policy and National Security; Telecom, Internet & Information Policy
Awesome, Fearsome, Awesome – Or Maybe Silly
This video is making the rounds because Senator Jay Rockefeller (D-WV) muses in it that perhaps the Internet shouldn’t have been invented.
He immediately grants, “That’s a stupid thing to say” – perhaps for political reasons, or perhaps because he recognizes that the Internet makes us much better off despite every risk it carries and security flaw in it.
But he goes on to overstate cybersecurity risks excessively, breathlessly, and self-seriously. Not quite to the point of stupid – maybe we can call it “silly.”
The Department of Defense, he says, is “attacked” three million times a day. Well, yeah, but these “attacks” are mostly repetitious use of the same attack, mounted by “script kiddies” – unsophisticated know-nothings who get copies of others’ attacks and run them just to make trouble. The defense against this is to continually foreclose attacks and genres of attack as they develop, the way the human body develops antibodies to germs and viruses.
It’s important work, and it’s not always easy, but securing against attacks is an ongoing, stable practice in network management and a field of ongoing study in computer science. The attacks may continue to come, but it doesn’t really matter when the immunities and failsafes are in place and continuously being updated.
More important than this kind of threat inflation is the policy premise that the Internet should be treated as critical infrastructure because some important things happen on it.
Of cyber attack, Rockefeller says, “It’s an act . . . which can shut this country down. Shut down its electricity system, its banking system, shut down really anything we have to offer. It is an awesome problem.”
Umm, not really. Here’s Cato adjunct scholar Tim Lee, commenting on a report about the Estonian cyber attacks last year:
[S]ome mission-critical activities, including voting and banking, are carried out via the Internet in some places. But to the extent that that’s true, the lesson of the Estonian attacks isn’t that the Internet is “critical infrastructure” on par with electricity and water, but that it’s stupid to build “critical infrastructure” on top of the public Internet. There’s a reason that banks maintain dedicated infrastructure for financial transactions, that the power grid has a dedicated communications infrastructure, and that computer security experts are all but unanimous that Internet voting is a bad idea.
Tim has also noted that the Estonia attacks didn’t reach parliament, ministries, banks, and media – just their Web sites. Calm down, everyone.
But in the debate over raising the bridge or lowering the river, Rockefeller is choosing the policy that most enthuses and involves him: Get critical infrastructure onto the Internet and get the government into the cyber security business.
That’s a recipe for disaster. The right answer is to warn the operators of key infrastructure to keep critical functions off the Internet and let markets and tort law hold them responsible should they fail to maintain themselves operational.
I have written elsewhere about maintaining private responsibility for cyber security. My colleague Ben Friedman has written about who owns cyber security and more on the great cyber security freakout.
Cato on Facebook
Cato on Twitter
Cato on YouTube
Cato Tweets