Thursday, November 10, 2011
Cyber-Terror: Still Nothing to See Here
Cybersecurity is a hot policy / legal topic at the moment: the SEC recently issued guidance on cybersecurity reporting, defense contractors suffered a spear-phishing attack, the Office of the National Counterintelligence Executive issued a report on cyber-espionage, and Brazilian ISPs fell victim to DNS poisoning. (The last highlights a problem with E-PARASITE and PROTECT IP: if they inadvertently encourage Americans to use foreign DNS providers, they may worsen cybersecurity problems.) Cybersecurity is a moniker that covers a host of problems, from identity theft to denial of service attacks to theft of trade secrets. The challenges are real, and there are many of them. That's why it is disheartening to see otherwise knowledgeable experts focusing on chimerical targets.
For example, Eugene Kaspersky stated at the London Cyber Conference that "we are close, very close, to cyber terrorism. Perhaps already the criminals have sold their skills to the terrorists - and then...oh, God." FBI executive assistant director Shawn Henry said that attacks could "paralyze cities" and that "ultimately, people could die." Do these claims hold up? What, exactly, is it that cyber-terrorists are going to do? Engage in identity theft? Steal U.S. intellectual property? Those are somewhat worrisome, but where is the "terror" part? Terrorists support malevolent activities with all sorts of crimes. But that's "support," not "terror." Hysterics like Richard Clarke spout nonsense about shutting down air traffic control systems or blowing up power plants, but there is precisely zero evidence that even nation-states can do this sort of thing, let alone small, non-state actors. The "oh, God" part of Kaspersky's comment is a standard rhetorical trope in the apocalyptic discussions of cybersecurity. (I knock these down in Conundrum, coming out shortly in Minnesota Law Review.) And paralyzing a city isn't too hard: snowstorms do it routinely. The question is how likely such threats are to materialize, and whether the proposed answers (Henry thinks we should build a new, more secure Internet) make any sense.
There are at least two plausible reasons why otherwise rational people spout lurid doomsday scenarios instead of focusing on the mundane, technical, and challenging problems of networked information stores. First, and most cynically, they can make money from doing so. Kaspersky runs an Internet security company; Clarke is a cybersecurity consultant; former NSA director Mike McConnell works for a law firm that sells cybersecurity services to the government. I think there's something to this, but I'm not ready to accuse these people of being venal. I think a more likely explanation flows from Paul Ohm's Myth of the Superuser: many of these experts have seen what truly talented hackers can do, given sufficient time, resources, and information. They then extrapolate to a world where such skills are commonplace, and unrestrained by ethics, social pressures, or sheer rational actor deterrence. Combine that with the chance to peddle one's own wares, or books, to address the problems, and you get the sum of all fears. Cognitive bias matters.
The sky, though, is not falling. Melodrama won't help - in fact, it distracts us from the things we need to do: to create redundancy, to test recovery scenarios, to deploy more secure software, and to encourage a culture of testing (the classic "hacking"). We are not going to deploy a new Internet. We are not going to force everyone to get an Internet driver's license. Most cybersecurity improvements are going to be gradual and unremarkable, rather than involving Bruce Willis and an F-35. Or, to quote Frank Drebin, "Nothing to see here, please disperse!" Cross-posted at Info/Law.
This is refreshing to see written out. I think your intuition is correct that some folks are extrapolating from the specific few (and legitimate) cases of extreme hacking to a widespread risk. In part, I think the "failure" of logic leading to this type of "generalization from the anecdotal" comes from the way in which security folks were trained during the heyday of the Cold War and the military-industrial complex, with a strong focus on "assurance" and "high-reliability."
For example: yes, it is quite true that most commercial web application servers are not provably secure. Many (most?) I suspect have, at any given time, at least one active known vulnerability which has not been patched, and probably many more. But that does not mean they are *likely* to be hacked, nor does it mean the vulnerability can be exploited to any dangerous use.
Risk prevention and risk mitigation are two different things, with the former correlating to the desire for "provable" security (e.g., it's not connected to the network, so it can't be hacked) and the latter correlating with private organizations making decisions about accepting levels of risk (e.g., yes, we're leaving that FTP port open in the hardware firewall, but most hosts aren't running a service accepting connections on it, so it's an acceptable risk).
This isn't to say that there isn't a lot of "low hanging fruit" out there for regulators. There is. But it seems to me that, as your post suggests, most of it pertains to dangers to consumers and economic factors (e.g., fraud) - not airplanes falling out of the sky (sorry, Jack Bauer).
Looking forward to reading the Article!
Posted by: David Thaw | Nov 13, 2011 11:30:27 PM