Wednesday, March 15, 2017

Overselling Cyberwar

With most of us still smarting about the Russian hacking of the emails of the DNC and John Podesta, and today's stunning announcement of the indictment of two Russian intelligence officials for the huge hack of Yahoo, cyber issues are very much in the forefront.  This is a big issue for our country, and we need to take it seriously.

One problem, however: the news media too often diverts us from the real issues.  While some cyber espionage uses highly sophisticated tools, in most cases, the biggest hacks involve very simple and quite unsophisticated tools to get into our systems.  The best analogy is that we are leaving our doors and windows open.  The bad guys don't need to (and often can't) pick locks.

Evan Osnos had a piece in the New Yorker today (with the great title "How Not To Freak Out About Cyber War") that does a good job making this point:
Almost always, journalists and analysts describe the latest cyber attack as a “sophisticated” operation, even when technical experts describe them as ordinary and preventable. Ben Buchanan, a Harvard researcher and the author of a new book called “The Cybersecurity Dilemma,” wrote this week on the Cipher Brief, a security blog, that “when every case is described as unprecedented and every threat actor billed as nearly unstoppable, it fuels what I call ‘the legend of sophistication.’ The effect of such a legend is to paint a picture of a world with so many talented adversaries that practical cybersecurity is out of reach.”

In some cases, the costliest attacks are relatively low-tech. Hackers accused of working for Russian intelligence breached the Gmail account of John Podesta, the chairman of Hillary Clinton’s campaign, using an old-fashioned technique called “spear-phishing”: sending an e-mail under false pretenses to garner personal information, such as a password. Thomas Rid, a scholar at King’s College, in London, told me, “It’s like an I.E.D. In the nineties, leading up to Afghanistan, you had this expectation that the future of warfare would be very high tech, and that America would be leading because the American Armed Forces were spending so much money on network-centric platforms. But then what happened is the I.E.D. improvisation. If you drive with a vehicle that has wheels, it can be attacked. If you have an e-mail account, it can be hacked.”
As Osnos notes, while policymakers devote a great deal of time and attention to applying Cold War deterrence thinking to cybersecurity, what we really ought to be thinking about is “why don’t accounts like Podesta’s have two-factor authentication by default?”  You can read the entire piece here.


2 comments:

  1. Thanks for the post. With all due respect, the post describes the softer parts or consequences of such cyber attacks. The real issue is the one compromising not personal mail accounts and so forth... but compromising national security and state infrastructure, and here, well, this is a real danger, a hell of one!! In fact, there is a growing discussion in the international legal community concerning the classification of such attacks as crimes against humanity or, in the first place, acts of war, etc....

    Just a few negligible illustrations:

    Russian hackers, suspected of trying to infiltrate the utility system (electricity) of Vermont, here:

    http://www.reuters.com/article/us-usa-russia-cyber-vermont-idUSKBN14K01H

    Cyber attack and the right of self defense, here:

    https://opiniojuris.org/2010/04/15/the-right-of-self-defense-includes-offensive-cyber-attacks/

    Chinese hackers suspected of breaching and accessing the plans of the "Iron Dome" of the Israelis (takes serious sophistication), here:

    http://www.bbc.com/news/technology-28583283

    The nuclear program of the Iranians at the time, a malware inserted, creating a mess there:

    https://www.theguardian.com/world/2012/jun/01/obama-sped-up-cyberattack-iran

    Those are serious issues, jeopardizing very basic systems and functions of a state.


    Thanks

  2. Just a correction to my comment above:

    Instead of "accessing the plans of the 'Iron Dome'" it should be simply:

    accessing sensitive data rather....

    Thanks
