Is Cyber Warfare Imminent, Or Is the Hype Overblown?

    April 3, 2012

Is cybersecurity one of your top concerns? Whatever your opinion might be, the government has taken a particularly strong interest in it lately, as security breaches appear to be on the rise. In recent years, the U.S. has seen corporations such as Sony and Citibank hacked as well as various divisions of the government including the Senate and the Pentagon.

As a result of this influx of attacks, Congress is currently weighing legislation that would attempt to prevent cyber warfare. In fact, more than fifty bills have been introduced in Congress toward this effort.

Should cybersecurity be a top priority for the government? Share your thoughts.

Last year, WebProNews reported that cyber warfare was a very real threat and that social media played a significant role in it. Charles Dodd, a U.S. government consultant on cyber defense, told us then that terrorists are recruiting hundreds and thousands of people every couple of months through social media.

“Cyber will be the next generation warfare,” he said.


One analyst, however, believes the rhetoric is being overblown. Jerry Brito, the Director of the Technology Policy Program at George Mason University, told us that, while there are some very real cybersecurity concerns, the issues that the proponents of legislation are pushing are misleading.

Senator Jay Rockefeller is one lawmaker who is aggressively pushing for legislation, and he spoke about its urgency in a hearing earlier this year.

“The threat posed by cyber attacks is greater than ever, and it’s a threat not just to companies like Sony or Google but also to the nation’s infrastructure and the government itself,” Rockefeller said at a Senate Intelligence Committee hearing.

“Today’s cyber criminals have the ability to interrupt life-sustaining services, cause catastrophic economic damage, or severely degrade the networks our defense and intelligence agencies rely on. Congress needs to act on comprehensive cybersecurity legislation immediately.”

According to Brito, the evidence doesn’t match what’s being said. What the evidence does show, he pointed out, is distributed-denial-of-service (DDoS) attacks, which happen when a server is overwhelmed. This type of attack, he explained, is what happened to the Senate and CIA and is typically from a state actor or from a group like Anonymous.

Shawn Henry, the executive assistant director of the FBI, recently gave a grim summation of the U.S.’s efforts to fight these attacks, saying: “We’re not winning.” Brito, however, believes that cybersecurity should not be measured in terms of winning or losing. While a loss of information is never good, he told us that government officials are focusing on the wrong areas.

“The threat that they [proponents of legislation] cite is that a cyber attack could cause a critical infrastructure to fail, causing blackouts,” said Brito.

“This is a very real threat – it’s bad, but when you look at what sort of damage it causes, [but] more than anything else, it is an inconvenience,” he continued.

Cyber espionage is another ongoing threat, for instance between the U.S. and China. In an effort to prevent the threats from getting worse, the U.S. government is expected to crack down in this regard this year. However, Brito told us that while cyber espionage is a serious concern, it doesn’t result in mass casualties.

The third type of cybersecurity threat, and the most dangerous, is kinetic cyber weapons. Stuxnet, which was said to have targeted Iranian organizations, is an example of this type of threat. Although these weapons are extremely dangerous, Brito pointed out that even Stuxnet has yet to cause any known casualties.

“There really is little evidence for us to believe that we are on the brink of real calamity,” said Brito.

At a recent Homeland Security and Government Affairs hearing, the White House performed a classified demonstration of how the government would respond to an attack on New York City’s electrical grid. While details are classified, several people have speculated that the simulation resulted in a blackout and mass casualties. Speaking at the hearing, Senator Joe Lieberman, who is also advocating legislation, equated the current threats to September 10th, 2001, the eve of the tragic September 11th attacks.

“The system is blinking red – again. Yet, we are failing to connect the dots – again,” he said.

Brito, while admitting that the simulation was confidential, again does not believe the evidence matches the rhetoric. As he explained to us, numerous blackouts have happened in history, but they have not had devastating outcomes.

“Something like a blackout, while something that is bad and something we should definitely try to avoid, it is not the end-of-the-world scenario that a lot of folks would portray it to be,” said Brito.

“If a blackout is to cause mass chaos and a panic, we’re in big trouble not just in a cyber event but just if a tree branch falls and causes a blackout,” he added.

In response to the growing threat of cyber attacks, two bills have been introduced to Congress. Sens. Lieberman, Rockefeller, and Susan Collins wrote the Cybersecurity Act of 2012, which would require companies to meet certain security standards. Senator John McCain has also introduced a bill called the Secure IT Act that focuses on information sharing instead of regulatory enforcement.

Brito told us that he does not support legislation that would compel businesses to secure their networks in a particular way. According to him, companies are aware of the problems that exist and are more than capable of taking the security steps they need to protect themselves without the government intervening.

“There is no real need it seems for companies to be told how to secure their own networks,” he said.

Instead of legislation that regulates companies, he thinks the barriers that prevent the private sector from sharing information about cyber threats with the government should be removed. Brito believes this would be a more effective approach than legislation, as long as consumer privacy is maintained.

Incidentally, in the April 2012 edition of Smithsonian, U.S. cybersecurity advisor Richard Clarke discussed these very issues and, specifically, addressed the threat of cyber espionage.

“My greatest fear,” Clarke says, “is that, rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts. Where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China….After a while you can’t compete.”

Ron Rosenbaum, who wrote the report, closed it by making a comparison similar to the one from Senator Lieberman:

“I left Clarke’s office feeling that we are at a moment very much like the summer of 2001, when Clarke made his last dire warning. ‘A couple people have labeled me a Cassandra,’ Clarke says. ‘And I’ve gone back and read my mythology about Cassandra. And the way I read the mythology, it’s pretty clear that Cassandra was right.'”

Where does the evidence point: toward cyber warfare or manageable cyber threats? We’d love to hear your thoughts in the comments.