Tuesday, June 23, 2009

Cyber-Scare (Boston Review)

Evgeny runs the net.effect blog at Foreign Policy.

 

Cyber-Scare

The exaggerated fears over digital warfare
 

The age of cyber-warfare has arrived. That, at any rate, is the message we are now hearing from a broad range of journalists, policy analysts, and government officials. Introducing a comprehensive White House report on cyber-security released at the end of May, President Obama called cyber-security "one of the most serious economic and national security challenges we face as a nation." His words echo a flurry of gloomy think-tank reports. The Defense Science Board, a federal advisory group, recently warned that "cyber-warfare is here to stay," and that it will "encompass not only military attacks but also civilian commercial systems." And "Securing Cyberspace for the 44th President," prepared by the Center for Strategic and International Studies, suggests that cyber-security is as great a concern as "weapons of mass destruction or global jihad."

Unfortunately, these reports are usually richer in vivid metaphor—with fears of "digital Pearl Harbors" and "cyber-Katrinas"—than in factual foundation.

Consider a frequently quoted CIA claim about using the Internet to cause widespread power outages. It derives from a public presentation by a senior CIA cyber-security analyst in early 2008. Here is what he said:

We have information, from multiple regions outside the United States, of cyber-intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber-attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.

So "there is information" that cyber-attacks "have been used." When? Why? By whom? And have the attacks caused any power outages? The CIA may have some classified information, but very little that is unclassified suggests that such cyber-intrusions have occurred.

Or consider an April 2009 Wall Street Journal article entitled "Electricity Grid in U.S. Penetrated By Spies." The article quotes no attributable sources for its starkest claims about cyber-spying, names no utility companies as victims of intrusions, and mentions just one real cyber-attack, which occurred in Australia in 2000 and was conducted by a disgruntled employee rather than an external hacker.

It is alarming that so many people have accepted the White House's assertions about cyber-security as a key national security problem without demanding further evidence. Have we learned nothing from the WMD debacle? The administration's claims could lead to policies with serious, long-term, troubling consequences for network openness and personal privacy.

Cyber-security fears have had, it should be said, one unambiguous effect: they have fueled a growing cyber-security market, which, according to some projections, will¬†grow twice as fast as the rest of the IT industry. Boeing, Raytheon, and Lockheed Martin, among others, have formed new business units to tap increased spending to protect U.S. government computers from cyber-attacks. Moreover, many former government officials have made smooth transitions from national cyber-security policy to the lucrative worlds of consulting and punditry. Speaking at a recent conference in Washington, D.C., Amit Yoran—a former cyber-security czar in the Bush administration and currently the C.E.O. of NetWitness, a cyber-security start-up—has called hacking a national security threat, adding that "cyber-9/11 has happened over the last ten years, but it's happened slowly, so we don't see it." One way for the government to protect itself from this cyber-9/11 may be to purchase NetWitness's numerous software applications, aimed at addressing both "state and non-state sponsored cyber threats."

From a national security perspective, cyber-attacks matter in two ways. First, because the back-end infrastructure underlying our economy (national and global) is now digitized, it is subject to new risks. Fifty years ago it would have been hard—perhaps impossible, short of nuclear attack—to destroy a significant chunk of the U.S. economy in a matter of seconds; today all it takes is figuring out a way to briefly disable the computer systems that run Visa, MasterCard, and American Express. Fortunately, such massive disruption is unlikely to happen anytime soon. Of course there is already plenty of petty cyber-crime, some of it involving stolen credit card numbers. Much of it, however, is due to low cyber-security awareness by end-users (you and me), rather than banks or credit card companies.

Second, a great deal of internal government communication flows across computer networks, and hostile and not-so-hostile parties are understandably interested in what is being said. Moreover, data that are just sitting on one's computer are fair game, too, as long as the computer has a network connection or a USB port. Despite the "cyber" prefix, however, the basic risks are strikingly similar to those of the analog age. Espionage has been around for centuries, and there is very little we can do to protect ourselves beyond using stronger encryption techniques and exercising more caution in our choices of passwords and Wi-Fi connections.

To be sure, there is a war-related caveat here: if the military relies on its own email system or other internal electronic communications, it is essential to preserve this capability in wartime. Once more, however, the concern is not entirely novel; when radio was the primary means of communication, radio-jamming was also a serious military concern; worries about radio go back as far as the Russo-Japanese War of 1904-1905.

Before accepting the demands of government agencies for new and increased powers, we should look more closely at well-defined dangers.

The ultimate doomsday scenario—think Live Free or Die Hard—could involve a simultaneous attack on economic e-infrastructure and e-communications: imagine al Qaeda disabling banks, destroying financial data, disrupting networks, and driving the American economy back to the nineteenth century. This certainly sounds scary—almost as scary as raptors in Central Park or a giant asteroid heading toward the White House. The latter two are not, however, being presented as "national security risks" yet.

There are certainly genuine security concerns associated with the Internet. But before accepting the demands of government agencies for new and increased powers to fight threats in cyberspace and prepare for cyber-warfare, we should look more closely at well-defined dangers and ask just where existing technological means and legal norms fall short. Because the technologies are changing so quickly, we cannot expect definitive answers. But cyber-skeptics—who argue that cyber-warfare is still more of an urban legend than a credible hazard—appear to be onto something important.

One kind of cyber-security problem grows out of resource scarcity. A network has only so much bandwidth; a server can serve only so much data at one time. So if you want to disable (or simply slow down) the computer backbone of a national economy, for example, you need to figure out how to reach its upper limit.

It would be relatively easy to protect against this problem if you could cut your computer or network off from the rest of the world. But as the majority of governmental and commercial services have moved online, we expect them to be offered anywhere; Americans still want to access their online banking accounts at Chase even if they are travelling in Africa or Asia. What this means in practice is that institutions typically cannot shut off access to their online services based on nationality of the user or the origin of the computer (and in the case of news or entertainment sites, they do not want to: greater access means more advertising income).

Together, these limitations create an opportunity for attackers. Since no one, not even the U.S. government, has infinite computer resources, any network is potentially at risk.

Taking advantage of this resource scarcity could be an effective way of causing trouble for sites one does not like. The simplest—and also the least effective—way of doing this is to visit the URL and hit the "reload" button on your browser as often (and for as long) as you can. Congratulations: you have just participated in the most basic kind of "denial-of-service" (DoS) attack, which aims to deny or delay the delivery of online services to legitimate users. These days, however, it would be very hard to find a site that would suffer any noticeable damage from such a nuisance; what is missing from your cyber-guerilla campaign is scale.

Now multiply your efforts by a million—distribute your attacks among millions of other computers—and this could be enough to cause headaches to the administrators of many Web sites. These types of attacks are known as "distributed denial-of-service" or DDoS attacks. Administrators may be able to increase their traffic and bandwidth estimates and allocate more resources. Otherwise they have to live with this harassment, which may disable their Web site for long periods.

DDoS attacks work, then, by making heavier-than-normal demands on the underlying infrastructure, and they usually cause inconvenience rather than serious harm. Not sure how to do it yourself? No problem: you can buy a DDoS attack on the black market. Try eBay.

In fact, your own computer may well be participating in a DDoS attack right now. You may, for example, have inadvertently downloaded a trojan—a hard-to-detect, tiny piece of software—that has allowed someone else to take control of your machine, without obvious effect on your computer's speed or operations. Some computer experts put the upper limit of infected computers as high as a quarter of all computers connected to the Internet.

Because a single computer is inconsequential, the infected computers form "botnets"—nets of robots—that can receive directions from a command-and-control center—usually just another computer on the network with the power to give commands. What makes the latest generation of botnets hard to defeat is that every infected computer can assume the role of the command-and-control center: old-fashioned methods of decapitation do not work against such dispersed command-and-control. Moreover, botnets are strategic: when network administrators try to block the attacks, botnets can shift to unprotected prey. Commercial cyber-security firms are trying to keep up with the changing threats; thus far, however, the botnets are staying at least one step ahead.

DDoS threats have been far more commercial than political. The driving force has been cyber-gangs (many of them based in the former Soviet Union and Southeast Asia) which are in the extortion business. They find a profitable Internet business that cannot afford downtime and threaten to take down its Web site(s) with DDoS attacks. The online gambling industry—by some estimates, a $15-billion-a-year business—is a particularly appealing target because it is illegal in the United States: it cannot seek protection and take advantage of robust U.S. communications infrastructure. Thus, administrators of popular gambling sites commonly receive threats of DDoS attacks and demands for $40,000-$60,000 to "protect" the sites from attacks during peak betting periods (say, before big sporting events such as the Super Bowl). Many legitimate businesses fall victim to cyber-extortion, too. Since it is better to dole out a little cash to stop future attacks than to deal with the PR fallout—and possible drop in stock prices—that usually follows cyber-attacks, cyber-crime is underreported and underprosecuted.

The risks to online freedom of expression may be considerable: saying anything controversial may trigger cyber-attacks that your adversaries can purchase easily.

Another commercial opportunity for cyber-gangs is the creation of a large army of for-hire botnets, with extremely powerful attack capabilities. It is currently quite straightforward to rent the destructive services of a botnet ($1000/day is a going rate). The point was made forcefully by a controversial recent experiment: a group of BBC reporters purchased the services of a botnet 22,000 infected-computers strong from a vendor of cyber-crime services and used it to attack the site of a cyber-security company.

The commercial availability of DDoS-attack capability has generated excitement about political applications. The risks to online freedom of expression may be considerable: saying anything controversial may trigger a wave of cyber-attacks that your adversaries can purchase easily. These attacks are financially burdensome and politically disabling for the victim. Getting your server back online is usually the least of your problems. Your Web hosting company may kick you off its servers because the cost of dealing with the damage caused by cyber-attacks usually outweighs the monetary gains of hosting controversial groups, from political bloggers to LGBT groups to exiled media from countries such as Burma (just to mention some recent victims of DDoS attacks). Protection from DDoS is available, but usually too expensive for nonprofits.

An alternative to expensive DDoS protection is a kind of distributed defense network. Imagine an idealized world in which every computer has the latest anti-virus update and where users do not open suspicious attachments or visit dubious Web sites. Cyber-gangs would then be left to their own devices—to attacking with computers they own—and the security issues would be considerably diminished. This perfect world is impossible to achieve, but the right policies could get us pretty close. One option is to go "macro"—to ensure that all critical national infrastructure is prioritized and protected, with extremely flexible resource allocation for the key assets (part of the job of a cyber-czar). This, however, would do little to curb the DDoS market. Indeed, it might embolden the attackers to ratchet up their capabilities. An alternative is to go "micro"—ensure that people who are responsible for the creation of this market in DDoS attacks in the first place (i.e., you and me) are knowledgeable (or at least literate) in cyber-security matters and do not surf with their antivirus protection turned off. This latter solution could eliminate the problem at root: if all computers were secure and computer users careful, botnets would significantly shrink in size. This, however, is a big "if," and most skepticism over whether the federal government is well-placed to educate about these threats is justified.

The security threats from DDoS attacks pale in comparison with the potential consequences of another kind of online insecurity, one more likely to be associated with terrorists than criminals and potentially more consequential politically: data breaches or network security compromises (I say "potential" because very few analysts with access to intelligence information agree to speak on the record). After all, with DDoS, attackers simply slow down everyone's access to data that are, in most cases, already public (some data are occasionally destroyed). With data breaches, in contrast, attackers can gain access to private and classified data, and with network security compromises, they might also obtain full control of high-value services like civil-aviation communication systems or nuclear reactors.

Data breaches and network security compromises also create far more exciting popular narratives: the media frenzy that followed the detection of China-based GhostNet—a large cyber-spying operation that spanned more than 1250 computers in 103 countries, many of them belonging to governments, militaries, and international organizations—is illustrative. Much like botnets, cyber-spying operations such as GhostNet rely on inadvertently downloaded trojans to obtain full control over the infected computer. In GhostNet's case, hackers even gained the ability to turn on computers' camera and audio-recording functions for the purposes of remote surveillance, though we have no evidence that attackers used this function.

In fact, what may be most remarkable about GhostNet is what did not happen. No computers belonging to the U.S. or U.K. governments—both deeply concerned about cyber-security—were affected; one NATO computer was affected, but had no classified information on it. It might be unnerving that the computers in the foreign ministries of Brunei, Barbados, and Bhutan were compromised, but the cyber-security standards and procedures of those countries probably are not at the global cutting edge. With some assistance on upgrades, they could be made much more secure.

In part, then, the solution to cyber-insecurity is simple: if you have a lot of classified information on a computer and do not want to become part of another GhostNet-like operation, do not connect it to the Internet. This is by far the safest way to preserve the integrity of your data. Of course, it may be impossible to keep your computer disconnected from all networks. And by connecting to virtually any network—no matter how secure—you relinquish sole control over your computer. In most cases, however, this is a tolerable risk: on average, you are better off connected, and you can guard certain portions of a network, while leaving others exposed. This is Network Security 101, and high-value networks are built by very smart IT experts. Moreover, most really sensitive networks are designed in ways that prevent third-party visitors—even if they manage somehow to penetrate the system—from doing much damage. For example, hackers who invade the email system of a nuclear reactor will not be able to blow up nuclear facilities with a mouse click. Data and security breaches vary in degree, but such subtlety is usually lost on decision-makers and journalists alike.

Hype aside, what we do know is that there are countless attacks on the government computers in virtually every major Western country, many of them for the purpose of espionage and intelligence gathering; data have been lost, compromised, and altered. The United States may have been affected the most: the State Department estimates that it has lost "terabytes" of data to cyber-attacks, while Pentagon press releases suggest that it is under virtually constant cyber-siege. Dangerous as they are, these are still disturbing incidents of data loss rather than seriously breached data or compromised networks. Breakthroughs in encryption techniques have also made data more secure than ever. As for the data loss, the best strategy is to follow some obvious rules: be careful, and avoid trafficking data in open spaces. (Don't put important data anywhere on the Internet, and don't leave laptops with classified information in hotel rooms.)

Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts.

Although there is a continuous spectrum of attacks, running from classified memos to nuclear buttons, we have seen no evidence that access to the latter is very likely or even possible. Vigilance is vital, but exaggeration and blind acceptance of speculative assertions are not.

So why is there so much concern about "cyber-terrorism"? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety. Journalists do not help. Gloomy scenarios and speculations about cyber-Armaggedon draw attention, even if they are relatively short on facts.

Politicians, too, deserve some blame, as they are usually quick to draw parallels between cyber-terrorism and conventional terrorism—often for geopolitical convenience—while glossing over the vast differences that make military metaphors inappropriate. In particular, cyber-terrorism is anonymous, decentralized, and even more detached than ordinary terrorism from physical locations. Cyber-terrorists do not need to hide in caves or failed states; "cyber-squads" typically reside in multiple geographic locations, which tend to be urban and well-connected to the global communications grid. Some might still argue that state sponsorship (or mere toleration) of cyber-terrorism could be treated as casus belli, but we are yet to see a significant instance of cyber-terrorists colluding with governments. All of this makes talk of large-scale retaliation impractical, if not irresponsible, but also understandable if one is trying to attract attention.

Much of the cyber-security problem, then, seems to be exaggerated: the economy is not about to be brought down, data and networks can be secured, and terrorists do not have the upper hand. But what about genuine cyber-warfare? The cyber-attacks on Estonia in April-May 2007 (triggered by squabbling between Tallinn and Moscow over the relocation of a Soviet-era monument) and the cyber-dimension of the August 2008 war between Russia and Georgia have reignited older debates about how cyber-attacks could be used by and against governments.

The Estonian case is notable for the duration of the attacks—the country was under "DDoS-terror" for almost a month, with much of its crucial national infrastructure (including online banking) temporarily unavailable. The local media and some Estonian politicians were quick to blame the attacks on Russia, but no conclusive evidence emerged to prove this. The Georgian case—widely discussed as the first major instance of cyber-attacks (primarily DDoS) accompanying conventional warfare—has barely lived up to its hype. Many Georgian government Web sites were, in fact, targets of severe DDoS attacks. So was at least one bank. Yet, the broader strategic importance of such attacks within the Russian military operation is not clear at all, nor did Russia acknowledge responsibility for the attacks.

Although the attacks on Estonia and Georgia are often grouped together—perhaps because of the tentative Russian involvement in both—they are also very different. One important difference is in the degree of technological sophistication of the two countries. Attacking the Internet in Estonia, which made Internet access a basic human right in 2000, is like attacking the banks in Lichtenstein: the country's economy, politics, and even some emergency services are pegged to it so tightly that being offline is a national calamity.

Georgia, on the other hand, is a technological laggard. When Georgia's major government Web sites became inaccessible during the war, the Foreign Ministry was slow in finding a temporary home on a blog. The lapse may have gone largely unnoticed: 2006 Internet statistics gathered by the United Nations show that Georgia had about seven Internet users per one hundred population compared to 55 in Estonia and 70 in the United States. The Georgian case also highlights the danger of drawing too many strategic lessons from cyber-attacks. After all, one common result of the loss of Internet access is power outages, common during wartime regardless of cyber-attacks.

Moreover, both Georgia and Estonia are in a sense "cyber-locked," with limited points of connection (even in Estonia) to the external Internet. This limited connectivity and the two country's dependence on physical infrastructure heighten their vulnerability. Less cyber-locked nations do not face the same risk. As Scott Pinzon, former Information Security Analyst with WatchGuard Technologies, told me, "If Georgia or Estonia were enmeshed into the Internet as thoroughly as, say, the State of California, the cyber-attacks against them would have been reduced to the level of nuisance." The smartest way to guard against future attacks may, then, be to build robust infrastructure—laying extra cables, creating more Internet exchange points (where Internet service providers share data), providing incentives for new Internet service providers, and attracting more players to sell connectivity in places that now have limited infrastructure. The United States has actually done quite a bit of this already, so the Estonian experience may have little to teach Americans. While it might benefit Estonia and some other countries to invest heavily in upgrades, the United States may be able to forego dramatic and costly changes in favor of regular maintenance and incremental improvements.

Quite apart from the technological issues of cyber-warfare, there is the question of what even constitutes cyber-war. How do existing legal categories apply in this new setting?

Using the metrics of conventional conflicts to assess these attacks is not easy. How severe must the damage be in order for the cyber-attacks to qualify as armed attacks?

For largely geopolitical reasons, Estonia initially called the cyber-attacks a cyber-war, a move that now seems ill-considered (on a recent trip to Estonia, I noticed that Estonian officials had replaced the term "cyber-war" with the more neutral "cyber-attacks"). The militarization of cyberspace that inevitably comes with any talk of war is disturbing, for there is no evidence yet to link the current generation of cyber-attacks to warfare, at least not in the legal sense of the term. However, the attacks on Estonia and Georgia did each pose an intriguing legal question, and neither has yet been answered definitively. First, do cyber-attacks constitute a "use of armed force" as understood by international law (the Estonian case)? Second, what kind of cyber-attacks are allowed under the laws of war once the conflict has already begun (the Georgian case)?

The first question is the trickiest. Commenting on the attacks, the Estonian defense minister said "such sabotage cannot be treated as hooliganism, but has to be treated as an attack against the state." But did the cyber-attacks constitute the beginning of an armed conflict, as understood by the Geneva Conventions or Article 51 of the United Nations Charter? If the cyber-attacks constituted an armed attack, Estonia's NATO allies should have followed Article 5 of the North Atlantic Treaty, which treats an attack against one member state as an attack against all and calls for collective defense. NATO only sent a team of experts to assess the damage. Using the metrics of conventional conflicts to assess the severity of these attacks is not easy. How intense and severe must the damage be in order for the cyber-attacks to qualify as armed attacks? Does damage in cyberspace qualify, even in the absence of offline damage? Is inconvenience to Internet users enough? What about the duration of the attacks?

However such questions are answered, the aggrieved party would still have to prove that a cyber-attack was state-sponsored, and it is unclear how one makes this argument in a legally convincing fashion. Are states only responsible for actions they directly control? Are they also responsible for all cyber-activity in their territory? And how far does that responsibility extend? At least one computer with an IP address belonging to the Russian government was identified as part of a botnet used in the Estonian attacks, but it is hard to build a case for Russian government responsibility on that IP address alone, since there were thousands of other participating computers.

If state involvement cannot be proven beyond doubt, cyber-attacks should be treated as crimes and dealt with under national and, in some cases, international criminal law. But there are difficulties on this front as well. For example, unlike Estonia and many countries, Russia has never signed the Council of Europe Convention on Cybercrime, which is the first international treaty seeking to harmonize national laws and facilitate cross-border cooperation among states on issues of cyber-crime. This makes it impossible to hold Russia to the standards envisioned in the Convention, and international law also provides few mechanisms for punishment.

The second question—what kinds of attacks would be allowed under the law of armed conflict?—presents another theoretical challenge, though for now at least, existing legal standards may suffice to address the issues.

Common sense dictates that the severity and targets of such attacks should be guided by international law, particularly the Geneva Conventions and associated protocols. Broadly speaking, current norms state that the conduct of war must meet three fundamental standards: belligerents must distinguish military from civilian objects when selecting targets; balance military necessity with humanitarian concern (the choice of weapons is not unlimited and must be made with the avoidance of unnecessary suffering in mind); and shun the use of force that is disproportionate, in the sense that it shows insufficient attention to the unnecessary suffering that might result. These principles have proved very hard, but not impossible, to interpret in conventional conflict; applying them to cyberspace is not an insurmountable challenge.

The careful application of these three principles to the conduct of war could explain why militaries might shy away from cyber-attacks. First, it is hard to predict the consequences of such attacks; cyber-attacks typically lack surgical precision and are notorious for side effects—a virus planted in a military network could easily spread to civilian computers, causing much unanticipated collateral damage.

Second, precisely targeted cyber-attacks could be a more humane way of conducting warfare. Instead of bombing a military train depot, with collateral civilian deaths, one can temporarily disable it by hacking into its dispatch system. However, the rules of war also stipulate that once a belligerent has used a more humane weapon, it ought to use that weapon in similar situations—and who would voluntarily abandon tanks in favor of computers only?

Third, most cyber-attacks are hard to justify in strategic terms and therefore would open associated personnel to prosecution for war crimes. For example, if there is little to be gained from attacking a poorly maintained Web site of the Georgian parliament, Russia could not justify an attack on it in military terms. If it went ahead with such an attack, its commanders woul risk prosecution for a disproportionate use of force.

The Internet does create one complexity worth considering in the context of applying existing laws of war: civilians on both sides can now participate in hostilities remotely. At the height of the war with Georgia, Russian blogs were full of detailed instructions on how to enlist in the cyber-war effort. Currently, humans are of little value in this process: a conventional botnet attack is more damaging. Yet, it is possible that human-powered botnets—or "meatbots"—could soon play a more serious role. Would participants then be liable for war crimes for their actions as civilians, who, unlike combatants, do not enjoy immunity under the law of war for their participation in hostilities? Would such civilian actions fall under the category of "direct participation in hostilities," outlined in Commentary to Additional Protocol I to the Geneva Conventions ("Direct participation in hostilities implies a direct causal relationship between the activity engaged in and the harm done to the enemy at the time and the place where the activity takes place")? We may need a special clarification of this concept for cyberspace, but other metrics—the damage caused, the targets chosen, and so forth—could still apply.

There is a line between causing inconvenience and causing human suffering, and cyber-attacks have not crossed it yet.

The legal options are also complicated in the case of classical rather than meatbot-powered DDoS attacks because there are often at least five parties to it: attackers, computer users whose machines are enlisted by the attackers, target Internet sites, software vendors responsible for the exploited security vulnerabilities, and various Internet service providers who deliver the attack traffic. These parties have different degrees of responsibility, and some of them are liable for negligence, itself a murky legal area.

Putting these complexities aside and focusing just on states, it is important to bear in mind that the cyber-attacks on Estonia and especially Georgia did little damage, particularly when compared to the physical destruction caused by angry mobs in the former and troops in the latter. One argument about the Georgian case is that cyber-attacks played a strategic role by thwarting Georgia's ability to communicate with the rest of the world and present its case to the international community. This argument both overestimates the Georgian government's reliance on the Internet and underestimates how much international PR—particularly during wartime—is done by lobbyists and publicity firms based in Washington, Brussels, and London. There is, probably, an argument to be made about the vast psychological effects of cyber-attacks—particularly those that disrupt ordinary economic life. But there is a line between causing inconvenience and causing human suffering, and cyber-attacks have not crossed it yet.

The usefulness of cyber-attacks as a military tool is also contested. Some experts are justifiably skeptical about the arrival of a new age of cyber-war. Marcus J. Ranum, Chief Security Officer of Tenable Network Security, argues that it is pointless for superpowers to develop cyber-war capabilities to attack non-superpowers, as they can crush them in more conventional ways. As for non-superpowers, their use of cyber-capabilities would almost certainly result in what Ranum calls "the Blind Mike Tyson" effect: the superpower would retaliate with offline weaponry ("blind me, I nuke you"). If Ranum is right, we should forget about the prospect of all-out cyber-war until we have technologically advanced superpowers that are hostile to each other. Focusing on cyber-crime, cyber-terrorism, and cyber-espionage may help us address the more pertinent threats in a more rational manner.

In the meantime, those truly concerned about the future of the Internet, global security, and e-Katrinas would be advised to watch a recent South Park episode, in which the Internet suddenly disappears and hordes of obsessed families head to the Internet Refugee Camp in California, where they are allowed to browse their favorite Web sites for 40 seconds a day, while the military fights the no-longer-blinking giant Internet router. Finally, a nine-year-old boy plugs the router back in, and its magic green light returns. This would make a sensible strategy for many governments, which are all-too eager to adopt militaristic postures instead of focusing on making their own Internet infrastructures more robust.

No comments: