Report: U.S. Is Hyping Threat Of Cyber War

A new report suggests that lawmakers, policy wonks and
corporations are sensationalizing the risk of cyber attacks far beyond the
actual threat. The inflation of cyber security threat, like the inflation of the threat of Communism during the Cold War, or terrorist acts in the wake of the 9/11 attacks, could lead to laws
that curtail individual freedoms and regulate the Internet in
unnecessary ways, the report concludes.

CyberwarA new report suggests that lawmakers, policy wonks and
corporations are sensationalizing the risk of cyber attacks far beyond the
actual threat. The inflation of cyber security threat, like the inflation of the threat of Communism during the Cold War, or terrorist acts in the wake of the 9/11 attacks, could lead to laws
that curtail individual freedoms and regulate the Internet in
unnecessary ways, the report concludes.

The paper by Jerry Brito and Tate Watkins at the Mercatus Center at George Mason University is “Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy
(PDF). It appears in an environment of heightened debate about the
breadth and consequences of U.S. government investments in cyber
security. Incidents like the breach at security firm HB Gary have raised the specter of sophisticated cyberwarfare tools and tactics being used for civilian or commercial ends. At the same time, independent
research has thrown a shadow of doubt over official and industry
proclamations about the comparative strength of nations like China
or its ability to triumph should a cyber war actually happen.

Warnings about a pending “digital Pearl Harbor” have been floating
around for much of the last decade, but have often had difficulty
catching the notice of lawmakers who were more focused on dirty bombs
than ddos attacks. Today, after high profile cyber attacks the U.S. and
other governments and western technology and defense firms have made
headlines, politicians and policy makers have suddenly “discovered” the
cyber threat. But now the pendulum may be swinging too far in the other direction.

Brito and Watson compare the current panic about cyber
security among the Washington D.C. political and policy elite with the
Bush Administration’s now notorious run up to Operation Iraqi Freedom,
the 2003 invasion of Iraq that toppled Saddam Hussein.

As with the
alleged ties between Saddam Hussein and Al Queda, and the rumored
weapons of mass destruction (WMD) hidden in Iraq, warnings about the
looming threat of cyber war are hard to justify based on facts, the
researchers suggest. Seminal reports like the Center for Strategic and
International Studies’ Commission on Cyberssecurity for the 44th
Presidency and the 2010 book Cyber War by former presidential
cybersecurity advisor Richard Clarke and Council on Foreign Relations
fellow Richard Knake rely more on innuendo than fact – portraying the U.S. as defenseless,
painting worst case scenarios about the real world fallout of a
successful cyber attack and insinuating about shadowy “planned attacks”
on U.S. infrastructure and ongoing actions
to create the impression of a pressing crisis. The prescription, in
both cases, is more regulation of the Internet” – a step the reports
authors say is hardly justified by the evidence.

The report is no
kinder to the media, which it accuses of accepting the dark picture
painted by Clarke, the CSIS at face value. Indeed, leading outlets like
The New York Times and Wall Street Journal have trumpeted defense
industry and Beltway claims of dire breaches without requiring named
sources for any of the information. The authors take particular umbrage
with the Wall Street Journal, where reporter Siobhan Gorman rang up a
series of cybersecurity scoops about breaches of classified netowrks,
all sourced to unnamed “current and former government officials.”

While
subsequent reporting contradicted some of the claims of the Journal
reports, “without any official statement on the matter, the result of
these reports can well be to raise public alarm without offering a clear
sense of the scope or magnitude of the threat,” the report concludes.

Finally,
the authors warn of the emergence of a “cyber industrial complex,” akin
to the military industrial complex that grew up in response to the
demands of the Cold War. Firms like McAfee, Symantec, Checkpoint and
traditional defense contractors are now positioning themselves to take
advantage of increased spending oncybersecurity, in an environment of
overall cuts to defense spending – competing against the likes of
Lockheed  Martin, Boeing, SAIC and Northrop Grumman, the authors said.

The
proposals to secure cyberspace: recommendations for closer monitoring
of Internet traffic by telecommunications and the government, changes to
core Internet protocols that would make it easier to identify the
source of attacks and those behind them. The premise of these programs:
that there is a “market failure,” and that private sector remedies are
inadequate to the cyber threat are only tenuously supported by tangible
evidence – if at all, they say.

Before creating new policies in
response to poorly scoped cyber threats, the authors recommend that
policy makers in the U.S. abandon the heated cyberwar rehtoric and
declassify information related to cyber threats so that the public can
properly sort out the true nature of the threat and the ways in which
new policies, laws and expenditures of tax dollars might best address
them.

Suggested articles

plugX malware loader TA416

TA416 APT Rebounds With New PlugX Malware Variant

The TA416 APT has returned in spear phishing attacks against a range of victims – from the Vatican to diplomats in Africa – with a new Golang version of its PlugX malware loader.

Discussion

  • duurrk on

    Certainly, there could be more information released for events like these, but not all breaches are business of the entire public. Generally, it remains many of these organizations' jobs to defend their networks and report what they must, and it is not to be the teachers of lessons learned. Sharing the wealth of information found through these experiences is always more beneficial to the security community, but it isn't at the top of everyone's list of priorities after a compromise.

    The speculation of threat inflation seems amiss when considering any of the corporate and government threats over even just the past year. Clearly, there is always a threat so long as a host can reach the cloud. When news is heard of networks of the vigilant and watchful being compromised (such as the recent Sony attack), it confirms that. And attacker groups like Anonymous have reiterated the point that only a fool should believe his network is invulnerable.

    Defense spending, whether corporate or government, should be justified by not only that organization’s direct threat, but also by the always-changing, infinite persistent threat.

  • anonymous on

    The last thing that should be done is declassifying critical information about cyber defensive and cyber offensive architecture. What could be more obvious? With clear reports of the buildup of the Chinese military spending on cyber warfare and hacking into DoD computers, the Pentagon, the VA, most major defense subcontractors and now Sony Playstations (70 million), it is clear we have a cyber war between computers and networks. When it reaches embedded devices of human beings, the cyberwarfare debate will be absolutely clear to the victims.

    Policy and rhetoric will not do one single thing to stop the complete disarmament of the United States cyber defenses and mandatory privacy of personal identifying information. Only a clear domestic manufacturing policy (with funding) of hardware and software standards will solve this major threat.

     

    The main reasons we are in this situation are 5:

     

    1) The US lost it's lead in consumer electronics, HDTV and the industry to Asia during the 80's due to Chicago politics and very wrong trade agreements, such as trading cigarettes for HDTV. We are now dependent on Asian manufacturers for hardware. Their intentions were known and ignored: ("The Japan that can say no" and "The Technopolis Strategy", DoD reports of 2005 and 2008 concerning China and Cyberwarfare.)

    2) Software "sharing" began information sharing and the perception that taking people's private documents and ideas was allowed. The IP of tech entrepreneurs, especially, who have no recourse to protect themselves. (They could never put up the bond money to enforce patents and agreements.) During the 80's, the US lost then, the jobs we do not have now. The loss of the rest of the information, now on data bases somewhere else, means dire circumstances for future jobs.

    3) Anonymity on the Internet was a disaster waiting to happen. It never was about protecting privacy. That is done by design. Anonymity was designed to provide cover for criminals and it has done so very well. An anonymous criminal has anonymous victims and there is no justice. There are ways to protect identity. Let's use them. Facebook is the most obvious example.

    4) The disaster policy of the Bush era e-initiative, which gave everyone access to the Gov servers and the DoD "sharing arrangement" with so-called friendly nations. As we now know, our friends change like the seasons.

    5) Vice President Cheney forgiving the Texas conviction of Sony for putting spyware on BluRay disks and then using it for DoD classified uses. He later went into business with Sony and the UAE, by the way. This set a precedence that building in spyware on disks, chips and set top boxes could not be prosecuted if there were politicians powerful enough to help them out for a business deal.

     

    6) Policy, Legal and Financial persons trying to make decisions for technical people. They have absolutely no idea what it means in words, let alone what it means in action. Johnson had that right with the laws he put in place and which have been largely ignored in favor of a "where's the money for our huge outdated military subcontractor force", types.

    At this very moment rules are being decided about the standards and rulemaking for brain computer interfaces, BCI. It is not just about forensics. Advertisers are not confused. They are aggressively pursuing neuromarketing agendas, like a Slate article about "taking a vacation in the minds of new born infants" a couple of years ago. (Sorry, no time to go find urls.)

    They failed to mention that this would be two way interactive with the baby, and which would probably be life threatening.

    It is time to see the writing on the wall and face reality about virtual reality...it is not going to be a pleasant experience. It is going to be an enslaved experience unless a major effort is made to overcome the threats and secure the networks.

    Ignoring threats until they happen, unfortunately, is a mistake we make over and over again. We cannot afford it this time in terms of our freedom, our jobs, our people, and perhaps our very sovereignty. We probably cannot afford it financially either with all those "black gloved hands in the pie". (In advance, this is not about skin color).

    We must fight against the delay tactics.

  • Anonymous on

    Can anyone see the noose tightening ever smaller, there are 1000+ deceptions carried out by thinking people, who...apparently, don't care as long as they have a paycheck coming in from the NWO.  It is NOT a conspiracy....just...Business as usual.!!  There doing the same thing to the US Dollar at the "Private" Federal reserve.  The NWO elitists are so bold now, that they allow Ron Paul to Chair the senate finance committee to oversee the Federal Reserve. Wow!!  America is a guted corpse of it's former self, having served it's purpose...will now be allowed to die.  and the same for the 360 million citizens.  A similar story is told in Russia, Britain, and EU countries. China has it's own demon's as well,namely...it's population size.!!  Not long before China goes down , when no consumers are buying around the world.  

    NWO consolidation is coming to a climax, cyber war is like...any other deception, the ruling  oligarchy pushes any button to futher their cause.

    Wake up,Get a macro on life people.

     

     

     

     

  • Emily on

    Why else would government cry wolf about cyber threat?  What if they could blame a monumental economy-busting attack that emptied the coffers of its pet banks on the cybercriminals of some other set of nations? - and handle the missing moneys like they handled the auto dealers in the 'cash for clunkers' program?  This is why this ole lady has no bank info online - none!  This is why this ole lady, when she has something she is doing on a computer that she doesn't want disturbed ... does it on a computer that is not attached to the internet.

     

  • Anonymous on

    "No one wants a  “cyber Katrina” or  a “digital Pearl Harbor.” But honestly assessing cyber threats and appropriate responses  does not mean that we have to learn to stop worrying and love the cyber bomb"

     

    The bomb went off in 2007, it's been detonating everywhere since, most of these "events" do happen and are never disclosed for confidentiality and risk reasons. Simply put, pay attention to your risks, but be aware, the digital threats that are posed to us are advancing in capability, skill and output every day. For every threat that is shut down, another more improved threat surfaces. 

    The Cyberbomb will always evolve, the reality is, a poignant and informed perspective is better than a muted one, given the evolution of social technologies, and the connectedness of our environments it stands to reason that if we ignore threat implications too much we will have a digital <insert epic sounding war event here> and it will likely be an unintentional effect of a sinister and well developed application.

    As with everything it requires some thought into how you approach the problem, but make no mistake we have increasing complexity in the problems we face today and the choice of complacency or a relaxed approach given the speed of advancing development is not one we can afford to make.

    I'd rather be oversecured and overbudget, then lose my pension, stocks, funds, investments, to a data breach that could likely have been prevented.

  • Anonymous on

    Another war on drugs, terrorism and on the middleclass wallet! The only things that government can do is besides creating wars is to throw money at a problem.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.