The Great Cyberscare

The White House likes a bit of threat. In his State of the Union address, Barack Obama wanted to nudge Congress yet again into passing meaningful legislation. The president emphasized that America’s enemies are "seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems." After two failed attempts to pass a cybersecurity act in the past two years, he added swiftly: "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy." Fair enough. A bit of threat to prompt needed action is one thing. Fear-mongering is something else: counterproductive. Yet too many a participant in the cybersecurity debate reckons that puffery pays off.

The Pentagon, no doubt, is the master of razzmatazz. Leon Panetta set the tone by warning again and again of an impending "cyber Pearl Harbor." Just before he left the Pentagon, the Defense Science Board delivered a remarkable report, Resilient Military Systems and the Advanced Cyber Threat. The paper seemed obsessed with making yet more drastic historical comparisons: "The cyber threat is serious," the task force wrote, "with potential consequences similar to the nuclear threat of the Cold War." The manifestations of an all-out nuclear war would be different from cyberattack, the Pentagon scientists helpfully acknowledged. But then they added, gravely, that "in the end, the existential impact on the United States is the same."

A reminder is in order: The world has yet to witness a single casualty, let alone fatality, as a result of a computer attack. Such statements are a plain insult to survivors of Hiroshima. Some sections of the Pentagon document offer such eye-wateringly shoddy analysis that they would not have passed as an MA dissertation in a self-respecting political science department. But in the current debate it seemed to make sense. After all a bit of fear helps to claim — or keep — scarce resources when austerity and cutting seems out-of-control. The report recommended allocating the stout sum of $2.5 billion for its top two priorities alone, protecting nuclear weapons against cyberattacks and determining the mix of weapons necessary to punish all-out cyber-aggressors.

Then there are private computer security companies. Such firms, naturally, are keen to pocket some of the government’s money earmarked for cybersecurity. And hype is the means to that end. Mandiant’s much-noted report linking a coordinated and coherent campaign of espionage attacks dubbed Advanced Persistent Threat 1, or "APT1," to a unit of the Chinese military is a case in point: The firm offered far more details on attributing attacks to the Chinese than the intelligence community has ever done, and the company should be commended for making the report public. But instead of using cocky and over-confident language, Mandiant’s analysts should have used Words of Estimative Probability, as professional intelligence analysts would have done.

An example is the report’s conclusion, which describes APT1’s work: "Although they control systems in dozens of countries, their attacks originate from four large networks in Shanghai — two of which are allocated directly to the Pudong New Area," the report found. Unit 61398 of the People’s Liberation Army is also in Pudong. Therefore, Mandiant’s computer security specialists concluded, the two were identical: "Given the mission, resourcing, and location of PLA Unit 61398, we conclude that PLA Unit 61398 is APT1." But the report conspicuously does not mention that Pudong is not a small neighborhood ("right outside of Unit 61398’s gates") but in fact a vast city landscape twice the size of Chicago. Mandiant’s report was useful and many attacks indeed originate in China. But the company should have been more careful in its overall assessment of the available evidence, as the computer security expert Jeffrey Carr and others have pointed out. The firm made it too easy for Beijing to dismiss the report. My class in cybersecurity at King’s College London started poking holes into the report after 15 minutes of red-teaming it — the New York Times didn’t.

Which leads to the next point: The media want to sell copy through threat inflation. "In Cyberspace, New Cold War," the headline writers at the Times intoned in late February. "The U.S. is not ready for a cyberwar," shrieked the Washington Post earlier this week. Instead of calling out the above-mentioned Pentagon report, the paper actually published two supportive articles on it and pointed out that a major offensive cyber capability now seemed essential "in a world awash in cyber-espionage, theft and disruption." The Post should have reminded its readers that the only military-style cyberattack that has actually created physical damage — Stuxnet — was actually executed by the United States government. The Times, likewise, should have asked tough questions and pointed to some of the evidential problems in the Mandiant report; instead, it published what appeared like an elegant press release for the firm. On issues of cybersecurity, the nation’s fiercest watchdogs too often look like hand-tame puppies eager to lap up stories from private firms as well as anonymous sources in the security establishment.

Finally, the intelligence community tags along with the hype because the NSA and CIA are still traumatized by missing 9/11. Missing a "cyber 9/11" would be truly catastrophic for America’s spies, so erring on the side of caution seems the rational choice. Yes, Director of National Intelligence James Clapper’s recent testimony was more nuanced than reported and toned down the threat of a very serious cyberattack. But at the same time America’s top spies are not as forthcoming with more detailed information as they could be. We know that the intelligence community, especially in the United States, has far better information, better sources, better expertise, and better analysts than private companies like Symantec, McAfee, and Kaspersky Lab. But for a number of reasons they keep their findings and their analysis classified. This means that the quality of the public debate suffers, as experts as well as journalists have no choice but to rely on industry reports of sometimes questionable quality or anonymous informants whose veracity is hard to assess.

The tragedy is that Obama actually has it right: Something needs to be done, urgently. But Washington’s high-octane mix of profiteering, protectiveness, and politics is sadly counterproductive for four reasons:

First, the hype actually makes it harder to focus on crucial engineering details. Security standards in industrial control systems and SCADA networks — the networks that control stuff that physically moves around, from trains to gas to elevators — are shockingly low. The so-called Programmable Logic Controllers widely used in critical infrastructure are designed to be safe and reliable in tough factory-floor conditions and harsh weather, not secure against outside attack. This year’s S4-conference in Miami Beach, organized by the small and specialized security outfit Digital Bond, again showcased how vulnerable these systems are. But Washington is too busy screaming havoc and too ill-informed to do something meaningful about concrete engineering issues. Just sharing information, as the inspector general of the Department of Homeland Security recommended in a report last month, is useful but it will not deliver security. Connecting critical infrastructure that was never designed to be linked to the Internet is also not the root of the problem — the built-in security flaws and fragility of these systems needs to be fixed, as Digital Bond’s Dale Peterson pointed out last week in response to the timid DHS report. The political dynamic behind this logic is clear: The more is declared critical, the harder it becomes to act on the really critical.

Second, the hype clouds badly needed visibility. A fascinating project at Free University Berlin has produced a vulnerability map. The map uses publicly available data from Shodan, the Google for control system hackers, and adds a layer of information crawled from the web to geo-locate the systems that often should not be connected to the Internet in the first place. Red dots on the map show those systems. The United States looks as if it has the measles. But note that the map is incomplete: It is biased towards German products, the project’s founder told me. If that flaw can be fixed, the United States and other countries would look as bloody red as Germany does already. The U.S. government’s attention-absorbing emphasis on offensive capabilities means it has very little visibility into what this vulnerability map would actually look like.

Third, sabotage and espionage are rather different things — technically as well as politically. SCADA systems are highly specific kit, often old and patched together over years, if not decades. That means these systems are highly specific targets, not generic ones. Affecting critical operations requires reprogramming these systems, not just disrupting them; the goal is modifying output parameters in a subtle way that serves the saboteur’s purpose. With Stuxnet, the U.S. government provided the — so far — most extreme and best-documented case study. The operation showed that successful sabotage that goes beyond just deleting data is far more difficult than successful espionage: It requires testing and fine-tuning an attack over many iterations in a lab environment, as well as acquiring highly specific and hard-to-get target intelligence. Stealing large volumes of intellectual property from a commercial competitor, by contrast, is a technically rather different operation — there is little to no valuable IP hidden inside control systems. To put it bluntly: China and others have a high commercial incentive to steal stuff, but they have no commercial incentive to break stuff. All threats are not created equal. What’s needed is nuance, surgical precision, differentiation, and sober analysis — not funk, flap, and fluster.

Finally, hype favors the offense over the defense. The offense is already sexier than the defense. Many software engineers who consider a career in public administration want to head north to the dark cubicle at Fort Meade, not bore themselves in the Department of Homeland Security — if they are not working happily in the Googleplex on bouncing rubber balls already. If the NSA sucks up most of the available talent and skill and puts it to work on the offense, the defense will continue to suffer. By overstating the threat, and by lumping separate issues into one big bad problem, the administration also inadvertently increases the resistance of powerful business interests against a regulatory over-reaction.

As President Obama mentioned in his State of the Union address, if we look back years from now and wonder why we did nothing in the face of real threats, the answer may be straightforward: too much bark, not enough bite.