When Hype is the Threat Part 2



Recently, Jim Harper, Director of Information Policy Studies at the CATO Institute, stated that “both cyber terrorism and cyber warfare are concepts that are gross exaggerations of what’s possible through Internet attacks,” and it rubbed some the wrong way. But the overall point he was making is somewhat lost when focusing on this quote alone. He also said:

the real problems are those worms, those scripts, those denial of service attacks … they are serious and we have to take care of them, but there isn’t a strategic advantage to be gained by cyberwarfare… we can be inconvenienced, it can be costly, so we do have to secure ourselves, but we are not going to be at cyberwar and we are not going to suffer cyberterrorism.

He’s not suggesting that there aren’t real threats, just that the conceptual vehicles of cyberterrorism and cyberwar might not be that helpful. I’d suggest it is somewhat akin to the simple metaphors of “War on X,” such as “War on Drugs” and “GWOT,” that are used to invoke responses such as fear and suggest courses of action that would otherwise be reserved for a state of emergency such as, well, war. Even GWOT has now been replaced with “Overseas Contingency Operation.”

But there is more. In “The War Metaphor in Public Policy” James Childress states:

We have to ask of each use of war as a metaphor: Does it generate insights or does it obscure what is going on and what should be done?

The metaphor of cyberwar invites us to find cases of intrusions and disruptions and layer on political context and significance, which usually takes the form of “what if the (Russians|Chinese|terrorists) did it?” I believe that this leads us to inaccurately assess the nature of the threats we aim to counter. In a classic 1997 case, a teenager in the U.S. disabled “vital services” to a Worcester, MA air traffic control tower for 6 hours. Telephone service was disrupted, as was a “circuit which enables aircraft to send an electric signal to activate the runway lights on approach.”

The “TRADOC G2 Handbook No 1 02 – Cyber Operations and Cyber Terrorism” uses this example in an attempt to illustrate the potential of cyber-terrorism. But left out of the document and analysis is the reason this attack succeeded and how it could be defended.

How did this happen?

[T]he loop carrier systems operated by the telephone company were accessible from a personal computer’s modem. This accessibility was maintained so that telephone company technicians could change and repair the service provided to customers by these loop carrier systems quickly and efficiently from remote computers.

Bell Atlantic left access to a “critical” system wide open. Instead of being reprimanded, they were congratulated:

Our critical infrastructure is safer because of Bell Atlantic’s intolerance of the intrusions it discovered into its network.

Focusing on “what if it was cyberterrorism” often leads us to ignore the source of the vulnerability in the first place. Attention is placed on the hypothetical rather than the real threat. And the recommended responses become disproportionate to the threat.

This, of course, doesn’t mean that there are not serious security concerns with the FAA and air traffic control. A recent presentation at Defcon explored the vulnerabilities of the air traffic control system, and even the U.S. government has acknowledged such issues. A report by the Department of Transportation’s Inspector General documents a variety of attacks against and vulnerabilities in the FAA’s air traffic control system.

During an audit, KPMG found vulnerabilities in various web applications that would have allowed attackers to access the data stored on those computers, and as a result “internal FAA users (emphasis added) (employees, contractors, industry partners, etc.) could gain unauthorized access to ATC systems.” Successful attacks have also taken place. In 2006 the FAA shut down a “portion of its ATC systems in Alaska” due to a “viral attack,” and in 2008 FAA computers, again in Alaska, were compromised and 40,000 usernames and passwords were stolen. In 2009 “an FAA public-facing Web application computer” was compromised, leading to the theft of “PII on 48,000 current and former FAA employees.”

So how did the Washington Post report this?

Tom Kellermann, a vice president at Core Security Technologies, a cybersecurity company, likened the threats cited by the report to the television show “24” in which terrorists hack into and commandeer the FAA’s air-traffic control system to crash planes. “The integrity of the data on which ground control is relying can be manipulated, much as seen in ‘24,’” he said.

But what the report actually found was:

(1) Web applications were not adequately configured to prevent unauthorized access and (2) Web application software with known vulnerabilities was not corrected in a timely manner by installing readily available security software patches released to the public by software vendors.

Basic security.

War, Childress argues, is “exceptional activity that can be justified only under exceptional circumstances and, even then, should be fought within appropriate moral limits.” He suggests that when we use the imagery of war to illuminate policy debates “we often forget the moral reality of war”:

Among other lapses, we forget important moral limits in real war—both limited objectives and limited means. In short, we forget the just-war tradition, with its moral conditions for resorting to and waging war. We are tempted by seedy realism, with its doctrine that might makes right, or we are tempted by an equally dangerous mentality of crusade or holy war, with its doctrine that right makes might of any kind acceptable. In either case, we neglect such constraints as right intention, discrimination, and proportionality, which protect the humanity of all parties in war.

Instead of focusing on securing networks (boring), the emphasis moves to counterattack (sexy).

In response to the recent DDoS attacks aimed at several South Korean and U.S. government websites, Rep. Peter Hoekstra (R-Mich) suggested that there should be retaliation against North Korea, even though most experts believe that there is no connection between North Korea and the DDoS attacks. This line of thought is actually fairly well developed. In “Carpet bombing in cyberspace” Col. Charles Williamson argued that:

America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic.

Luckily, this is generally seen as a bad idea. A recent NY Times article investigates some of the restraints on the use of cyber attacks due to the collateral damage they produce as well as the unintended consequences.

2 comments.

  1. Great posts. I’m just rebooting the Committee to Protect Bloggers website and while searching the web for like minds and related info I came across your blog. If you’re interested in blogging on the committee site, drop me a line.

    Cheers.

  2. […] When Hype is the Threat, Pt.2 – Nart Villeneuve […]
