The BBC recently published two articles (to coincide with a radio documentary) pushing the theme of the dangers inherent in the cyber realm. The first, by Katia Moskvitch, lists the five ‘biggest threats’ in an interview with the Chief Executive of the Russian anti-virus firm Kaspersky Lab, Eugene Kaspersky.
The second article, by Michael Gallagher, looks at intentional government-sponsored cyber-meddling and how this may define the “blitzkrieg of the future.”
These two articles are classic cases of cyber alarmism (hyping the threat and constantly playing on worst-case scenarios), use the metaphorical meaning of the word ‘war’ to death, and miss the most important characteristic of activities in cyberspace: the difficulty of attribution.
I wish to clear up some of the points made and language used – public debate and government policies are increasingly confused, and conflate many different phenomena in the cyber realm under such terms as ‘cyber war’.
According to Kaspersky, the Stuxnet virus which sabotaged Iranian uranium enrichment centrifuges in 2010 is “exactly” what cyber warfare will be about in future. “Entire nations could be plunged into darkness if cyber-criminals decided to target power plants. And there is nothing – nothing – anyone could do about it.”
Kaspersky has conflated many different phenomena into one vague doom-saying statement. Putting aside the discussion over cyber ‘war’ for later, offensive operations in cyberspace can vary greatly and go well beyond just inserting a clever virus. Stuxnet is one kind of cyber sabotage, designed to attack very specific equipment without affecting (after infecting) every computer system it touches.
Distributed Denial of Service (DDoS) activities are another kind, well known due to extensive media coverage and their use against Estonian and Georgian websites in 2007 and 2008 respectively. Subtler offensive operations can use the enemy’s information infrastructure to produce certain results (for example, by turning the heating up in the Wall Street Stock Exchange so that the computers fail to function and normal trading is disrupted). Stuxnet is not the be-all and end-all of offensive cyber operations. These are a few, not all, of the possibilities within what is known in the field as ‘strategic information warfare’.
It is particularly odd that Kaspersky claims that no-one could do anything about cyber-sabotage (as that is what disrupting/disabling infrastructure is, short of a physical military offensive). Protecting computer systems is Kaspersky’s business. Is his entire industry impotent and taking anti-virus subscription money for nothing?
I do not think so. The global computer anti-virus industry is incredibly robust, in both financial and capability terms. Governments more often than not depend on companies like Symantec, and others, to provide the latest intelligence on new virus forms and patterns, as their anti-virus software is constantly being tested by hackers and coders across the globe. Iran’s Stuxnet incident proves this point – Iran effectively crowd-sourced solutions to Stuxnet, and international antivirus companies were eager to deal with it as it had infected tens of thousands of computers globally.
Computer viruses only work where there are weaknesses – once a virus is out, work begins immediately by the private anti-virus industry (and government agencies if they are targeted) to create patches to provide immunity. Therefore, an incident like Stuxnet may not be repeated, at least by using the same software method.
And if claims over its complexity are to be believed, it may take some time to develop another virus to achieve similar results. Developing ‘immunities’ to computer viruses is something that is often overlooked and leads to cyber alarmism – this is exactly what happens in Gallagher’s article:
"The attack vectors and exploits used by Stuxnet - they can be copied and re-used reliably against completely different targets. Until a year ago no one was aware of such an aggressive and sophisticated threat. With Stuxnet that has changed. It is on the table. The technology is out there on the internet."
The Stuxnet virus is out there – but so is the anti-virus software. Also, the vulnerability of energy grids is only assumed in most media (and academic) accounts. If it was so inherently difficult and complex to create a virus such as Stuxnet, which only disrupted, and didn’t stop, the Iranian nuclear enrichment efforts, wouldn’t crippling a complex energy grid be more of a challenge?
Kaspersky believes that social media can be used for all sorts of organisational purposes. He believes that some organisers in the Arab Spring were based outside of the countries involved. He may be right, he may not be. Either way, it is irrelevant to understanding ‘threats’ from cyberspace.
Crime in cyberspace is indeed a problem; I do not dispute that. However, there is yet an element of alarmism with Moskvitch: “No computer is safe from viruses. Every day, cyber criminals are infecting thousands of machines around the world.” But the world continues to function.
This is a valid concern by Kaspersky – any prolific users of the internet struggle to avoid handing over information to companies on the internet. Recent UK government attempts to allow Government Communications Headquarters (GCHQ) to access private telecommunications information are a case in point.
However, as with all information, it is usually a two-way street. The proliferation of information and connectedness has made it much harder for governments to control information in the hands of the citizens – cracks in the Great Firewall of China are old news.
Another thing that is old news is the fear of an erosion of privacy. Bureaucratic capabilities from the nineteenth century in the UK could reach a new level of information about citizens. Concerns about the government (mis)using this kind of data are not new.
Furthermore, if one is concerned about a police state, one needn’t have the internet to construct one. The answer, as usual, lies in politics – not technology. Removing personal data on the internet, or any government bureaucracy, does not make the government less likely to be autocratic.
The second article, by Michael Gallagher, mentions DDoS attacks, industrial sabotage, and the future connectedness of everyday devices to the internet.
For him, DDoS attacks and industrial sabotage come under the terms of ‘cyber war’, and the US military and its allies have ‘cyber warriors’ to perform cyber ‘attacks’. The connectedness of everyday devices in future serves to dramatise the point Gallagher tries to make about how dastardly an enemy would be if s/he, with envious eyes, could turn our refrigerators against us.
Cyber ‘war’ will not happen – but cyber espionage, subversion and sabotage may not have much of a future either. Understanding the limits of using the cyber realm from the point of view of governments trying to control and actual war hopefully puts a wet blanket on cyber alarmists.
We’d sooner need Bruce Willis to save us from a meteorite impact than a crippling nationwide cyber sabotage.
Bleddyn Bowen is a postgraduate student at the University of Aberystwyth's School of International Politics