making Rumsfeld look like a techie by comparison

If there’s one flavor of reporting I find more irritating than innumerate science “journalism”, it’s got to be the cybersecurity beat. This morning NPR was the offender.

I should admit up front that I automatically assume that anyone employing the prefix “cyber” is an idiot, and this unfortunately means that I’m inclined toward skepticism even when listening to actual experts in the field. But this NPR piece is symptomatic of a undeniably idiotic tendency to lump together every governmental system that takes electricity, then assume that summarizing the first twenty minutes of Transformers and asking “WHAT IF?!” qualifies you as some sort of digital Cassandra.

The piece starts out by discussing Russian vandals’ successful efforts to screw with the Georgian government’s website — something that can be plausibly done by a disaffected teenager — then jumps rapidly to “monkey[ing] with GPS” which involves, you know, satellites, or at least skill at building, concealing and fortifying radio transmitters; and, if anything other than a braindead denial of service, would also require the discovery of a novel attack on the system’s design. These things are much harder than checking to see if the recently-launched website of a small ex-Soviet country is running slightly outdated software that someone else has written an exploit for.

Of course, the U.S. military is planning its own cyberattacks. Pentagon cyberwarriors have detailed plans to take down power, telecommunication and transportation systems just about anywhere.

There is just one problem: What if the other side strikes first? In cyberwar scenarios, pre-emptive attacks are favored, and effective retaliation can be difficult.

“We have extremely good cyberoffensive capabilities and almost nothing in the way of cyberdefense,” Clarke says.

WHAT DOES THIS MEAN? Disrupting the operation of a website is very different from disrupting the operation of the internet, which is very different from interfering with military communication systems, which is very different from interfering with military battlefield communication systems, which is very different from being susceptible to the interception of digital communications. But all of these things are just jammed together, mindlessly.

What kinds of electronic attack are possible? To what extent are our defense systems susceptible to them — in particular, are those systems at all tangled up with the internet? If not, what economic consequences could plausibly be inflicted on our country by disruption of the internet, and how do they compare to the historical example of, say, a blockade? If an online attack originates from overseas, what countermeasures are available? And do we have a protocol in place with the major backbone operators to implement them?

None of these questions are asked or answered. Blah blah blah cyber. That’s it, over and over. This is a multi-part series, so perhaps future installments will resolve this problem. But so far NPR’s approach is just to quote a bunch of people in the cyberwar pontification business making ominous intonations about our need to take cyberwar more seriously (i.e. spend more money on people like themselves).

Then there’s this:

For a country whose economy operates largely in cyberspace and whose military pioneered Net-centric warfare, this is a serious failing.

This author pretty clearly has no idea what Net-centric warfare is supposed to mean — it’s just used a nice lexical break from those relentless “cyber”s. Here, have a CRS report. Yeesh.

9 Responses to “making Rumsfeld look like a techie by comparison”

  1. Emily

    I think the better analogy is “the first twenty minutes of Live Free or Die Hard.”

  2. Dear Journalists: There Is No Cyberwar

    [...] on around the country, anywhere there are kids and spray paint. Thankfully, Tom Lee has written a scathing critique of dumb journalistic coverage of this whole “cyberwar” crap: The piece starts out by discussing Russian [...]

  3. Dear Journalists: There Is No Cyberwar | It's... just a dot

    [...] on around the country, anywhere there are kids and spray paint. Thankfully, Tom Lee has written a scathing critique of dumb journalistic coverage of this whole "cyberwar" crap: The piece starts out by discussing Russian vandals' successful [...]

  4. Eliza Hile

    This post is going into my bookmarks.

  5. Annoyed

    Mayhaps if you did your research you would know what types of attacks are possible? Why bother dismissing it, and asking questions of the experts that you obviously haven’t gone out to look for yourself, which doesn’t make you look smart, just makes you look grumpy?

    Anyways, do some research on SCADA attacks, specifically look into Idaho National Labs work, as well as the work of IOActive (see their black hat talk). Some time ago, Brazil had their SCADA networks taken down by hackers (http://hardware.slashdot.org/story/09/11/11/1426256/How-Vulnerable-Is-emOurem-Power-Grid?from=rss) begging the question about ours, but in reality, there was a thirteen hour brownout on the eastern seaboard some years ago, supposedly caused by SCADA hackers (although I have no link at this time).

    Look, I get it, I hate the FUD, too. Obviously NPR is not the source to go to for security research and news and this Clarke guy who thinks the NSA has good offensive skills sounds like an absolute douche (they probably run Nessus and call it a day), but end of the day, doesn’t mean you can blow off the risk.

    Or do, I don’t care, the Internet is sheep and wolves… you’re one, or you’re the other, no gray area.

  6. larry seltzer

    Annoyed has a point, but even the SCADA stuff is full of conjecture and a mindset that says you have to worry about it because you can’t prove it can’t be done.

    And he’s right that Clarke is a total douche, but Clarke was on the NSA. He’s the one who told George Bush a few months before 9/11 that Bin Laden was determined to attack the US, but gave no information you could do anything with. He got a lot of airtime during the 9/11 commission hearings and wrote a book or two on it.

  7. Tom

    You know, even your own link acknowledges that the Brazilian SCADA hack wasn’t a SCADA hack. But that’s nitpicking. I agree that these systems will get more and more wired, and securing them should be a priority But frankly, this is not that tall of an order: we’re talking about network segments that are not on the public internet. Secure the facilities, add some firewalls to make mitigating a DoS/DoC possible, and pipe your hilariously insecure legacy protocol over a tunnel or something. The Idaho lab does just this sort of work, and, surprise surprise, IOActive makes a living selling these services.

    So look, I’m not arguing that networks don’t need to be secured. What I am saying is that “cyberwar” is a useless way of talking about these problems. Imagine if a reporter wrote a story about our national military readiness, but didn’t mention any of the service branches, any weapon systems, any potential adversaries, or the relative feasibility of any of the threat scenarios under discussion (but oh, are they discussed — they’re terrifying!). Instead, he only talks about “offense” and “defense”, and how some people warn that we don’t have enough of them.

    And I have to say, your “sheep and wolves” line sounds like the type of thing a 14 year-old script kiddie would say after reading Neuromancer & Nietzsche. This vision of a sinister undernetwork where awesome cyberwizards do awesome cyberbattle — so awesome that shit starts blowing up in the real world (awesomely)! — is a juvenile romanticization of danger that’s simultaneously silly, dangerous and seemingly pervasive enough to drive much of the thinking about electronic threats to our society.

    It’s idiotic. Enough cyber. Let’s talk about specific systems. You want to secure SCADA systems? Fine, let’s talk about securing SCADA. Flailing our arms and screaming and having a grand cyber-freakout — as that NPR piece, and virtually all “cyberwarfare” discussions seem intent on doing — is useless.

  8. Annoyed

    Your characterization of my “sheep and wolves” comment as the fantasy of a 14 year-old script kiddie would say after reading Neuromancer & Nietzsche is hilarious, but it doesn’t reduce the point, it is the way it is and the amount of systems getting compromised simply proves that. Personally, I can’t stand Nietzsche’s work, or the postmodernists & existentialists work thereafter.

    I think you belittle the point of security networks and systems… look, flat out, it’s 2010, we’ve been TRYING to secure our networks for how long now? How many companies are still getting hacked? Just a year ago I did a SCADA pentest for a company and found multiple external paths to that network, so yeah, they don’t get it, it’s as simple as that.

    I don’t necessarily agree that cyberwar is a useless way of talking about these problems. It’s only FUD if it’s definitely FUD, and I don’t think the concept of cyberwar is as far fetched as you’d like to make it (although I also hate the word cyber). Going forward, let’s consider it as the concept of “total war”, ie, meeting the enemy on any front that gains you advantage, as in, why would China attack us with planes when they’d clearly lose?

    Raising awareness isn’t useless if it’s focused on achieving a resolution to a problem.

  9. Media indifference – The myth of a free press « Radioactive Gavin is Out of Print

    [...] NPR is making Rumsfeld look like a techie by comparison [...]

Leave a Reply