I think you belittle the point of security networks and systems… look, flat out, it’s 2010, we’ve been TRYING to secure our networks for how long now? How many companies are still getting hacked? Just a year ago I did a SCADA pentest for a company and found multiple external paths to that network, so yeah, they don’t get it, it’s as simple as that.

I don’t necessarily agree that cyberwar is a useless way of talking about these problems. It’s only FUD if it’s definitely FUD, and I don’t think the concept of cyberwar is as far fetched as you’d like to make it (although I also hate the word cyber). Going forward, let’s consider it as the concept of “total war”, ie, meeting the enemy on any front that gains you advantage, as in, why would China attack us with planes when they’d clearly lose?

Raising awareness isn’t useless if it’s focused on achieving a resolution to a problem.

So look, I’m not arguing that networks don’t need to be secured. What I am saying is that “cyberwar” is a useless way of talking about these problems. Imagine if a reporter wrote a story about our national military readiness, but didn’t mention any of the service branches, any weapon systems, any potential adversaries, or the relative feasibility of any of the threat scenarios under discussion (but oh, are they discussed — they’re terrifying!). Instead, he only talks about “offense” and “defense”, and how some people warn that we don’t have enough of them.

And I have to say, your “sheep and wolves” line sounds like the type of thing a 14 year-old script kiddie would say after reading Neuromancer & Nietzsche. This vision of a sinister undernetwork where awesome cyberwizards do awesome cyberbattle — so awesome that shit starts blowing up in the real world (awesomely)! — is a juvenile romanticization of danger that’s simultaneously silly, dangerous and seemingly pervasive enough to drive much of the thinking about electronic threats to our society.

It’s idiotic. Enough cyber. Let’s talk about specific systems. You want to secure SCADA systems? Fine, let’s talk about securing SCADA. Flailing our arms and screaming and having a grand cyber-freakout — as that NPR piece, and virtually all “cyberwarfare” discussions seem intent on doing — is useless.

And he’s right that Clarke is a total douche, but Clarke was on the NSA. He’s the one who told George Bush a few months before 9/11 that Bin Laden was determined to attack the US, but gave no information you could do anything with. He got a lot of airtime during the 9/11 commission hearings and wrote a book or two on it.

Anyways, do some research on SCADA attacks, specifically look into Idaho National Labs work, as well as the work of IOActive (see their black hat talk). Some time ago, Brazil had their SCADA networks taken down by hackers (http://hardware.slashdot.org/story/09/11/11/1426256/How-Vulnerable-Is-emOurem-Power-Grid?from=rss) begging the question about ours, but in reality, there was a thirteen hour brownout on the eastern seaboard some years ago, supposedly caused by SCADA hackers (although I have no link at this time).

Look, I get it, I hate the FUD, too. Obviously NPR is not the source to go to for security research and news and this Clarke guy who thinks the NSA has good offensive skills sounds like an absolute douche (they probably run Nessus and call it a day), but end of the day, doesn’t mean you can blow off the risk.

Or do, I don’t care, the Internet is sheep and wolves… you’re one, or you’re the other, no gray area.