June 03, 2011

Declaration of Cyberwar - emerging hype cycle or growing nightmare?

Just when you thought it couldn't get any worse for infosec, there's more bad news on the horizon.

WASHINGTON—The Pentagon has concluded that computer sabotage coming from another country can constitute an act of war, a finding that for the first time opens the door for the U.S. to respond using traditional military force. ....

In part, the Pentagon intends its plan as a warning to potential adversaries of the consequences of attacking the U.S. in this way. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," said a military official.

Recent attacks on the Pentagon's own systems—as well as the sabotaging of Iran's nuclear program via the Stuxnet computer worm—have given new urgency to U.S. efforts to develop a more formalized approach to cyber attacks. A key moment occurred in 2008, when at least one U.S. military computer system was penetrated. This weekend Lockheed Martin, a major military contractor, acknowledged that it had been the victim of an infiltration, while playing down its impact.

Cyberwarfare is becoming more than just another talking point for the US Military, it's becoming a plank in government policy.

How significant is this? Well here's a data point. Lieutenant-General David Hurley has just been appointed as the new Chief of the Australian Defence Force. In a TV interview that night, he stated that one of the top four priorities for his term is cyberwarfare [1]. He called each of the other three as gamechangers (to which I concur) but did not elaborate on his one-word declaration of cyberwar.

What does that mean, other than a scurrilous lead for Australia's infosecarrazi press to follow up on? *Cyberwarfare is now top drawer stuff*. While us infosec types are scrabbling around trying to figure out what all the fuss is about (theories including:

  • media hype
  • excuse for new divisions,
  • just new lingo for what was once known as EW or Electronic Warfare,
  • a more cost-effective way to extend foreign policy, where cost is equated to dead diggers on TV,
  • interference in civilian affairs,
  • landgrab for the new Big Brother state,
  • domestic battle with the NSA, DSD, GCHQ and friends,
  • etc etc, inter alia...)

the military has put it on the agenda. On the *top of the agenda* of a force of 58,000 permanent warmakers, now with new improved government sanction to go out and bomb some electrons.

If the normally sensible Australians have bought into cyberwarfare, that means typically that the Americans are long gone down that path, and the British and Canadians have their walking shoes on as well. NATO won't be far behind, and NZ will join after their routine decade of protest.

The future of information security may well travel down a government / compliance path as we're squeezed between the 363kg gorilla of cyberwarfare on the one side, and the general incompetence of vendors on the other side. This will see all the vendors drawn over to cyberwar side, and an inevitable loss of innovative work on in the private sector. Not that we saw a lot, but there was always hope.

The end result will be more wrong threat models leading to more best practices and ultimately more compliance directed out of a military/political agenda. The compliance cycle that we saw stifling the American anti-phishing efforts will be the beginning, not the end, it will become the sad norm, not the upsetting exception.

Curiously however, there may be new common sense over on the other side of the Pacific. Lt Gen Hurley's opposite number in USA has also just been appointed as the new Chair of the Joint Chiefs of Staff:

[General Martin] Dempsey is “deeply skeptical” of technology being able to alter the basic nature of combat. He wrote recently in the introduction to the Army’s main operating concept, “We operate where our enemies, indigenous populations, culture, politics, and religion intersect and where the fog and friction of war persists.” In the end, it comes down to boots on the ground performing their jobs under competent command leadership.

His critics claim he doesn’t think as much as he should about future warfare and that he is too narrowly focused on the wars in Iraq and Afghanistan. ...

If anything's clear, the entry of the war machine into civilian cybersecurity affairs is likely to be bad news. Business and trade is far too delicate a thing to clobber with the heavy, blunt weapon of state responses. Maybe we need an old soldier to remind the futurists that war is actually a brutal thing?

No matter what the futurists have said over the last several centuries, it is always the grunts on the ground who are called upon to go in and make the job real. And it is always the people who bear the brunt of desk-flying futurists.

[1] Of the other three top priorities, one is the new fighter plane, the JSF or F35, which is Australia's largest defence purchase ever (ditto USA!). Another is the incorporation of the two new mini-carrier or logistical lift ships, which signals that Australia is going for integrated force projection, somewhat like Gen. Douglas MacArthur's island hopping in the Pacific campaign. In short, Australia is now building capacity to engage in the odd island invasion or two.

The third priority was equally big, but I don't recall it because I was too busy picking my jaw off the ground from hearing him slide that single neoligism into the middle of his conservative and comprehensive priorities.

Posted by iang at June 3, 2011 07:30 AM | TrackBack

"Civilization, in fact, grows more and more maudlin and hysterical; especially under democracy it tends to degenerate into a mere combat of crazes; the whole aim of practical politics is to keep the populace alarmed (and hence clamorous to be led to safety) by an endless series of hobgoblins, most of them imaginary." -- H.L. Mencken, 1918

Posted by: Hasan at June 3, 2011 12:26 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.