How The Defense Department And NSA Is Hyping Cyberwar To Better Spy On You
from the not-cool dept
We've discussed multiple times the massive unsubstantiated hype around the concept of "cyberwar", which mostly has been led by former government officials who are seriously cashing in on the hype. Yet, every time we mention this, we get people insisting that we just don't know the "real story" and the "threat" is really big. But we keep waiting for some evidence to support that theory.
Seymour Hersh, over at the New Yorker, who tends to be the most connected reporter around when it comes to getting the inside scoop on what's happening in the US military, has a (typically) long and worth reading analysis of the whole "cyberwar" concept that effectively agrees with exactly what we've been saying all along: it's totally hyped up beyond reality, in an effort to build the reputations of a few people and to cash in on a trend. People on all sides of the issue all seemed to point out to Hersh that "cyberwar" is blowing things out of proportion. There's plenty of espionage going on, but that's quite different (and a lot less sexy when it comes to trying to make money).
But what's even scarier than the people seeking to get money is the way the Defense Department has been using this to try to basically take control of the whole "cyber defense" aspect. Back in August, we discussed how there was this ongoing fight between the Defense Department (military) and Homeland Security (civilian) to manage the "cyber" threats, with the Defense Department basically using its experience in being incompetent to argue that it knows better.
And, as you look at the details, the Defense Department isn't just looking at "cyber defense," it keeps on making the argument that part of "cyber defense" is also "securing" private networks and usage. Jerry Brito, over at the Tech Liberation Front, just had a post questioning whether or not the military should have a role in civilian cybersecurity, and Hersh's long article gives plenty of reasons why it absolutely should not.
Multiple people note that one of the best ways to make various networks and systems more secure from espionage attacks is to increase (or even mandate) widespread encryption. That would certainly make things more difficult for espionage. But the NSA (part of the Defense Department) doesn't want that because that makes it much harder to spy on people. In fact, the very same NSA has been pushing the feds to put in place a mandatory backdoor to any encryption so that it can keep on spying.
But, of course, any such backdoor can (and absolutely will) be used by those trying to spy from elsewhere as well. So when you put the NSA in charge of "cyber security," it seems to focus on using that mandate to actually improve its ability to spy on everyone (including on domestic soil), rather than actually doing stuff related to actual "cyber security." We've had various pieces of similar stories over the past few months, but Hersh does a great job pulling it all together in a way that makes it pretty clear that this whole thing is a huge boondoggle for most of the players. The ex-gov't officials screaming "cyberwar" are making tons of cash, while the Defense Department and the NSA are using all that hype to gain more control over the internet and the ability to spy on people -- but not necessarily to make anyone more secure.
Filed Under: cybersecurity, cyberwar, defense department, nsa, privacy, security
Reader Comments
Dear God...
[ link to this | view in chronology ]
Re: Dear God...
[ link to this | view in chronology ]
Re: Re: Dear God...
[ link to this | view in chronology ]
Re: Dear God...
[ link to this | view in chronology ]
Re: Re: Dear God...
Actually, I kind of am, indirectly. The book is about the first ever true all-digital consciousness created by a defense contractor as the prototype for the future digital "soldier". Did a ton of research on Digital Philosophy Theory and the like for it....
[ link to this | view in chronology ]
Re: Re: Re: Dear God...
[ link to this | view in chronology ]
Re: Dear God...
[ link to this | view in chronology ]
What evidence do you have to support your theory? How are they making their "tons of cash?"
I'm all for privacy, but it seems to me that we would all be better served if people would suggest a better solution to address any potential cyber threats, rather than simply bash the government's efforts to actually do something about it...
[ link to this | view in chronology ]
Re:
http://www.reuters.com/article/idUSTRE64O6V720100526?feedType=RSS&feedName=technology News&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A reuters%2FtechnologyNews %28News %2F US %2F Technology%29 --
"Growing concern about cyber attacks is fueling a market valued at around $30 billion a year, prompting new investments by BAE and other defense companies that are keen to offset an expected flattening in spending on more traditional weapons."
In other words, they've learned from their pharma friends. When profits from one threat begin to wane because that threat is no longer seen as a threat, manufacture another threat, with govt. or NGO help, and sell something for THAT....
http://www.wired.com/dangerroom/2010/05/cyberwar-cassandras-get-400-million-in-conflict- cash/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A wired%2Findex %28Wired%3A Index 3 %28Top Stories 2%29%29 --
"Back in February, for instance, former National Security Agency director and Booz Allen Hamilton executive vice president Mike McConnell declared that “the United States is fighting a cyber-war today, and we are losing.”"
That same article details that Booz Allen, subsequent to those comments by an ex-govt. official, signed $400 million worth of "digital defense" contracts to add to its already staggering $2.7 billion bank of govt. work.
....is that enough, or do you need more?
[ link to this | view in chronology ]
Re: Re:
The Great Firewall of China is about as secure as the pay walls around News Corp properties.
Still, as you point out there's a LOT of money to be made chasing your own tail, it seems.
Interesting, isn't it, that the British Government wants to drydock virtually all of the Royal Navy, park and store most RAF jets and still, somehow, support what few troops there are in Afghanistan but are going to spend a small country's GDP on cyber warfare.
And still the US NSA dreams of setting up a "secure" domain in cyberspace. Lemme know when they get that done or better yet let me know when you see pigs flying south for the winter or when the Cubs win the World Series.
:-)
[ link to this | view in chronology ]
Re: Re: Re:
....damn you.
[ link to this | view in chronology ]
Re: Re:
But I still maintain that it would still be more productive if folks crafted solutions. The debate over who should oversee the defense of the networks aside, the external threat to US government systems is real. Adversaries are constantly seeking to exfiltrate data to foreign servers. And the Russian attack on Georgian infrastructure--how would you classify that?
Bottom line: What would you recommend the United States do about it?
[ link to this | view in chronology ]
Re: Re: Re:
International espionage. Watch a Bond film. This stuff ain't THAT new....
"Bottom line: What would you recommend the United States do about it?"
Take the physical security precautions that they can, do some level-headed basic computer security precautions where necessary. None of that costs $30 billion. And fear mongering makes me unimpressed.
My suggestion? To be just as effective, give ME the $30 billion dollars, I'll dress up like a flamboyantly gay Apache Medicine Man, get myself a Harry Potter wand, and shake it at every govt. computer in America while shouting "Ooga Booga, Ooga Booga!"
Actually, because I'm a patriot, and because I like dressing up like gay versions of indigenous peoples, I'll do it for $20 billion....
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re:
.....I win.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
"because I'm a patriot..."
Patriot, indeed.
[ link to this | view in chronology ]
Re: Re: Re:
The problem is that these solutions do not make billions in profits for consultants and contractors. They thus have every reason to scrupulously avoid them, and to instead undertake hideously-expensive and not-quite-ineffective alternatives. (Why "not quite"? Because if they work too well, then no more gravy train. But if they work too badly, no more gravy train either. The trick is to walk the fine line and thus ensure next year's revenue.)
I strongly recommend reading Marcus Ranum's essays/rants, which are some of the most insightful things written about security in the last 40 years. In particular, "The Six Dumbest Ideas in Computer Security", "The Anatomy of Security Disasters", and "Stupid about Software" are good places to start.
If you read those and grasp them fully, then one of the things that you will realize is that attacking the IT security problem as it currently stands is NOT a matter of "doing something": it's a matter of ceasing to do quite a few things that are known failures.
But that's not sexy and doesn't make headlines and doesn't sell books and doesn't make billions and doesn't look good on a PowerPoint and oh, yeah, is far beyond the feeble comprehension of nearly every management critter on the planet. So it won't happen.
Nope, instead there will be initiatives and plans and reviews and standards and yadda yadda yadda for the foreseeable future. And the cash register will ring -- and if not enough, well, then some additional "cyberwar" fear mongering should do the trick.
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Yeah, and there are WMDs in Iraq ....
"Bottom line: What would you recommend the United States do about it?"
Stop using MS Windows and use Linux ...
Hold companies responsible for poor software design ...
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
...and his suit does not match ... and that's bothering me a lot right now. This is corporate america now, bud, at least turn on the light while you are getting dressed.
[ link to this | view in chronology ]
Re:
There was never a cyber attack that resulted in loss of life, was there? Can you cite one?
[ link to this | view in chronology ]
Re:
But privacy is security in a very real sense. You want solutions? Ok.... I'll give it a stab
1. Encrypt everything
2. Use intelligent multi-layered defenses based around Intrusion Detection and Intrusion Prevention throughout key points of the network
3. Make sure these are algorithmic/holistic in nature rather than signature based to better stop zero-day exploits
4. Make sure that you have a security plan that covers every device that may connect to your services, be it mobile phone, memory stick, laptop or smart washing machine.
4. Make sure everything is logged and audited, including changes to logging and auditing processes
5. Make sure the physical security of access to your resources is considered and likewise monitored.
6. And this one's really really important.... Make sure you consider the human element. Training and education to reduce social engineering attacks and plain stupidity.
and of course 7. Don't let anyone governmental or otherwise deliberately put a hole in those defenses no matter what excuse they have
Follow all that and you still won't stop every attack, but I guarantee you you'll be a damn sight better off than letting the government "handle" it.
"Cyber war" could be done technically with lax security on many networks, but making it worse by centralising the vulnerability is hardly the answer. The things you'd be worried about being taken down aren't in government hands so education and encouragement of security improvement in a distributed way is what reduces the "threat", not hyperbole and posturing by politicians.
[ link to this | view in chronology ]
Re: Re:
Pretty sure I meant Heuristic there.........
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
Yeah... it's not like I invented it solely for the purposes of answering a post :-)
As I said it's number 6 that's the kicker..... the number of people who claim "security is someone else's department - nothing to do with me." is scary.
That's probably why it's so tempting to believe the Government can sort it out.
Cut to: Larson Farside cartoon.... party full of sheep, dog at door. Caption, hostess sheep saying "Oh Vernon the party's a disaster, no-one knows whether to sit, stand, eat, drink... Oh thank God! Here comes the border collie"
response: Further Larson cartoon... field full of sheep, 1 standing on hind legs front legs raised, a look of revelation, caption "Wait! We don't have to be sheep!"
[ link to this | view in chronology ]
Not just including domestic
I would say that it's not just "including domestic spying", rather focused primarily on domestic soil.
Foreign gov'ts and corps will simply not use flawed encryption tech, and develop their own sans "NSA ENTER HERE EVERYONE ELSE GO AWAY" backdoor.
Hence, this opens domestic networks to everyone, including the NSA, but will have zero effect on foreign surveillance.
[ link to this | view in chronology ]
Re: Not just including domestic
[ link to this | view in chronology ]
Re: Re: Not just including domestic
TLS and SSL, the standard communication encryption protocols, use RSA, an open-source encryption algorithm. So we have that part solved at least.
Also more standardized encryption would likely be used by legitimate businesses globally when communicating outside their networks, like banks to clients.
Any bank that doesn't already use secure communication should be completely avoided.
[ link to this | view in chronology ]
Re: Re: Not just including domestic
The only entities who will knowingly use encryption with a backdoor are entities who have no choice.
The only entities the US Gov't can force the choice on are entities that exist within the US.
Hence, if the US mandates this, it will have an effect on domestic surveillance, but none on foreign. Drug cartels south of the border, for example, will use encryption without a backdoor.
[ link to this | view in chronology ]
It's impossible for them to achieve the totalitarian control they're trying for. The best they can do is push people to start using VPNs, which would result in them getting even less intel.
Of course, they're not going to sober up anytime soon. As such, let's look forward to watching over the coming months as they grasp at the shadow and lose the substance.
[ link to this | view in chronology ]
Again with the "there really is NO PROBLEM". trust me.. I'm Mike.. :)
"Sure, they are wrong, but I can't provide anything that shows I'm right".
At least these groups are trying to work out who and how to work on this cyber security threat. Mike, you just claim it does not exist!!
And if you think cyber security issues do not exist you are the LAST person who is qualified to comment on said security.
You are in denial..
NSA and HS are saying "there is a problem, it is clear, so what can we do about it to try to mitigate that problem".
Mike says "You're stupid and wasting money, there is no problem, you're chasing shadows".
And of course Mike has so much more skills, expertise and technical knowledge of these issues than the NSA or Homeland Security.
Of course to Mike, there are no legions of script kiddies and would-be hackers, botnets don't exist, and the .gov and .mil domains are not attacked hundreds of thousands of times a day.. There are no hacker conventions, and hacking "WELL IT REALLY IS NOT A PROBLEM".
Great, Mike, way to boost your 'reputation' as someone informed.
[ link to this | view in chronology ]
Re: Again with the "there really is NO PROBLEM". trust me.. I'm Mike.. :)
I read it as "Oh look. Government is hyping up a threat that's been there for years and decided suddenly to appear to 'Do Something About It', except that the actual aim seems to be something that can't possibly help and in fact will hinder the stated aim. But oddly the approach manages to raise lots of cash, fear, and give much more domestic control. Don't you think that's a bit dodgy?"
Of course that would make the other interpretation pretty much a non-sequitur of a post so it'll probably turn out that I'm in DeNile too.... that's fine - I fancy Africa this time of year.
[ link to this | view in chronology ]
Re: Again with the "there really is NO PROBLEM". trust me.. I'm Mike.. :)
[ link to this | view in chronology ]
Facetious fortune cookie
[ link to this | view in chronology ]
Re: Facetious fortune cookie
Facetious indeed :-) Except in this case even that tired old platitude that you are correct will probably be trotted out isn't applicable.
Even if I were dumb enough to accept it as a valid reason for violating privacy, in this case we're not just talking about privacy from the government. I think I can 100% guarantee with no fear of being wrong that if a "backdoor" is engineered into every system "for the NSA", the NSA won't be the only ones walking through it. I may have "done no wrong" but what about the million other people you just let into my network? Do I have anything to fear from them?
[ link to this | view in chronology ]
Oh Look it gets better the CIA is fighting the CyberWar too
HaHaHaHaHaHahahahahahaa.......
Ok I'm done now.
[ link to this | view in chronology ]
The internal threats seem to be even more real, but I'd be more concerned about the threats to the companies actually running infrastructure including on behalf of the government if I were you. And by threat I mean basic open holes in security for undirected malicious code, rather than worry so much about a specific targeted "cyber war attack".
Never attribute to malice that which can easily be explained by stupidity.
[ link to this | view in chronology ]