The Worst Article You Might Ever Read About 'Cybersecurity'
from the this-one's-special dept
There has been a lot of discussion lately about "cybersecurity" "cyberwar" "cyberattacks" and all sorts of related subjects which really really (really!) could do without the outdated and undeniably lame "cyber-" prefix. This is, in large part, due to the return of CISPA along with the White House's cybersecurity executive order. Of course, the unfortunate part is that we're still dealing in a massive amount of hype about the "threats" these initiatives are trying to face. They're always couched in vague and scary terms, like something out of a movie. There are rarely any specifics, and the few times there are, there is no indication how things like CISPA would actually help. The formula is straightforward: fear + handwaving = "we must have a law!"However, I think we may now have come across what I believe may top the list of the worst articles ever written about cybersecurity. If it's not at the top, it's close. It is by lawyer Michael Volkov, and kicks off with a title that shows us that Volkov is fully on board with new laws and ramping up the FUD: The Storm Has Arrived: Cybersecurity, Risks And Response. As with many of these types of articles, I went searching for the evidence of these risks, but came away, instead, scratching my head, wondering if Volkov actually understands this subject at all, with his confused thinking culminating in an amazing paragraph so full of wrong that almost makes me wonder if the whole thing is a parody.
The piece starts off, though, by playing up those supposed "risks," discussing how companies face "economic devastation" due to the "theft of valuable trade secrets." Here's an exercise: name one such company that has been so devastated. We'll wait. Then he talks about how these hacks could lead to "disclosure of consumer and employee information." Of course, he seems to be mixing and matching the types of hacks he's talking about. The "trade secret" stuff is generally corporate espionage, whereas the leaking of data tends to just be more general malicious hacking. Very different issues that probably require very different responses. But they're lumped together here.
So we've got an ill-defined problem, but have no fear, because the answer is here: Congress!
At the core of the problem is Congress’ failure to act. For years now, Congress has tried to enact meaningful cybersecurity legislation.Any analysis of whether or not the attempts at "meaningful cybersecurity legislation" would have any impact at all on the kinds of attacks discussed in the first paragraph? Why, no. Because that would be useful. But that's okay, because Congress needs to act!
The risks are too large and the consequences of failing to act can result in serious economic consequences.Again, can someone point to any evidence of cybersecurity issues having "serious economic consequences" to date? Yes, it's possible they might in the future, but let's put these things in perspective.
And then we get to this. I warn you ahead of time: reading the following paragraph may cause certain knowledgeable brains to experience something akin to spasms.
Recent cyber-attacks have illustrated the ability of terrorist groups and foreign governments to cause havoc on the Internet. The United States Sentencing Commission’s website was destroyed when activists attacked the site to protect the federal prosecution of Bart Swartz which eventually led to Mr. Swartz committing suicide. For years, the Chinese government has launched massive daily attacks against our government and private industry which are aimed at disrupting government operations, stealing trade secrets and undermining economic activity.Let's break this down. Bit by awful bit.
Recent cyber-attacks have illustrated the ability of terrorist groups and foreign governments to cause havoc on the Internet.Where and how? So far, the only example of any government causing any sort of "havoc" appears to have been the US with Israel with their attacks on Iran via Stuxnet, Flame and possibly some other very targeted malware attacks. What "terrorist groups" or "foreign governments" have actually caused any actual "havoc on the Internet"? The answer is none. It's certainly not what comes next:
The United States Sentencing Commission’s website was destroyed when activists attacked the site to protect the federal prosecution of Bart Swartz which eventually led to Mr. Swartz committing suicide.Yeah. Okay. (1) The United States Sentencing Commission's website was temporarily hacked (and later taken down). It was not "destroyed" in any sense of the word. (2) Activists are neither the "terrorists" nor "foreign governments" we were promised in the preceding sentence. (3) Taking down the site briefly did not cause "havoc." (4) BART Swartz??!??!? (5) The hack was to protest the federal prosecution of Aaron Swartz, not to "protect" it. (6) While many of Swartz's friends and families do say that the prosecution likely led to his suicide, no one can say for sure. (7) Nothing about the hack by Anonymous had anything to do with "cybersecurity" nor would CISPA have protected the Commission's website (better programming might have). Basically, this sentence is just about as wrong as it could possibly be, and has nothing to do with what the article is about, other than drumming up fears about "cybersecurity."
For years, the Chinese government has launched massive daily attacks against our government and private industry which are aimed at disrupting government operations, stealing trade secrets and undermining economic activity.There's been plenty of talk about these Chinese hacks, which definitely do appear to be happening. But, what economic activity has been undermined? So far, the hacks may have been a nuisance, but it's unclear that they've done any real damage. It is also unclear how CISPA helps stop such hacks, other than making Congress feel like it's "done something."
Are there issues with online security that need to be taken seriously? Yes, absolutely. Do we need legislation to deal with those problems? That's debatable, and we're still waiting for some evidence not just of scary sounding threats, but that this kind of legislation will actually help. Unfortunately, this article keeps us waiting. But, it did make us laugh. Unintentionally (we think).
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: aaron swartz, cispa, congress, cybersecurity, exaggeration, michael volkov
Reader Comments
Subscribe: RSS
View by: Time | Thread
Aaron Simpson?
[ link to this | view in chronology ]
Re: Aaron Simpson?
It's Aaron, not Bart, ay carumba, what a hack I am!
[ link to this | view in chronology ]
Re: Aaron Simpson?
[ link to this | view in chronology ]
Can't help but wonder
[ link to this | view in chronology ]
Re: Can't help but wonder
The guy is even stupid enough to use the disclaimer:
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Which makes your "consulting services"-theory pretty much confirmed...
[ link to this | view in chronology ]
Re: Can't help but wonder
Prior to launching his own law firm, Mr. Volkov was a a partner at LeClairRyan (2012-2013); Mayer Brown (2010-2012), Dickinson Wright (2008-2010); Deputy Assistant Attorney General in the Department of Justice (2008); Chief Counsel, Subcommittee on Crime, Terrorism and Homeland Security, House Judiciary Committee (2005-2008); and Counsel, Senate Judiciary Committee (2003-2005); Assistant US Attorney, United States Attorney's Office for the District of Columbia (1989-2005); and a Trial Attorney, Antitrust Division, United States Department of Justice (1985-1989).
So rooting for more power is right up his alley.
[ link to this | view in chronology ]
/gag
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Is he going to be telling us next that if it weren't for cyberattacks, the planes wouldn't have fallen out of the sky over Pearl Harbor?
[ link to this | view in chronology ]
Gee... This piece verges on ADEQUATE.
[ link to this | view in chronology ]
what it most definitely will do is give Congress (or some member) the excuse to put yet another bill on the table of another reason why we must have CISPA! given that the guy is a lawyer, i hope when he goes into court he has researched the case fully. his poor defendant could end up in the shit when there was previously no shit to be in!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Typos and stuff
[ link to this | view in chronology ]
Re: Typos and stuff
[ link to this | view in chronology ]
Re: Re: Typos and stuff
[ link to this | view in chronology ]
Re: Re: Re: Typos and stuff
[ link to this | view in chronology ]
Re: Re: Typos and stuff
There have ben a number of long running denial of service attacks on mostly US banking sites originated by Iranian groups, which are thought to be funded by the Iranian government. Now, I don't automatically associate Iranian with terrorist, but it is easy for many people to ignore the distinction. And they're pretty standard DDoS attacks, nothing particularly out of the ordinary.
Of course, the point about CISPA stands - there's no need for it even in those cases.
[ link to this | view in chronology ]
Re: Typos and stuff
[ link to this | view in chronology ]
Re: Re: Typos and stuff
Maybe I'm giving him too much credit...
[ link to this | view in chronology ]
Re: Re: Re: Typos and stuff
And don't you know that that is what asteroids do - DESTROY THINGS... apparently even in cyberspace. :)
[ link to this | view in chronology ]
Re: Re: Re: Re: Typos and stuff
But then maybe I'm totally wrong and giving him too much credit for rationality and subtlety. It's entirely possible he's just talking total bollocks throughout.
[ link to this | view in chronology ]
Yippeekayay
Sounds like someone got drunk and mistook Die Hard 4.0 for the evening news
[ link to this | view in chronology ]
Re: Yippeekayay
[ link to this | view in chronology ]
Another Law that will What
[ link to this | view in chronology ]
The unanswered, unspoken question is what is really being attempted here. What self protectionism special interest (group?) is going on behind the scenes produces such wild, and certainly, unneeded proposed legislation. It is at least possible that this is just another way to legalize what has already been (being?) done.
The executive order definitely seems more rubber-stamping by the current administration. Its kind of irresponsible in the light of current politicians ability to create constitutionally viable law especially in the area of privacy.
Misspelling Aaron Swart's name is almost comedic. Did anyone writing the article care about an activist anyway. Relating activists to terrorists the demonetization of a whole class of Americans. Would that be declaring class warfare in writing? If they would hire some of them to program their websites I'd bet their vulnerability to China hacks would be much less.
I said what I needed to about privacy in this recent post: http://www.techdirt.com/articles/20130226/14360422120/supreme-court-effectively-says-theres-no-way-t o-challenge-warrantless-wiretapping.shtml#c681 which was one of my more difficult essays. It takes a bit to write my (wordy) posts and its at the end. The only error I made was not removing Carter as an exception.
The current US batch of politicians seem to have entered a no privacy zone. I hope the voters issue a stiff parking ticket.
The consequences of collecting private intel on the lifestyles of average citizens is summed up on this post: http://www.techdirt.com/articles/20130225/18022322104/north-carolina-newspaper-with-no-backbone-apol ogizes-its-request-public-records.shtml#c1019 (don't be a bully!)
am glad I wrote those posts so this post can be so short. haha
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Despite some education I find the gaps to be huge especially in the areas of monopolies and top down media business models and the effects on shared culture areas. I am of course hoping to get some commentary/feedback involving this. Its a wonderful intellectual exercise full of discovery.
I put a bit of effort into the logic behind the topic each post is about. They can be a bit wordy and the time that takes usually means they are near last and comments are sparse. Argue with me. Tell me I'm wrong. But. Please explain how so I can elaborate as it seems each paragraph and sentence of my posts can be a whole essay in themselves. I'm kind of eager for it.
Thanks for commenting.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
If this were something besides misdirection for more draconian laws to allow more invasion of privacy, it would seem that addressing where the points of weakness are, would be the solution. Those solutions that work pretty much always address the root cause, not the hand waving, vaporous, symptoms.
[ link to this | view in chronology ]
Re:
2. It's a lot easier (and cheaper) to scream for draconian laws than it is to do a major overhaul of those sorts of software systems.
3. Email was never intended to be secure in the first place. There is a reason why the protocol is called the SIMPLE Mail Transfer Protocol. You don't send cash through the USPS for a reason and the sooner people learn that you don't send sensitive information through email, the better. Besides any change in the standard would require every email server on the planet to simultaneously adopt the new standard which is a feat that is next to impossible to accomplish.
[ link to this | view in chronology ]
Anyone with a server knows this is nothing new
Anyone who has a server gets probed on a regular basis. They come from everywhere (including the US). I don't know why China is being singled out (other than they're a convenient bogeyman).
Just for fun sometime, everyone should have to put up an old server with an old un-patched OS without any firewall or NAT. Within a day, your login prompts will generally be swapped out with some gotcha message. These attacks generally come from script kiddie thrill seekers, not malicious communists trying to destroy the Internet.
And it doesn't take much precautions to keep fairly safe on the Intertubes.
Mosquitoes are a good analogy. Mosquitoes do cause billions of dollars of damage in the world (real dollars, not hype dollars). And I often get some mosquitos outside my windows. But I'm not giving the cops the keys to my place because of the problem. First of all, I don't need the invasion of my domain, secondly I don't see the cops being able to do much more than I can. So what's the point?
[ link to this | view in chronology ]
Re: Anyone with a server knows this is nothing new
[ link to this | view in chronology ]
Re: Re: Anyone with a server knows this is nothing new
Fortunately, this stuff isn't really that hard to deal with.
[ link to this | view in chronology ]
At the core of the problem is Congress’ failure to act
I think there is some soft of bias in this piece.
[ link to this | view in chronology ]
Failure to act? Not!
[ link to this | view in chronology ]
I'm surprised
[ link to this | view in chronology ]
Re: I'm surprised
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I don't even
[ link to this | view in chronology ]
Re: I don't even
Sends whatever else he has to say straight into the crapper, he can't even get a name right.
[ link to this | view in chronology ]
Probably illegaly and want to cover their asses.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Fixed one mistake, left the rest.
[ link to this | view in chronology ]
Re: Fixed one mistake, left the rest.
On a more serious note my brain skipped a few electric pulses while reading all that bullshittery.
[ link to this | view in chronology ]
Re: Fixed one mistake, left the rest.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Anyone can conjure up hypothetical scenarios of doom and gloom playing out in the future; that doesn't make them true or inevitable. From what I gather, some people's job in government is solely to drum up fear and panic over manufactured what-if scenarios, then attempt to shift responsibility to Congress to act or be held accountable for the 'consequences' of doing nothing to prevent it. Yes, somehow, it's government's job to be future-proof against all manner of crime. Invariably the idea is to give themselves more extraordinary powers. They're so predictable, they may as well be a broken record.
[ link to this | view in chronology ]
To "Volkov"
Definition: To so thoroughly misunderstand a topic as to undermine your argument at the same time as you display your own massive ignorance and stupidity. Example: "protect the federal prosecution of Bart Swartz"
[ link to this | view in chronology ]
cyber security threat?
[ link to this | view in chronology ]