The consensus is in. Stuxnet, the malicious software that inflicted physical damage on Iran’s nuclear program, is cyber war. But China’s attacks on Google a year ago and the whole WikiLeaks thing are not. WikiLeaks, in fact, is more like piracy.
This consensus has been emerging during the RSA Conference on information security being held this week in San Francisco, and especially during today’s panel “Cyber war, Cyber security, and the Challenges Ahead”.
Some delegates had been telling security specialist James Lewis that they saw WikiLeaks as an attack on the United States. “WikiLeaks is ‘the first battle in the first cyber war’,” he said. “All that strikes me as nonsense.”
Bruce Schneier, widely respected as a guru of information security, and whose blog is a must-read, agrees.
“The State Department I think has finally learnt what the music and video industry learned 10 years ago, that it’s really easy to share digital files on the internet. Welcome to the internet!” Schneier said. “You might have relied on the difficulty of moving big stacks of paper, or records, or movies for your security before, but you can’t any more.”
Schneier thinks we might be seeing the emergence of a new business model in secrecy. “The old model isn’t working. You can’t have a system with a hundred thousand million people having access to it and expect it to be secure, just like you can’t give a CD to a million fans and expect them not to copy it,” he said.
For the past 25 years, information security has primarily concentrated on perimeter security, on preventing the bad guys getting in. That’s what network firewalls do. That approach has been wrong, according to Mike McConnell, a former director of the US National Security Agency and Director of National Intelligence to George W Bush.
“We increasingly have to have people start to spend their time and energy on the fact that you could lose the thing that’s most dear to you from someone that’s on the inside that has legitimate access,” McConnell said. Which is precisely what Bradley Manning is accused of in relation to WikiLeaks.
The consensus is also that Stuxnet represents a phase shift in information warfare, and there’s more to come.
As US Deputy Secretary of Defence William Lynn told the conference yesterday, the attacks they had seen until this point had only caused disruption. They were relatively unsophisticated, short in duration and narrow in scope. The ability to cause physical damage “marks a strategic shift in the cyber threat”.
“When you look at the cyber tools that are available, it is clear that this capability already exists. It is possible to imagine attacks on military networks or critical infrastructure like our transportation system and energy sector that could cause severe economic damage, physical destruction, or even loss of life,” Lynn said.
Bob Dix, a critical infrastructure protection specialist from Juniper Networks, put it more bluntly. “We need to understand the capabilities in this cyber realm can kill people, and folks need to understand that capability is here today.”
*Stilgherrian is attending the RSA Conference in San Francisco as a guest of Microsoft.