It's no surprise that following the various hacks, cracks, and online intrusions which have been dominating headlines, there’s been a loud, rallying cry from governments and corporations for increased investment in something called "cybersecurity." It’s a term that has already been used to brand two pieces of controversial legislation in the US, an ill-defined catch-all for the nuanced problems of a tech-rich, hyper-networked world.
Perhaps more importantly, cybersecurity also lacks meaningful numbers to represent those threats, and that has made the jobs of software security vendors — those who stand to profit from these newfound fears — a whole lot easier.
Earlier this month, public interest group ProPublica revealed that heavily-cited estimates on cybercrime costs had been fabricated or generously extrapolated from reports dating back to 2009. The reports, coming from Symantec and McAfee respectively, had supposedly estimated that American businesses lose $250 billion to cybercrime annually, and placed the global cost at $1 trillion.
But as ProPublica discovered after talking with key contributors to the reports, the latter statistic is absent from the papers entirely, and the former remains, mysteriously, unsourced. One contributor, Eugene Spafford of Purdue University, said he was "really kind of appalled" when the $1 trillion figure started showing up in news reports. Ross Anderson, a contributing consultant from Cambridge University, commented similarly, saying that "the intellectual quality of [the figure] is below abysmal."
FUD remains the most effective tool in a security vendor’s sales kit
Watching this misinformation penetrate the highest levels of governments has highlighted the need for a pragmatic approach to information security. But even without bogus figures ricocheting around the political echo chamber, FUD (Fear, Uncertainty, and Doubt) remains the most effective tool in a security vendor's sales kit.
In one sense, FUD gets its power from the fact that cyber threats like Stuxnet, the US-Israeli attack virus found damaging centrifuges in Iran's nuclear facility, make for such engaging stories. From website breaches to government-sponsored malware attacks to Mat Honan's cautionary tale about a digital life destroyed by hackers, it's clear that computer security has become a hugely compelling topic which taps into the deep fears of the countless corporations, governments, and individuals it threatens.
Bill Brenner at CSO's Salted Hash blog notes that he frequently observes discrepancies in how independent security researchers view cyber threats versus how they are reported by vendors and journalists, writing that in his experience, "when the PR approach is loud and hyperbolic, the same kind of news coverage follows, especially if it's from the more mainstream press."
Brenner posts a choice email from one such unscrupulous vendor regarding the Flame malware to illustrate how practical cyber defense strategies are obscured by PR noise:
It reads like an Avenger comic book or the next Bond film. Bigger than Stuxnet! Highly sophisticated! Predominantly used in data theft and cyber espionage! The widespread proliferation of malware infected systems and the toolkits hackers need to complete their latest espionage is indeed insidious.
(the vendor) is a recognized leader in providing solutions to defend against Advanced Persistent Threats (APTs). In order to address Flame, Deep Content Inspection (DCI) is a new approach to data inspection that incorporates thorough analysis that must be employed into the network. I wanted to connect you with (the vendor's CEO) as a resource to discuss the cause and effects of this malware. What is your availability to discuss the significance of Flame and how it could be avoided?
The surplus of industry-driven sensationalism comes at a critical time, when many seem to finally agree that the past decade’s national security apparatus is producing diminishing returns. A recent survey (and a prime example of FUD) conducted by Unisys found that Americans are now more worried about cyber threats than Homeland Security issues related to terrorism. And since cybersecurity is already in the long-term interests of governments, investors have also been betting on cyber defense companies like Unisys and McAfee much in the same way that they did for their real-world counterparts after 9/11.
For governments, the big sell is in the defense of "critical infrastructure," the systems that control things like water and power grids. In the US, much of that now stems (ironically enough) from the government's fear of retaliation after its own usage of sophisticated cyber weapons like Stuxnet and Flame. Developing strategies to combat those threats, however, is tricky, because when it comes to "cybersecurity," it’s not always possible to have actionable data sets.
"It's really hard to say where we are in terms of security or lack thereof with pinpoint accuracy," says Kenneth Geers, a cyber analyst for the Naval Criminal Investigative Service (NCIS). "In a national security context, it's difficult to put a dollar value on everything."
While Geers maintains that these threats are not to be taken lightly, he also questions whether it would be prudent for governments to start jumping the gun.
"I think it's pretty clear that [damage to critical infrastructure] is a real risk," Geers told The Verge over the phone last week. "But I don't know how much we should be worried about it until we see a greater demonstration or proof-of-concept in the real world."
Some analysts shy away from the term "cyber warfare," but Geers embraces it as a suitable, if somewhat clunky metaphor for what’s to come. His recent talk at Def Con explored cyber defense through the lens of Sun Tzu's world-famous tactical bible, Art of War.
Still, scenarios involving countries "shutting off each other's lights," he says, require so much work and involve so much collateral damage that governments might just agree to keep them off-limits. "I think even though these systems are vulnerable, we might see some kind of arms control in the future," he says. "In other words, it might be the G20 getting together and saying 'look, financial sector, critical infrastructure...these are areas we are not gonna touch.'"
Members of Congress, however, aren’t taking any chances. In the Senate and the House, new legislation is aiming to bolster cyber defenses by implementing smarter operational standards for government agencies. But in the process, they’re also running afoul of privacy laws by allowing governments and businesses to share private data on individuals without liability, as long as "cybersecurity" is invoked in the exchange.
Therein lies the problem with cybersecurity's malleable definition, which author and activist Cory Doctorow says citizens would do well to monitor as the term propagates through various branches of government.
"I think that the 'tell' here is that no one will tell you what cybersecurity is," he told us in the blistering Las Vegas heat outside of Def Con. "Your 'cyber' can't be made more secure by adding 'cyber security' to it."
Doctorow agrees that computer networks as they are now definitely present significant risks, "But a government cybersecurity initiative doesn't make any sense. A government initiative, for example, to ensure that mobile devices don't leak information to unauthorized parties — that would be really useful. But to say we're going to make mobile devices more secure doesn't mean anything."
He describes two separate definitions of a secure network: a truly secure network where private data can be kept private, and another that is made "secure" by allowing governments to access and monitor everything on it.
"If you're the NSA and you believe it's proportionate and valid and legal to put a beam splitter on AT&T's backbone and slurp up all of the traffic, then for you a secure mobile network is one in which every click, every signal, every handshake, every everything is transmitted to the mothership so that everyone can be 'more secure,'" he said.
Geers agrees that governments should be cautious in how they invoke cybersecurity. "I don't think the threat has risen to a level where we need to take any kind of draconian measures," he says, citing a need to protect privacy and civil rights. "But it would be good to start thinking now about how to put national level expertise in the hands of cyber defenders if they're providing infrastructure such as water or electricity to local communities."
Interestingly, privacy isn’t the reason that both of those cybersecurity bills, CISPA and the Cybersecurity Act of 2012, are now being delayed until next year. Rather, it’s due to concerns from the US Chamber of Commerce and others over the economic burdens that companies will face in complying with the new standards.
"From my perspective, my phone's a lot more secure when it's not leaking information to the NSA or some other entity," asserts Doctorow. "So I would like to see legitimate cybersecurity and a legitimate discussion about cybersecurity — I don't think we're getting that."