"Cybersecurity" is a con; why are we funding it?

Oct 14, 2010 15:56

http://www.theregister.co.uk/2010/10/14/cyber_budget/

I've been mostly refraining from commenting on politics, but I can't let this go by. It's outrageous that the government is even considering spending this kind of money on a boondoggle, rather than, say, the actual shooting war that is being fought with insufficient helicopters, or university education, or something else that might deliver valuable tangible results.

Why am I calling it a boondoggle? Well, first of all there's the poor performance of government IT projects in general[1]. Add in the fact that it's a defence IT project[2], that it will be conducted in secrecy, that it has vague aims that are difficult to verify, that defeat can always be blamed on external actors, and things are already looking bad.

Then there's some consideration of what it might actually do were it to deliver on its stated aims. I'll grant that spending some time, effort and expertise on hardening UK government computer systems is worthwhile. However the article is talking about largely funding active retaliatory attacks. This is a very different kettle of fish. The main problem is that "cyberwarfare" is not symmetrical and not centralised; it's a lot more like biological warfare than the Battle of Britain. You chuck something out and hope the wind doesn't blow in the wrong direction and that everyone's up to date on their antidotes.

Let's have an illustrative example. Leaving aside the reality that most attacks are from what's best called the computer-facilitated fraud industry (dodgy viagra, porn sites, fake antivirus, click fraud, phishing of valuable account details, credit card fraud), let's grant an actual cyber-attack. Let's say there is a Stuxnet-style attack on a power station which succeeds in offlining some Windows-based industrial control system. You send in your elite cyber-forensics team to establish what's happened.

Time passes.

They determine, a few days later, that the infection spread onto the internal network over a reused USB stick from an infected internet-facing machine. That machine was infected when an employee followed an infected link from a popular social networking website. Inspection determines that the link was not previously detected to be malicious as it only serves malware to IP addresses belonging to the electricity company. The malware was hosted on a compromised machine in the Korean school system and the infected link was posted from an internet cafe in Kiev.

You have a "cyber-retaliatory" capability. Against whom do you retaliate? Isn't it a bit late for that?

Let's grant the most favourable possible scenario: suppose there is a DDOS attack on direct.gov.uk. Your team of dedicated cyber-warriors stop playing Starcraft[3] and swing into action. Do they:

A) Pick up the phone to a few ISPs and get them to start blackholing traffic
B) Identify DDOS-like traffic at your router and block it
C) Try to counter-hack every machine that connects to direct.gov.uk
D) Try to identify the botnet control master and DDOS it yourself with your own botnet

C) is extremely difficult: it requires that you have some sort of effective IP-targetable remote exploit that goes through firewalls and is not already patched. It also runs the risk of misidentification & collateral damage, risk of being identified as an attacker and blocked by ISPs, and of course it leaks your exploit to the world.

D) presumes firstly that you can find the master(s) in a reasonable amount of time, and secondly that you can carry out your own DDOS. That would imply the UK department of cyberwarfare would go around actively exploiting machines of bystanders around the world in order to build up a suitable botnet. That sort of thing has huge potential for embarrassing disasters. Especially when Chinese hackers take over your control channel and steal your botnet.

In the real world you do A) and B). But that's just systems administration, not sexed-up cyberwarfare. The whole cyberwarfare concept is a marketing plan dreamt up by people who think films are a representation of reality and imagine something between global lasertag and duelling progress bars. "Star Wars" for the 21st century.

[1] http://www.parliament.uk/documents/post/pr200.pdf
[2] Helicopters AND software: http://www.computing.co.uk/computing/news/2237829/chinook-software-blunder
[3] kekeke