Has The Threat of Cyberwar Been Grossly Exaggerated?

Friday, October 08, 2010

Danny Lieberman


Bruce Schneier writes that The Threat of Cyberwar Has Been Grossly Exaggerated.

Not unpredictably – the essay yielded a lively discussion,  I agree with Bruce – especially because of all the hype around Stuxnet.

On one hand – the locals in Israel more or less know, or guess who worked on the project and on the other hand – there are clumsy attempts at disinformation – Shai Blitzbau is trying to claim that it is not military code, but didn’t do his homework regarding WinCC ( a Siemens Windows application for industrial command and control, not a special version of Windows for SCADA systems as Blitzbau wrote).

Software Requirements

WinCC V6.2 is released for the following operating systems:

Windows XP Professional Service Pack 2 (client / single-user station)

  • Windows 2000 Professional Service Pack 4 (client / single-user station)
  • Windows Server 2003 Service Pack 1 (client / single-user station / server)
  • Windows Server 2003 R2 (client / single-user station / server)

Microsoft SQL Server 2005 SP1 is used as the database and is supplied with WinCC Version 6.2. The SQL Server system administrator password can be assigned by the user and supports adherence to company password conventions.

While Blitzbau is probably trying to link-bait some headlines with contrarian opinion – 500MB of well written code by a large multi-disciplinary team looks and smells like cyberwar no matter what languages the developers speak and use.

Nonetheless – cyberwar is over-hyped.

I found it significant that Schneier’s article and the resulting discussion thread – skimmed over the obvious:  namely that:

In real war (as defined by soldiers of one state fighting soldiers of another state) or real terror (as defined by bad people who kill civilians) – real people get killed.

As an Israeli – I find the American fixation on cyber-terror and cyberwar somewhat amusing.

Although I understand that it is fundamentally a way of generating more business for the Raytheons of this world – the American fixation on cyberwar and cyber-terror goes beyond the DoD and Pentagon turf wars.

For many Americans, cyberwar must seem like a safe way of vicariously participating in some kind of a cool war effort without having to pay the physical and emotional price of dealing with losing friends and families to real world terrorists or soldiers.

Perhaps – if I might speculate – it is possible that the President Obama has not declared war on Afghanistan because it runs contrary to his liberal weltanschaung of “lets solve conflicts by talking to everyone since everyone are created equal”.

Cyberwar and cyber-terror are proofs of the inequality of life and the inequality of war.

While the DHS, NSA, FBI, CIA would have difficulty producing a single example of a real person being murdered by a piece of targeted malware – any Israeli you meet – including yours truly, has close friends or family who were killed by real wars and real terrorist.

Cross-posted from Israeli Software

Possibly Related Articles:
Security Awareness
Cyberwar Stuxnet
Post Rating I Like this!
Jamie Adams Another great article. And as an American, I agree with you 100%. I try to avoid getting sucked into the quagmire of politics but I, too, find the labels the U.S. government (or media) chooses amusing. Not to trivialize anyone's information security effort... but labels like that just have good marketing appeal ... kind of sexy for the American public. Thank you for the great post.
Erika M I agree that the terms have now become buzz words and 'tools' to make $$. I do think, however, that we must be ever vigilant. We do live in a world where there are bad people. Maybe not the commercialized boogey man per se, but there are malicious forces and they do actively try to tear others down. Sometimes I think various interests try to annoy us with the overuse of these terms merely to desensitize us to the very real threats.
Danny Lieberman Erika,

Of course we must be vigilant, but there are two messages in the article:

a. You have to get the basics right - note the Siemens guideline: "system administrator password can be assigned by the user and supports adherence to company password conventions" which they themselves do not follow in their field implementations. If they had - then Stuxnet would not have been able to exploit the default password vulnerability in WinCC

b. Security theater is one thing. Security lobbies hyping cyber-war and cyber-terror in order to garner Federal funding, paid for by your tax dollars is another. Unfortunately - the US agenda on fighting terror is more oriented towards security theater and politics than addressing the root causes starting with drying up the funding.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.