Cyber War Mass Hysteria Is Hindering Security
jhernik writes "International cyber threat initiatives are in danger of becoming overblown, the US government's security chief told the RSA Conference in San Francisco. 'Cyber war is a terrible metaphor,' said the US government's cybersecurity czar Howard Schmidt. 'Don't make it something it's not.' Internet attacks from hackers, spies and terrorist groups deserve serious attention, he said, but this should not be 'to the extent of mass hysteria.'"
He's right but... (Score:5, Insightful)
How is this any different from The War on Drugs, The War on ChildPorn, The War on Terror??
One way...
American businesses lose money if there is mass hysteria & people use the internet less.
There was no downside to the mass hysteria on The Wars on Things except for the truth
being lost in the FUD.
Re:He's right but... (Score:5, Funny)
What we need right about now is a War on War, man!
[flashes a peace sign, rolls a doobie, doesn't trim pubic hair]
Re:He's right but... (Score:5, Insightful)
There was no downside to the mass hysteria on The Wars on Things
Buuwha!? I'm sorry, have you been under a rock or something?
The mass hysteria over the war on drugs made the USA have one of the highest incarceration rates per capita in the world.
The mass hysteria over the war on child porn has given oppressive assholes the shoehorn to wantonly take over 85,000 websites. By accident.
The mass hysteria over the war on terror has made flying a sexually abusive experience, and let Bush invade two nations, and arguably led to hundreds of thousands of deaths.
But oh hey, CORPUSA didn't lose their profit margins, so it must not be all that bad.
Re: (Score:2)
And don't forget the damage that the "wars" have done to civil rights.
Re: (Score:2)
Freedom of movement has been damaged due to TSA's porno scanners and body searches. I can still generally go anywhere I want, so it's not like I've lost the right, but they're sure making it uncomfortable.
Due process has been damaged when the system can mistakenly take over 85,000 sites. I mean, I know a judge signed off on it, and that's the due process here, but apparently either the judge or the person writing the warrant didn't s
Re: (Score:2)
I dunno if smoking weed can really be considered a civil right though.
Civil rights are just a political construct anyway, one half of which concerns equality before the law. Which simply means that: treating everyone equally under the law.
Now you could claim that prohibition of "smoking weed" is not an infringement of this legal equality provided that it is equally prohibited for everyone. But then you could say the same thing about the prohibition of anal sex, which would have the side effect of effectively banning gay sexual relations. The other half of civil rights is the
Don't you mean... (Score:5, Funny)
Re: (Score:2)
No, I think you mean "cyberhysteriahysteria"
Re: (Score:2)
Hysteria about cyberhysteria expressed on the internet is cybercyberhysteriahysteria
Re: (Score:2)
Come on, that's so lame ... it should be Cyber-Hysteria^2. Way cooler and hip for the kids.
Re: (Score:2)
Hysteria 2.0! Because "2.0" is the new "Cyber-"!
Re: (Score:1)
Since "cyberspace" is both the cause of the hysteria and the means to spread it we should call it "metahysteria".
Re: (Score:2)
OK, fair.
How about e-Hysteria 2.0 then? Possibly i-Hysteria 2.0, but that might be trademarked already.
Re: (Score:2)
You could have i-Hysteria 2.4TDi - it's a bit slower off the line but it's just about as fast and costs about half as much to run.
Re: (Score:2)
Wow, you managed to pull a car analogy out of this thread. Awesome, dude! ;-)
Re: (Score:2)
Information superhysteria?
Re: (Score:2)
cyber cyber everywhere (Score:5, Funny)
Quote from TFA
"Cyber war is a terrible metaphor," said the US government's cybersecurity czar Howard Schmidt.
It seems like 'Cyber War' is a terrible metaphor, but 'cybersecurity czar' is perfectly acceptable for eWeek
Re: (Score:2)
When war with the cyborgs comes (and it will), what will we call it?
Re: (Score:2)
When war with the cyborgs comes (and it will), what will we call it?
Watson's Gentleman's Dispute
Re:cyber cyber everywhere (Score:4, Funny)
The only defense is a clone army of Alex Trebeks armed with one word answers.
I shall hide in the American city of Toronto!
Re: (Score:2)
Watson's Gentleman's Dispute
Can't wait for that app to hit the iTunes store.
Re: (Score:1)
What? (Score:2)
Re: (Score:2)
Of course you can't expect the government to get this right, so it will likely be an Eee-War or an I-War.
Course I would also expect interweb-war, interpipes-war or even intertubes-war.
Re: (Score:2)
The US Government thinks Cyber war is a stupid term now too?!
It must mean we really are at war!
No, he's not. (Score:1)
You can take the internet down with a small botnet (yes 250k zombies is small). http://www.zdnet.com/blog/networking/how-to-crash-the-internet/680 [zdnet.com]
So, when it happens it's just a bad day, right?
Re: (Score:3)
You can take the internet down with a small botnet (yes 250k zombies is small). http://www.zdnet.com/blog/networking/how-to-crash-the-internet/680 [zdnet.com]
You presumably missed the mass debunking of that claim a few days ago?
Re: (Score:2)
I must have. I saw some disagreement a few days ago, but no mass debunking. Protection requires 10% of ISPs to adopt a routing policy change. Let me know when that's done, ok?
That's easy. (Score:4, Informative)
It would be done within 24 hours of such an attack actually succeeding. More likely within an hour.
That's the core problem with all of these "disaster" scenarios.
They depend 100% on all-of-the-interested-parties doing nothing at all to resolve or mitigate the problem(s) during / after an attack.
There are lots of idiots out there who would not be able to fix their systems. But there are also a lot of smart people who know how to fix the problem but just haven't gotten management to buy off on it yet. That will change when there is a real problem.
Comment removed (Score:3)
Re: (Score:2)
Re: (Score:2)
This is the REAL reason for all this unmitigated BULLSHIT, it's all about the unreviewed, uncontrolled accumulation of POWER & MONEY in fewer and fewer hands. The manipulation of the gullible, the poorly educated, unsophisticated, apathetic Americans to manufacture consent of the people to their own enslavement!
Mod parent up. It's about the money. (Score:4, Interesting)
First off, this "war" has yet to result in a single death of an otherwise healthy adult at home. So calling it a "war" is incorrect.
Secondly, from TFA:
Exactly as spies have done for the last 2,000+ years.
I'm going to disagree with Bruce on this one. At least until he further defines "offensive cyber weapons". Again, not a single, healthy adult has been killed at home because of any "cyber attack" by someone using a "cyber weapon".
The real problem is that so few organizations pay attention to basic security practices. Just look at HBGary.
Sheez man, get with the plot. (Score:2)
Wait for this guy to be told to STFU; If you don't have mass hysteria how can you have a mass clampdown?
Re:Sheez man, get with the plot. (Score:4, Insightful)
Re: (Score:2)
I think the hysteria to be on guard against here is that of US policy making officials. We have lots of defense contractors who have been hyping "cyber" for a couple of years now. (That's right - they don't even call it cyberwar, or cybersecurity. Just "cyber." Ooooooo - shivers down my spine.)
When the policy wonks go off half-cocked, and the policy enforcers (CyberCommand, etc.) rush to salute and do their job, we will have wrongly focused substantial attention, and substantial $$$s, on chasing the w
Cyberwar tends to be a misnomer (Score:4, Informative)
An intrusion attempt is an intrusion attempt, be it by a dedicated tiger team doing a pen test, some guy living in Elbonia testing his skillz, an enemy country with their intel arm probing for weaknesses, a criminal organization looking for organizations with their fly open to use as staging points for botnet C&C servers.
An attack is an attack, and an exploit check is an exploit check. Who is doing it matters less than handling it, be it someone checking if the ssh daemon is buggy, or someone calling the front desk pretending to be the CEO and demanding a password.
Ideally, people need to not focus on *who* is doing the attacks as the primary concern, but the attacks themselves.
Since there is no good definition of a cyberwar, if one defines it as a country's military or intel forces attacking another site to find a way in, it can be said that there are plenty of cyberwars going on around the globe with almost every country going against everyone else.
Re: (Score:1)
Re: (Score:2)
Good point. I move we change the prevailing term to: "GLOBAL CYBERMELEE DEATHMATCH" !!!
There, FTFY
Re: (Score:2)
Needs more "XXXTREME".
Rock On University of Phoenix (Score:2, Funny)
Schneier and McConnell yesterday (Score:5, Funny)
I was there for the Schneier / McConnell / Chertoff panel yesterday, mostly for the lulz and got some. Perhaps the best part was when Mike McConnell (former Director NSA and Director of National Intelligence) told Bruce Schneier that he was as big a supporter of privacy as anyone else, even him. The look on Schneier's face was priceless.
Think of the chiiiiiiiildren! (Score:4, Insightful)
Mass Hysteria? (Score:1)
I'm quite surprised... (Score:2)
Re: (Score:2)
I would only expect the government to become more sane when it comes to technology as time progresses. I'm currently a grad student studying computer/information security & policy, and, as a child of the digital age, I can say with confidence that most of my peers (even the ones with government funded scholarships) are pretty level headed when it comes to "cyberwar" nonsense. There's really nothing to get up in arms about.
I think you'll find that most people who had to grow up through the Bush administr
Stuxnet (Score:1)
The Stuxnet attack seems to have worked as well as or better than an airstrike. Call it what you will, it was something pretty damn close to an act of war.
We should abolish those ignorant politicians! (Score:2)
Again... capability based security can fix this... (Score:3)
If we took even a fraction of the "cyber" defense spending that's being spent everywhere (on firewalls, virus scanners, spam filters, etc), and put it into a practical, usable, cabsec (capability based security) system we could FIX this problem.
Capability based security is simple in concept.... provide a program, and a list of capabilities (such as read-access to a config file, read-write access to a sandbox directory, read/write access to the internet) to the operating system. The operating system then enforces security so that NO MATTER WHAT, the program can't access any other files or devices.
If each of the system services is properly configured, and the user is provided with the tools that make it trivial to sandbox an application, then they can run code without ever having to trust it. This makes virus-scanning obsolete.
This is a default deny strategy, the opposite of what we have in place now. If it's not explicitly permitted, it CAN'T happen.
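A small Python simulation of the default-deny capability model described in this comment, added here as an illustration; it is not code from the comment or from any real capability-based OS. The `Monitor` stands in for the kernel, `FileCap` for a granted capability, and `run_demo` builds a constructed scenario (read-only config file, read-write sandbox directory, a secret file with no grant); all three names are my own.

```python
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class FileCap:
    """A grant handed to one program: a canonical path (file or subtree) and a mode."""
    path: str
    mode: str  # "r" or "rw"

class Monitor:
    """Stands in for the kernel: the only route to a file is through this object."""

    def __init__(self, caps):
        self._caps = frozenset(caps)  # ambient authority does not exist; only these grants

    def open_file(self, path, mode="r"):
        real = os.path.realpath(path)  # collapse ../ and symlinks before deciding
        need = "rw" if any(c in mode for c in "wa+") else "r"
        for cap in self._caps:
            inside = real == cap.path or real.startswith(cap.path.rstrip(os.sep) + os.sep)
            if inside and need in cap.mode:
                return open(real, mode)
        raise PermissionError(f"no {need} capability covers {real}")  # default deny

def run_demo():
    """Constructed scenario: config read-only, sandbox dir read-write, nothing else."""
    root = tempfile.mkdtemp()
    cfg, box, secret = (os.path.join(root, n) for n in ("app.conf", "sandbox", "secret.txt"))
    os.mkdir(box)
    for name, text in ((cfg, "debug=0\n"), (secret, "private\n")):
        with open(name, "w") as fh:
            fh.write(text)
    monitor = Monitor([FileCap(os.path.realpath(cfg), "r"),
                       FileCap(os.path.realpath(box), "rw")])
    results = {}

    def attempt(label, path, mode):
        try:
            with monitor.open_file(path, mode) as fh:
                fh.write("x") if "w" in mode else fh.read()  # exercise the granted mode
            results[label] = "allowed"
        except PermissionError:
            results[label] = "denied"

    attempt("read config", cfg, "r")
    attempt("write config", cfg, "w")                       # grant is read-only
    attempt("write in sandbox", os.path.join(box, "out.txt"), "w")
    attempt("read secret", secret, "r")                     # no grant at all
    attempt("escape via ..", os.path.join(box, "..", "secret.txt"), "r")  # canonicalised away
    return results
```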
Re: (Score:3)
This is where your plan falls completely apart.
The way you come up with good defense is not to only figure out how it should be done. When in that mindset, we only think about how stuff should work and we easily gloss over the vulnerable parts - we're only thinking about the correct path through the system.
In addition, you need to not consider the difficulty in breaking your design. Because there's somebody out there with the knowledge and
Re: (Score:3)
A trusted, proven microkernel is the only part of a system that one should have to worry about.
The way we currently do it is to trust huge swaths of code with the integrity of everything. That will never work.
Re: (Score:2)
Because that microkernel runs on magic pixie dust, not hardware with its own vulnerabilities.
Re: (Score:2)
It's not perfect, and there is no pixie dust, just different underlying design choices.
Having a micro-kernel which is mathematically proven to do what it says is a big step forward.
Having ONLY the micro-kernel run in protected mode, and be the only thing you MUST trust, reduces the attack surface by multiple orders of magnitude.
Limiting explicitly the capabilities of a given task makes side channel attacks involving things outside those capabilities impossible. For example, a disk driver doesn't ever have to
Re: (Score:2)
Why do I need to go through the operating system to access the Internet?
Sure, it's the most convenient way. But the NIC doesn't care if there's an operating system.
Then perhaps you shouldn't suggest it as the perfect system?
Re: (Score:3)
Thanks for sticking with this thread, I think it's important to work out a way to express this better so more people can grok cabsec.
Capability based security isn't perfect. Would it be fair to say it's a better system?
The purpose of an operating system is to fairly and securely share the resources of the computer. If the programs running get direct access to hardware without the ability of the OS to manage it, the OS isn't really doing its job... it's more of a program loader (think MS-DOS). Thus the OS sho
Re: (Score:2)
Yes, but who administers such a thing?
The problem is that by putting computers in the hands of people that by definition cannot administer a complex system we have to have systems that do not need any administration. Combining this with the ability of the user to add software to the configuration is a disaster for security - the user has no clue what the software they are adding might be doing.
There are two possible solutions to this, neither of which is anyone moving towards. The first is the "App Store"
Re: (Score:2)
I think administration would be fairly simple for such a system. Instead of "installing" programs, which then entwine themselves into the OS, you would simply drop them into a folder. When you wanted to use them, one reasonable default would be that they could only operate in their own folder.
The idea of trusting code to do what it says on the Tin is the big problem here... not the user. If the user has a system that makes everything inherently sandboxed off from everything else, they have a very good shot
Re: (Score:2)
Re: (Score:2)
No, you wouldn't have to download it again, you just give one access (as required to do the job) to the other. I think all of this could be done in a very open, transparent, consistent, and friendly way.
Re: (Score:2)
Re: (Score:3)
You're right... you can't fix stupid.
A different analogy might help here.
The current default permissive systems are equivalent to handing over your wallet to the cashier at the checkout counter, and hoping they will only take the right amount of money, and not use your info to sell your house before you get home. When you run a program, it can do anything you can do.
Granny is a lot smarter than you give her credit for, she knows not to hand her purse to the checkout person at the store. She only hands over
This country is headed for a disaster.... (Score:3)
- What do you mean, "cyberpunk"?
- What he means is Neuromancer, Mr. President, real Philip K. Dick type stuff.
- Exactly.
- Satellites falling down from the skies! Neurotransmitters boiling!
- Forty-eight hours of darkness! Gray goo, anarchocapitalism...
- Zippies rising from the grave!
- Linguistic hacking, AIs and ghosts merging together... mass hysteria!
- All right, all right! I get the point!
Chickens come home to roos? (Score:1)
Mass Hysteria??? (Score:1)