As we have recently mentioned on our blog, October is National Cyber Security Awareness Month. And I’m sure we will post more to raise awareness of the risks you personally face, the risks to the institutions you do business with, and to the government itself.
Today, though, I want you to start to broaden your outlook on this issue. While you are getting acquainted with new threats like nation-state funded attacks, cyber-terrorism, and hactivism, I’d also ask you to look at some of the things our legislatures have been proposing in the name of cybersecurity. This includes early efforts to protect critical industry sectors our energy grid or banking systems against cyberattack, and requirements that we move beyond passwords when we access Web sites where we perform transactions or access personal data. As all these initiatives come with costs, none have universal support. But some cybersecurity proposals have generated more controversy than others, including: like the SOPA and PIPA bills that coddled the media industry by conflating digital piracy with cybersecurity and whose proposed remedies would have create a regime of censorship, or the federal development and control of a so-called “Internet Kill Switch“.
There will continue to be a lot going on here legislatively, and anything that changes the government’s role in the Internet will affect you as well. So let’s make also do our job as responsible, informed citizens. Let’s make October National Cybersecurity Policy Awareness Month. Let’s get educated, and involved.
New reports tying the Stuxnet worm to the US government has many people asking questions. What exactly is a cyberattack? Does conducting a cyberattack have the same implications as a physical military attack? Is the US waging an undeclared war on Iran in the same way that a bombing of its nuclear facilities would have done? Is this the new face of warfare and defense?
And now there’s the recent discovery of the Flame virus. We seem to be entering an era where military and diplomatic goals are increasingly embracing the Internet and cyber tools as a vehicle with which to achieve.
One of the big challenges in understanding all this is the lack of agreed upon definitions and principles. We may refer to this attack as cyber-sabotage, while Iran may refer to it as cyber-war or even cyber-terrorism. The Flame virus would be best categorized as cyber-espionage. Without terminology that is clear and agreed upon, the classification of this action is left to be determined by the rhetoric of politicians driven by their own political goals.
There are far more disconcerting implications and considerations if the US is to conduct state-sponsored initiatives in cyberspace.
- Collateral damage: these viruses could ‘get loose’ and inflict unintended damage. We saw this with Stuxnet in 2010, as it hit more than its intended Iranian targets because of a “programming error” (by the way: it was a “programming error” that caused all the damage arising from the Morris Worm as well, for those who remember that little event in computer history)
- Re-purposing and reuse: With cyber-attacks, the targeted opponents will have access to the code that was used. This is like handing the enemy the schematics for every weapon you use against them. With the code, an opponent can replicate the malware and modify it to their own needs. The only additional ‘raw material’ being programmer talent.
- Deniability: Military personnel are clearly identifiable, and armaments all have traceable points of origin. Not so with cyberattacks. We’ve already seen this in the US, where we think past attacks came from China or North Korea, but we can’t be sure. As the US starts to employ such tools, we increase our own ability to deny our actions; war becomes a clandestine affair, which is often at odds with our democratic principles.
Paradoxically, the proponents of building up US cybersecurity defenses will suffer a setback with the US now admitting its role in Stuxnet. These proponents – many of whom are in the military or defense contractor business – had taken up Stuxnet as their cause celebre and chief argument for extending the reach of DHS, NSA, and other federal authorities into our businesses and personal lives. But the government and the cybersecurity industry can’t go clamoring for more funding to defend against a boogeyman of their own creation.
In a few days, the world will ring in the New Year with renewed hope for a bright future. Predictions are being made about what 2012 will bring, and unfortunately instead of focusing on the positive, many of them are bleak. One that stands out is the prediction that the world will cease to exist on December 21, 2012 (according to the Mayan Long Calendar.) Thankfully, that one has been debunked – but we’ll see…
Here at AVAST, we are confident that we’ll have another great year protecting millions of happy internet surfers from all the nasties out there, but here are some educated predictions about what CyberThreats 2012 has in store for us, and how you can stay protected. Read more…