Cybercrime
'much bigger than al Qaeda'
Does that mean that we are at war with cyberterrorists?
6/8/2012 3:16:00 PM by Antone Gonsalves
It is unlikely that Americans will ever again see commercial
jets crashing into skyscrapers, piloted by terrorists. But Department of Homeland Security (DHS) Secretary Janet Napolitano
believes that malicious computer code generated by groups like al Qaeda is
just as big a threat to the security and stability of the nation.
Does that mean that we are at war with cyberterrorists?
Napolitano doesn't go that far -- she uses the term "cybercrime,"
as do a number of cybersecurity experts.
Still, the damage worldwide is headed toward a half-trillion
dollars a year. Napolitano, in a speech May 30 to business leaders and
government officials, said that besides "al Qaeda and al Qaeda-related
groups," cybercrime is, "the greatest threat and actual activity
that we have seen aimed at the west and at the United States. Unfortunately,
it is a growth arena."
"Our cybersecurity as a country is inextricably linked to
our economic capability," she said. "The systems we use are interdependent,
interconnected and critical to daily life in the United States.
Communication, travel, powering our homes, running our banking systems --
these are all interconnected systems."
Napolitano cited a study by Symantec's Norton that estimated
the cost of cybercrime worldwide at $388 billion -- more than the global
market for heroin, cocaine and marijuana combined, and said, "I think
those are conservative numbers, based on the things that come into DHS."
But the U.S. is not just on the defensive. Napolitano's speech
came just two days before The
New York Times, citing anonymous sources in the Obama administration,
reported that the
president had secretly ordered the use of the Stuxnet worm to attack the
computers that run Iran's main nuclear enrichment facilities. The
Times reported that this was in collaboration with Israel, and was the
continuation of a program code-named Olympic Games, started under President
George W. Bush. The attack is estimated to have set back the Iranian nuclear
program by as much as two years.
Attacking another nation-state's potential military capability
may sound like an act of war to some. Joel Harding, a former military
intelligence officer and now a communication and public diplomacy information
operations expert and consultant, wrote in a blog post shortly after The
Times' story, "It's official. The United States of America was the first
to use an atomic bomb against an enemy and now the United States is the first
to have acknowledged using a cyber weapon against another country. We are now
certified bad guys to the rest of the world."
"To whoever leaked the information from the Obama
administration, for whatever purpose, you have now doomed the United States
to a terrible legacy forever," he wrote.
David Jeffers, writing for PCWorld,
called malware such as Flame "the Internet equivalent of biological
warfare."
But Harding told CSO he does not think this means the U.S. has
started a cyberwar. "There will never be a pure cyberwar in my
opinion," he said. "There will be operations in cyberspace but they
will always be in support of other actions. By itself warfare in cyberspace
cannot conquer an enemy. The effects will normally be temporary and probably
not physical in nature."
Still, he said the admission taints the U.S. in the eyes of
the rest of the world. "It is a challenge to maintain a high moral
position if we are the first to acknowledge the use of such a weapon,"
he said.
Other security experts also say that "war" is the
wrong term. Bruce Schneier, chief security technology officer at BT and an
author, said that "throughout history, the definition of a 'major war'
has involved casualties in the hundreds of thousands. That means dead
people."
Marc Zwillinger, of the Washington, D.C. law firm ZwillGen and
a specialist in cyber conflict, calls them "cyberattacks," and said
he doubts the U.S. was the first nation to use them. "Our government,
government contractors, and ISPs have been pummeled for years," he said.
Whatever the semantics, there is unanimous agreement that the
attacks are doing enormous damage.
"Cybercrime is a really big deal," Schneier said.
"Much bigger than al Qaeda, which has basically been a fairy scare story
since 9/11."
Zwillinger said: "It's something to take very seriously.
It's not that hard to undermine our economy and cause lasting effects. How
long was the Facebook trading glitch that is being blamed for a lot of
uncertainty and panic in the trading of one stock?"
"United States corporations lose billions of dollars in
research to cybercrime and espionage every year," Harding said.
"Now imagine these efforts [aimed at] national security products. Not
only do we lose intellectual property and de facto our investment dollars,
but we may have a national security problem."
Another problem with cyberweapons, as a number of articles
have pointed out since the discovery of the Flame virus in the Middle East
(an espionage tool mainly targeting Iran) and the revelations about Stuxnet,
is that they can boomerang, unlike bullets or bombs. Richard Lardner reports
for The Associated Press that "a cyberweapon that spreads across the
Internet may circle back accidentally to infect computers it was never
supposed to target. It's one of the unusual challenges facing the programmers
who build such weapons, and presidents who must decide when to launch
them."
Finally, whether it is cybercrime, cyberattacks or cyberwar,
the U.S. seems woefully unprepared for it at some levels. The Washington
Post's Robert O'Harrow wrote earlier this week of stunning vulnerabilities in
U.S. infrastructure. He profiled programmer John Matherly, now 28, who as a
teen developed a search engine he called Shodan, and by 2009 discovered
"an astonishing fact: Uncounted numbers of industrial control computers,
the systems that automate such things as water plants and power grids, were
linked in, and in some cases they were wide open to exploitation by even
moderately talented hackers."
"Over the past two years, Shodan has gathered data on
nearly 100 million devices, recording their exact locations and the software
systems that run them. 'Expose online devices,' the Web site says. 'Webcams.
Routers. Power Plants. iPhones. Wind Turbines. Refrigerators. VoIP
Phones,'" O'Harrow wrote.
The story also told of a 22-year-old hacker from somewhere
overseas who was able to hack a Siemens S7 controller and gain control of a
water plant serving 16,000 people in South Houston.
Harding said he doesn't know the status of most critical
infrastructure. But he said he's "certain that many, if not most are not
fully updated, do not have adequate monitoring or protections, have
inadequate contingency plans and are unnecessarily exposed to the Internet,
and are therefore vulnerable."
"It is too expensive to unhook completely from the
Internet, but that decision must be accompanied by diligent efforts to
mitigate any vulnerabilities," he said.
Zwillinger said, however, that most nation-states will likely
limit their attacks because they still fear the military might of the U.S.
"While our critical infrastructure is vulnerable, would-be attackers are
hesitant to launch a full scale attack knowing that the U.S. would respond,
'using all instruments of national power,'" Zwillinger said, citing a
line from Securing Cyberspace for the 44th Presidency, a report by the Center
for Strategic and International Studies.