Few go so far as to suggest that governments’ dark warnings of the cyber threat are directly linked to and provoked by the cyber legislation proposals (such as the failed Cybersecurity Act in the US and the Communications Bill in the UK); but many hint at it. “That is a connection you can easily make in your head, but one that is difficult to prove in practice,” old-school hacker and graduate of L0pht Heavy Industries, Space Rogue, told Infosecurity earlier this year.
But now experts are getting closer to voicing that opinion. One long-term critic of exaggerated vocabulary is Bruce Schneier, who two years ago took part in a debate arguing that the cyber war threat has been grossly exaggerated. A new report in CSO Online says he has not changed his opinion. “Schneier has said for years, and said again this week, that cyberattack threats are ‘being grossly exaggerated for a reason’ and it’s ‘about money and power. There is an enormous amount of money in government contracts, and the real money is in scaring people,’ he said.”
The problem is that the cyber threat is real; the danger is that in overplaying it, government will be ignored. “The cybersecurity threat is very real,” Tal Be’ery, Imperva’s web security research team leader, told Infosecurity. “If you don’t believe it, you should ask the Iranian government about the damage that the Stuxnet malware inflicted on their centrifuges at the Natanz Fuel Enrichment Plant.”
He is particularly concerned about the Western world’s reliance on computerized systems to control its critical infrastructure. An attack on these requires little money, just knowledge and expertise. And such attacks, “unlike physical resources such as missiles and bombs, are very hard to track or restrain by treaties and regulations.”
Like Schneier in the US, Professor Ross Anderson of the Cambridge University Computer Laboratory is equally critical in the UK. While the infrastructure may be vulnerable, “I don't believe that GCHQ could do anything particularly useful about vulnerabilities in industrial control systems,” he told Infosecurity. “In the USA, where NIST has tried, their efforts have been counterproductive.”
Anderson goes further to hint at a cosy relationship between government and parts of the security industry. If it isn’t about legislation, it’s about Schneier’s aforementioned ‘money and power.’ “The huge overestimates of the costs of cybercrime that we've seen from Detica and the anti-virus vendors,” said Anderson, “are simply part of their marketing push to government, and governments bless them as they help intelligence agencies get more from their treasuries.”
Tal Be’ery agrees to an extent. “There’s a risk of using the media hype to get unnecessary funding for irrelevant projects and counteractions. Therefore, we should keep an eye on the government’s suggested solutions.” The difficulty faced by the likes of Leon Panetta is to accurately describe the threat without becoming the Peter who cried Wolf once too often. “Even if some of the solutions prove to be irrelevant or exaggerated, that does not mean that the threat itself is irrelevant or exaggerated,” adds Be’ery.