Trade Law Daily is a service of Warren Communications News.

Danger from Cyberthreats Wildly Overstated, Experts Say

President Barack Obama’s new cybersecurity plan met with more indifference than criticism from security experts speaking at the Computers, Freedom and Privacy conference in Washington Wednesday. Cybersecurity threats in general are wildly overstated or portrayed as malevolent acts when some of the best-known incidents have come through accidents or simple security holes, they said. The first director of the National Cyber Security Division at the Department of Homeland Security, Amit Yoran, largely stayed quiet in the midst of a chaotic debate among speakers and audience members. But he agreed Obama’s recent cybersecurity rhetoric was, in some places, over the top.

There’s “irrefutable evidence” that cyberattacks are a national security threat, said Yoran, now CEO of network-monitoring company NetWitness. He pointed to a breach of contractor computers holding information on the design of the U.S. Joint Strike Fighter, a matter also being investigated by the House Oversight Committee (WID April 23 p5). But that information was unclassified and couldn’t be used to take over the plane in flight, said Kevin Poulsen, senior editor at Wired News. Yoran said such a breach could become “much more significant” as planes increasingly use “general purpose,” interconnected computer systems. A next-generation Boeing jet’s control and entertainment systems were found to be using the same network, and “I have a high degree of confidence that other flaws don’t exist,” he said sarcastically.

“This is how you get all sorts of very ridiculous security measures, because we're imagining things that aren’t true,” said Bruce Schneier, chief security technology officer for BT and a popular author. Despite media hype today, such threats are likely in the next two decades when vastly more information is available online and critical infrastructure relies more heavily on the Internet, he said. There’s a definitional problem between “attack” and “exploitation,” two distinct types of incident that the media always “conflates,” said Herb Lin, chief scientist at the National Research Council’s Computer Science and Telecommunication Board. “We don’t consider spies in the United States to be an attack on the United States,” so officials “on the inside” find it helpful to publicly describe under-the-radar intrusions as “attacks,” he said.

Even if governments can settle on the laws of war in cyberspace -- such as the application of the Universal Declaration of Human Rights -- the anonymity of cyberattacks makes it difficult to definitively end cyberwars, Lin said. Referring to the fictional country in the Dilbert comic strip, Lin said: “How is Elbonia going to know that we've stopped attacking them in cyberspace?” The shooting down of a U.S. plane in China in 2001 led to a war between “patriotic hackers” in each country, he said. The only person identified in alleged Russian cyberattacks on Estonia was a disaffected Russian immigrant in Estonia, which “makes it a little bit of a scary world,” Schneier said. Chinese hackers seem to be “working in the national interest, not on the national payroll, but with the tacit approval to pass on whatever they find” to the government.

Asked to weigh in on Obama’s remark Friday that “a few keystrokes” could cause terror on the same level as suicide bombers, Schneier quipped: “Are you allowed to use macros?” Though the speech generally was good, “I actually winced when he said that,” raising the specter of as-yet theoretical “cyberterrorism.” If an associate of Osama bin Laden suggested a cyberattack against U.S. communications infrastructure, bin Laden “would slap the guy,” Schneier said. The kind of attack likely to create real terror -- the cyberversion of the sniper that plagued the Washington region for a few weeks in 2002 -- can’t be stopped by government efforts, Lin said.

Though a terrorist himself couldn’t create such damage so easily, “imagine coopting other people’s work in a way that can be very, very damaging,” such as breaking into a military command-and-control system, Lin said. “I don’t have very much confidence in the way software is created.” Yoran said cyberterrorism is unlikely in the “near future” because it doesn’t have the same impact as “the blood and the guts” of physical terrorist attacks. But experts shouldn’t play down the “significant impact on the world economy” that could arise from bad actors’ access to a “limited number of points,” he said.

Obama also was faulted for his example of thousands of military computers infected by malware last year, requiring troops and personnel to give up their thumb drives. Poulsen said the vulnerability came from Windows’ auto-run feature, which can be easily turned off or disabled by holding the “shift” key. “Do you believe that turning off auto-run would solve the cybersecurity problems of the United States?” Lin answered sharply. Yoran noted an exploit that can get around the disabled auto-run feature. Attackers have “the patience, the time, the expertise to still get in the systems that matter most.”

All agreed President George W. Bush’s legacy of classification had made it difficult to evaluate policy options -- “counterproductive,” in Yoran’s words. The government is refusing a Wired News FOIA request for documents on malware recently reported to be sitting on parts of the electric grid, and grid owners have expressed bafflement at the claim, Poulsen said. It could amount to nothing more than the Storm worm sitting on an office computer at a utility, he said.

Government proposals to fix security so far amount to “big money for Northrop Grumman,” said Chris Soghoian, a student fellow at Harvard University’s Berkman Center, meaning lavish defense contracts. A more concrete way to stop malware from spreading across the government is for federal Web sites to block requests from users of outdated, buggy browsers, he said. “All of the things the government could do would be largely useless against the kind of threats that would impact national security,” Yoran countered. Funds would be well spent on more R&D that addresses the core problem of computers -- “non-determinism,” he said.