Wednesday, July 7, 2010

Yes, Virginia, There is Cyberwar


I have been in security for 8 years.  Some of my friends say there is no such thing as cyberwar.  My manager says, "If you see it on the VRT Blog then it's so"  Please tell me the truth; is there cyberwar?

Virginia O'Hanlon.
115 West Ninety-Fifth Street.


Your friends are wrong.  They have been affected by the skepticism of a skeptical age.  They do not believe except what they see.  They think that nothing can be which is not comprehensible by their minds.  All minds, Virginia, are closed.

Yes, Virginia, there is cyberwar.  It exists as certainly as espionage, defacing and cybercrime exist, and you know that they abound and are a threat.  Alas!  Whenever there is a means for man to do ill to  his fellow man, that capability will be developed.

Not believe in Cyberwar!  You might as well not believe in enemies!  You might get your manager to hire people to watch all the inbound connections every day to catch the enemy, but even if they did not see them, what would that prove?  When they are at their best, nobody sees the enemy.  The most real and dangerous thing in the world are those that no one can see.  Did you ever see a keystroke logger on your system?  Probably not, but that's no proof that it is not there.  Nobody can conceive or imagine all the threats that are unseen and unseeable in the world.

Cyberwar is many things, Virginia, and sometimes we need to connect the dots to understand what is possible.  Have we ever been denied electricity by a foreign power?  No (we think).  But we know that networks can be penetrated, servers can be compromised and we even know that generators can be destroyed simply by instructions from control servers.  We also know that there are those who would seek to harm us.  So yes, Virginia, there is cyberwar.

But Virginia, an understanding that something is possible is not a license to let that thing dictate your life.  We need to recognize the threat, however unlikely, that cyberwar presents.  But not so that we can panic, cry and beg our leaders to give themselves more power.  Instead we need to understand the threat so we can improve our defenses and ensure that, if it were to occur, we would have a plan in place to deal with it.

We are right to look with skepticism when our leaders show us a problem and then present a solution that empowers them further.  We must never (again) allow our fear to weaken us to the point that we transfer all responsibility to our government.  A people without responsibility are a people without freedom.  Instead we must ensure that we all do our part, because if it comes to pass that a substantial cyber-attack does occur, we will all be responsible for helping to mitigate it.  But we must also hold our leaders in check; we must hold them accountable and ensure that they are prepared.  Yes, Virginia, it is a difficult balance, but it is one we must strike.

No cyberwar!  God, were that that was true.  It exists, and most likely will exist for as long as we are online.  A thousand years from now, Virginia, nay ten times ten thousand years from now, cyberwar will continue to be a threat.  But it is not a threat without checks and it is not an excuse for weakness and panic.


  1. Ironic that Schneier wrote this for CNN that was posted today.

    I think he is right. War is harsh language. It breeds fear and leads to quick actions without oversight which could ultimately be worse than the attacks themselves.

  2. Schneier makes good points..but he always makes at least *some* good points. Here's the thing: aspects of "cyberwar" are occurring on a regular basis and there is plenty of open source documentation available with proper research.

    I realize that governments in general do things that are against common sense and that some governments are more prone than others. However, does anyone *really* think the US government and defense industrial base would put so much money and effort into something that isn't at least happening in some way, shape, or form? Really?

    Cheers to VRT for stepping up with an opinion; as an expert in the area (with visibility into current activities) it means a lot.

  3. Along with the Schneier post, the following posts from Bejtlich are also interesting on "cyberwar":

    I agree with Scotty that "war" is a very harsh word with dangerous consequences from a policy stand point.

  4. "CyberWar" is certainly a carefully chosen word, but that boat has sailed. In the public discussion, cyberwar is the term in play. Arguing that "CyberWar" doesn't exist because I don't like that word is not a politically successful strategy.

    If it helps, read it as "cyber-attack that targets infrastructure to disrupt economic, public service or military operations". But when you talk to your congressmen, know that you need to say "Cyberwar".

    You know, like APT :(

  5. "But we know that networks can be penetrated, servers can be compromised and we even know that generators can be destroyed simply by instructions from control servers. "

    Hmmm, I know there are ponies. I know there are rainbows. I know there are mammals with horns.


  6. I stay away from semantics debates. Geeks love them though! You nailed it here. Very gutsy and kudos for telling it like it is, especially since the VRT team is in the front lines of battle.


  7. @Nigel: OK, I'm going to guess that you know that networks can be penetrated and servers perhaps you have an issue with the whole "generator" thing? If so, I'd recommend that you use whatever your favorite search engine is and look for "aurora generator test video".

    If I misinterpreted your post then my apologies.

  8. Mr. Schneier has a skill grown from being genuily interested and passionate with what he speaks about. A skill which seems to have gone amiss with more and more security 'experts'. Mostly since they've grown closer and closer to governemental institutions is my distant impression. It is a naturally grown ethic that grows both insight and oversight. Not just technical and statistical probabilities but also human and humain considerations. The latter being the great statistcal and tactical unkown.

    But of course, it makes one much more respected when you can scream war and terror. And actually say you have something going that could make a difference.

    'cmon, the general tone of this article is almost hilariously absurd, not only to laymen.

    Half of what an enemy actually is is in your own imagination. This whole industry is running on blackbox thinking supplemented with coffeetable ignorance. There are no concise, resource-rich reports available to the many grunts of Information Security. Just statistical blabla and hype for both good and bad.

    In my experience Companies really don't care to much about security. But also actually don't care for security as much as Security Experts would like them too. Or governements ?

    This level of debate is becomming polarized because of the usual suspects. Regretably i'd say. IT for a while did seem to be undiscovered country, it has since become urbanised rapidly. And now it is becomming more and more governed, with it bringing in the enemies as well.

  9. @J.L. Just in case some of this is cultural, (I notice you are from Belgium) and you said "the general tone of this article is almost hilariously absurd", I wanted to point out the format of the article (the tone) was because I chose to use a well-known newspaper column about Santa Claus:

    Beyond that, I'm not certain that I follow your argument. If you have any specific questions, please let me know.


Post a Comment

Note: Only a member of this blog may post a comment.