Saturday, May 25, 2013

Destroying freedom in order to save it

Only a little while ago, ASIC gave the keys of a backhoe to an institutional Baldrick, whose cunning plan cut the metaphorical cable of 1,200 Websites.

It was a denial-of-service attack that would probably earn a script kiddie some jail time, but meanwhile, the “cyberwar” doom-army would still have governments curtail the Internet.

What stirred me is this piece of drivel in The Australian.

Written by Centre for Independent Studies director, ex-banker, company director and thriller author John M Green, it purports to lay out the horrifying future of cyber-warfare.

From the headline on, it makes for a great episode of “spot the bollocks”.

“The cyber-enemy we're not seeing” – Bollocks. Define “cyber-enemy”. Define “we”. Define “seeing”.

“Today, a lone cyber-terrorist can launch global havoc from anywhere, a bedroom, a beach, even a carpark, provided they have phone signal.” – Bollocks.

To “launch global havoc” would at least require someone with access to vulnerability and malware markets, money to pay for botnets, other people's knowledge and skills, and so on.

Also, it has nothing to do with Green's purported thesis about the insider threat.

“Spanish police arrested a Dutchman they claim launched the biggest cyber-attack in history. From where? His mobile-equipped campervan.” – Bollocks.

The “biggest ever” tag was PR from CloudFlare (“we defeated the biggest attack!” style claims), and that bit of spin is being repeated by the police because it improves their case.

Because Green's only qualification in this space is to write a thriller about it – which he's currently promoting, hardly a coincidence in the context of the article – he bolsters his position with this quote from ASIO boss David Irvine:

“A single malicious algorithm could switch off our lights, stop all planes flying, disrupt whole countries' financial networks, or shutdown their electricity grids”.

Bollocks, bollocks, bollocks. Mr Irvine is ring-fencing his budget – and it's odd to see a CIS director playing along with “protect my spending” while it's willing to slash and burn everything actually useful the government does.

I won't unpick everything that Mr Irvine said, but here are some points.

First, electricity – the grids that are nearly national, all connected not by the Internet, but by private fibre owned by every electricity authority in the country. There is no single, unwatched, unmanaged Internet off-switch for the electricity grid: even if an attacker found his way from (say) TransGrid's Web page to a control room, the control room is manned.

So: someone issues a shut-down instruction for the grid, and nobody in any control room notices, or if they do, they yell “It's a cyber-attack! Forget the hospitals, run for your lives!”


Or the “planes will stop flying” argument (its origin being Richard Clarke, who always has a book to sell).

Do you think Airservices Australia connects the Mount Boyce radar station to the Sydney control towers via the Internet? As in “Darn, we can't see QF 11 heavy any more, some kid in Toongabbie must be Torrenting Game of Thrones”?

“Though he wasn't, he could have been reading a thriller about this, one like mine, The Trusted. Fiction can be fluff, an entertainment, but it can also be an amber light, in this case flashing how woefully underprepared we are.”

The Australian is running this because Mr Green has a book promo happening.

“Take Matthew Trevor Flannery, a support technician at a Sydney cybersecurity consulting firm, who police arrested last month for allegedly defacing a local council website, and who reportedly claimed he was leader of global hacker movement LulzSec.” – Bollocks.

Note that Flannery's “insider status” was separate from the crime he's accused of committing (the entirely global-hacker-worthy act of vandalising Narrabri Shire Council), and that his acclaimed status with LulzSec is already looking threadbare.

Note also that you need no special skills to copy secret files and carry them out of a building on a USB key, or e-mail them to yourself. That's not about “cyber attacks”, it's about trust and access to information.

Then there's this closing book promo:

“It's hardly mere fiction to imagine a handful of environmentalists out of all the millions, so disgusted by global inaction that they plan their own direct action: to save the planet by destroying its pillaging economic system using the best tools available, cyber terror. Positioning themselves carefully and quietly, as the Cambridge Five did so successfully. Working among us, looking like us, trying to be us. Until they're ready to strike and destroy our way of life, by turning technology against itself, and us.”

(Actually, it was "mere fiction" - another book promo for Green).

Note that he leaps gleefully back from his warnings about insiders to “global cyber terror” (terror? Bollocks) wrought by activists.

What I find frightening is this: that so many people are willing to encourage not security, safety or knowledge, but dependent ignorance.

That dependent ignorance includes, in no particular order: 

* Governments working to criminalise the way technology works (really – stepping through URLs instead of clicking on links routinely gets described as “hacking” even though it's how HTML works)

* Police exaggerating minor incidents into major attacks

* Companies exaggerating the scale and cost of Internet security breaches

* Arrests and convictions over trivial social media jokes

The end-game of this is less freedom of speech, more snooping, more censorship, license-to-blog, and an Internet presided over by a scowling inquisitor, scourge in hand, waiting to ask the extraordinary question.


Update: I've been accused of ignoring Stuxnet, which damaged nuclear centrifuges in Iran in 2010, and therefore I'm wrong.

Stuxnet rather reinforces my point, I believe, for the following reasons:

1. It was aimed at a particular target (Siemens controllers in Iranian centrifuges)

2. It's believed to have been delivered to the centrifuges on USB memory keys rather than over the Internet

Taking down a country's entire electricity grid is a far more complex task than that attempted by Stuxnet.
