Only a little while ago, ASIC gave the
keys of a backhoe to an institutional Baldrick, whose cunning plan
cut the metaphorical cable of 1,200 Websites.
It was a denial-of-service attack that
would probably earn a script kiddie some jail time, but meanwhile,
the “cyberwar” doom-army would still have governments curtail the
Internet.
What stirred me is this piece of drivel
in The Australian.
Written by Centre for Independent
Studies director, ex-banker, company director and thriller author
John M Green, it purports to lay out the horrifying future of
cyber-warfare.
From the headline on, it makes for a
great episode of “spot the bollocks”.
“The cyber-enemy we're not seeing”
– Bollocks. Define “cyber-enemy”. Define “we”. Define
“seeing”.
“Today, a lone cyber-terrorist can
launch global havoc from anywhere, a bedroom, a beach, even a
carpark, provided they have phone signal.” – Bollocks.
To “launch global havoc” would at
least require someone with access to vulnerability and malware
markets, money to pay for botnets, other people's knowledge and
skills, and so on.
Also, it has nothing to do with Green's purported thesis about the insider threat.
“Spanish police
arrested a Dutchman they claim launched the biggest cyber-attack in
history. From where? His mobile-equipped campervan.” – Bollocks.
The “biggest
ever” tag was PR from CloudFlare (“we defeated the biggest
attack!” style claims), and that bit of spin is being repeated by
the police because it improves their case.
Because Green's
only qualification in this space is to write a thriller about it –
which he's currently promoting, hardly a coincidence in the context
of the article – he bolsters his position with this quote from ASIO
boss David Irvine:
“A single
malicious algorithm could switch off our lights, stop all planes
flying, disrupt whole countries' financial networks, or shutdown
their electricity grids”.
Bollocks,
bollocks, bollocks. Mr Irvine is ring-fencing his budget – and it's
odd to see a CIS director playing along with “protect my spending”
while it's willing to slash and burn everything actually useful
the government does.
I won't unpick everything that Mr Irvine said, but here are some points.
First,
electricity – the grids that are nearly national, all connected not
by the Internet, but by private
fibre owned by every electricity authority in the country. There is
no single, unwatched, unmanaged Internet off-switch for the
electricity grid: even if an attacker found his way from (say)
TransGrid's Web page to a control room, the control room is manned.
So:
someone issues a shut-down instruction for the grid, and nobody in
any control room notices, or if they do, they yell “It's a
cyber-attack! Forget the hospitals, run for your lives!”
Pfui.
Or the “planes will stop flying” argument (its origin being Richard Clarke, who always has a book to sell).
Do
you think Airservices Australia connects the Mount Boyce radar
station to the Sydney control towers via the Internet? As in “Darn,
we can't see QF 11 heavy any more, some kid in Toongabbie must be
Torrenting Game of Thrones”?
“Though
he wasn't, he could have been reading a thriller about this, one like
mine, The Trusted.
Fiction can be fluff, an entertainment, but it can also be an amber
light, in this case flashing how woefully underprepared we are.”
The Australian is running this because Mr Green has a book promo happening.
“Take
Matthew Trevor Flannery, a support technician at a Sydney
cybersecurity consulting firm, who police arrested last month for
allegedly defacing a local council website, and who reportedly
claimed he was leader of global hacker movement LulzSec.” –
Bollocks.
Note
that Flannery's “insider status” was separate
from the crime he's accused of committing (the entirely
global-hacker-worthy act of vandalising Narrabri Shire Council), and that his acclaimed status with LulzSec is already looking threadbare.
Note
also that you need no special skills to copy secret files and carry
them out of a building on a USB key, or e-mail them to yourself.
That's not about “cyber attacks”, it's about trust and access to
information.
Then
there's this closing book promo:
“It's
hardly mere fiction to imagine a handful of environmentalists out of
all the millions, so disgusted by global inaction that they plan
their own direct action: to save the planet by destroying its
pillaging economic system using the best tools available, cyber
terror. Positioning themselves carefully and quietly, as the
Cambridge Five did so successfully. Working among us, looking like
us, trying to be us. Until they're ready to strike and destroy our
way of life, by turning technology against itself, and us.”
(Actually, it was "mere fiction" - another book promo for Green).
Note that he leaps gleefully back from his warnings about insiders to “global cyber terror” (terror? Bollocks) wrought by activists.
What
I find frightening is this: that so many people are willing to
encourage not security, safety or knowledge, but dependent ignorance.
That dependent ignorance includes, in no particular order:
* Governments working to criminalise the way technology works (really – stepping through URLs instead of clicking on links routinely gets described as “hacking” even though it's how HTML works)
* Police exaggerating minor incidents into major attacks
* Companies exaggerating the scale and cost of Internet security breaches
* Arrests and convictions over trivial social media jokes
The end-game of this is less freedom of speech, more snooping, more censorship, license-to-blog, and an Internet presided over by a scowling inquisitor, scourge in hand, waiting to ask the extraordinary question.
Bollocks.
Update: I've been accused of ignoring Stuxnet, which damaged nuclear centrifuges in Iran in 2010, and therefore I'm wrong.
Stuxnet rather reinforces my point, I believe, for the following reasons:
1. It targeted a particular target (Siemens controllers in Iranian centrifuges)
2. It's believed to have been delivered to the centrifuges on USB memory keys rather than over the Internet
Taking down a country's entire electricity grid is a far more complex task than that attempted by Stuxnet.