Sharon Nelson thinks a certain amount of Fear, Uncertainty and Doubt (FUD) is a good thing.
Nelson, an attorney and president of the information security, digital forensics and IT consulting firm Sensei Enterprises, knows she is taking something of a contrarian view. Most objective experts in the information security world view FUD as essentially part of a sales pitch: Scare the IT manager enough and they'll buy your security product.
They also tend to dismiss it as exaggeration in the analysis of recent revelations that the U.S. was behind not only the Stuxnet worm used to attack the Iranian nuclear program, but also the Flame espionage malware.
[Bill Brenner in Salted Hash: Flame: The importance vs. the hype]
Most security experts agree that cyberattacks are a major, costly problem, both for industry and government. But they say it is going overboard to call it a war. As Bruce Schneier, chief security technology officer at BT and author, told CSO last week, "Throughout history, the definition of a 'major war' has involved casualties in the hundreds of thousands. That means dead people."
But Nelson doesn't shy away from the term "cyberwarfare" or from FUD. On Sensei's Ride The Lightning blog, she contends, "The line between cyberwarfare and the real thing is a fine one -- one our enemies may not appreciate."
Nelson told CSO: "You can accomplish some of the same kinds of things in a cyberattack that you can in a conventional war -- you can take out water plants, transportation systems, communications."
She said it is silly to argue, as some have, that the U.S. won't be the target of a major attack because other nations still fear U.S. military power. "A lot of folks are prone to retaliate against the U.S.," Nelson said. "The Iranians are obviously furious with us. And there are lunatics, madmen and terrorists in the world -- what do they care about our military capability?"
So, where does the value of FUD fit in all that? If people are fearful and uncertain, what will that accomplish, other than a possible overreaction from panic?
Nelson said she does not advocate sowing panic. But she believes FUD -- especially doubt -- "may make people question things."
"You have to second-guess," Nelson said. "None of us believes that what we hear on TV is reality any more than a reality show is. If [people are concerned], then more questions will be asked, more investigations will be done."
She noted the vulnerabilities of U.S. systems, both private and public. "It wouldn't take a hell of a lot to do damage. Our SCADA (supervisory control and data acquisition) systems have been penetrated before."
And she cited a report last week in Business Insider, citing current and former intelligence sources, that said China has a "covert capability to remotely access communications technology sold to the United States and other Western countries and could 'disable a country's telecommunications infrastructure before a military engagement.'"
"We spent billions buying telecom equipment from them, and they can pull the plug anytime they want," Nelson said.
In her blog post, she argued: "I doubt that we know a fraction of what is really going on and I doubt if the politicians or military will tell us the truth. They never have before -- why now?"
Nelson said her biggest concern is that nobody yet understands the long-term consequences of cyber conflict. "When the atomic bomb was developed, only a few people saw the long-term consequences. This is really no different. We don't have a handle on it," she said.
The revelations about Stuxnet and Flame have left the U.S. "with a target on [its] forehead," she said. "It's realistic to think that the U.S. and China are going to go head-to-head at some point. The battleground will be in the electronic world, and I'm concerned that we may not be able to win -- the Chinese are very, very good."
She wrote in her blog post: "We have a pretty good system for protecting us from lunatics setting off nuclear weapons -- I fear our oversight of cyberwarfare is not nearly as sophisticated."