Security experts push back at 'Cyber Pearl Harbor' warning

The nation's top national security leaders have convinced President Obama and much of the leadership in Congress that the U.S. is at risk of a "Cyber Pearl Harbor" or "Digital 9/11" if it does not take drastic measures to improve both defensive and offensive cybersecurity capabilities against hostile nation states.

But those leaders, Defense (DoD) Secretary Leon Panetta and Homeland Security (DHS) Secretary Janet Napolitano, have not convinced every expert in the cybersecurity community, and there is now increasingly vocal push-back from some of them.

Critics argue that not only is the threat of a catastrophic cyberattack greatly exaggerated, but that the best way to guard against the multiple risks they agree do exist is not with better firewalls or offensive strikes against potential attackers, but to "build security in" to the control systems that run the nation's critical infrastructure.

Bruce Schneier, author, Chief Technology Security Officer at BT and frequently described as a security "guru," has not backed off of his contention made at a debate two years ago that the cyber war threat "has been greatly exaggerated." He said that while a major attack would be disruptive, it would not even be close to an existential threat to the U.S.

"This [damage] is at the margins," he said, adding that even using the term "war" is just a, "neat way of phrasing it to get people's attention. The threats and vulnerabilities are real, but they are not war threats."


Gary McGraw, CTO of Cigital, recently argued that while existing control systems are "riddled with security vulnerabilities" since they are outdated and were not designed with security in mind, trying to protect them with a preemptive attack against a perceived threat would be both dangerous and fruitless.

McGraw, who has been preaching the "build-security-in" mantra for years, is highly skeptical of claims that government is now much better at "attribution" -- knowing exactly who launched an attack.

"If they have solved it, they need to tell us hard-core security people how they did it, because we don't really believe them," he said, noting that a major retaliation against a party that didn't launch an attack could be more catastrophic than the initial attack. "Proactive defense," by eliminating the vulnerabilities in the control systems, is a much better approach, McGraw argues.

Besides the attribution problem, McGraw wrote that cyber-offense capabilities of an adversary are unlikely to be knocked out by an attack. Quoting estimates from Ralph Langner, the security consultant credited with cracking the Stuxnet malware, he said that while it takes $90 billion to develop a nuclear submarine fleet, a cyberweapons program aimed at hardened military targets would cost more like $1 billion. And a single-use attack against critical infrastructure might cost as little as $5 million, he said.

Creating such "cyber-rocks," he said, is cheap. "Buying a cyber-rock is even cheaper since zero-day attacks exist on the open market for sale to the highest bidder."

So, it makes no sense to, "unleash the cyber-rocks from inside of our glass houses since everyone can or will have cyber-rocks," he wrote.

Besides Schneier and McGraw, Jacob Olcott, principal at Good Harbor Consulting and past counsel and lead negotiator on comprehensive cybersecurity legislation to Sen. Jay Rockefeller (D-WVa.), pointed to a paper he authored in May that "suggests that owners and operators of critical infrastructure can achieve long-term cost savings and significantly reduce cyber risk by adopting secure development."

Why isn't that concept more persuasive to national security leaders in Washington?

Schneier has said for years, and said again this week, that cyberattack threats are "being grossly exaggerated for a reason" and "about money and power."

"There is an enormous amount of money in government contracts, and the real money is in scaring people," he said.

McGraw said that military leaders "are interested in offensive stuff because they think like the war fighters they are." In his paper, he contends that offense is sexier than defense.

"One of the problems to overcome is that exploits are sexy and engineering is, well, not so sexy," he wrote. "I've experienced this first hand with my own books. The black hat 'bad-guy' books, such as 'Exploiting Software' outsell the white hat 'good-guy' books like 'Software Security' by a ratio of 3:1."

But Joel Harding, a retired military intelligence officer and information operations expert, said it may also be because not everybody in the security community agrees with the anti-offense view. "There is a giant chorus of cybersecurity experts clamoring for attention. It's a cacophony of opinions," he said. But he disagrees that defense alone is enough to defeat or even block an attacker.

"By its very nature, a zero-day exploit uses a vulnerability otherwise not defended against," he said. "Until we have artificial intelligence that predicts the nature and type of future attacks and offers ways to block them, a defense is at risk." But he does agree that attribution remains imperfect.

Olcott said the good news is that his and other voices are being heard in government. He points to a "Build Security In" page on the DHS website that advocates for building secure software, and even includes a citation of Schneier.

But Schneier said as long as "war" is the operative description, the hyperbole will continue and the response will be less effective. "When you use a war metaphor, a certain type of solution presents itself," he said, "while a police metaphor brings a different type of solution."

"Right now the dialogue is dominated by the DoD and the spooks," McGraw said. "If you think about security as your hands, the security engineering finger might be your right pinky -- it's big enough to be a finger, but not a huge part of cybersecurity."

"What we really need to do is revisit security engineering," he said.
