2012: the Year of Cyberwar that wasn't
- — 21 December, 2012 15:40
It was going to be the year of cyberwar, we were told on the eve of 2012. We've seen plenty of scary news stories since about dangerous nation-state actors, usually without naming them. But I reckon we've now got the focus wrong.
That's not to say there weren't real and significant incidents involving nation-state actors. We do need to pay attention. But we seem to be giving less attention than we should to the everyday but massively-growing organised criminal activity.
Now it's easy to see why the cyberwar stuff got the media coverage. We already know the protagonists in this drama. Western nations good, China and Iran bad, Russia somewhere in the middle these days. It's Cold War 2.0, and we've all seen the movie.
So when we learned mid-year that the Flame worm had been running loose in data networks in the Middle East, possibly for years, without being detected and the Jolly Russian's firm wheeled out a malware analyst who told us breathlessly that Flame was 20 times the size of Stuxnet -- well, even commercial TV knew how to play it.
But surely Flame is just one of many digital espionage tools, an evolution in technology even if the news coverage was revolutionary.
The most significant event in my eyes came in August: the attack against Saudi Aramco, Saudi Arabia's oil company, that wiped the master boot records of 30,000 computers. SANS Institute director of research Alan Paller used this, as well as Stuxnet, to argue that cyberwar is already happening.
"This is real damage. That's the same kind of problem you'd have if you hit it with a bomb. Not literally, but close enough, in terms of the amount of rebuilding you have to do," Paller told a meeting of security professionals in Sydney in October.
Saudi Aramco faced a major rebuilding job, as presumably did Iran after Stuxnet's efforts. But it's borderline to call this cyberwar, or any other kind of war. Espionage, in the case of Flame. Sabotage, in the case of Stuxnet and Saudi Aramco. But it ain't war until someone gets hurt.
Dr Thomas Rid, reader in war studies at King's College London and author of the book "Cyber War Will Not Take Place", would agree.
"There has never been a casualty, there's never been significant damage that would compare with a conventional act of war. Because of that lack of physical impact so far, I think the term 'cyberwar' has still somewhat of a metaphorical quality. It's more like the War on Obesity or the War on Drugs," Rid told me in April.
The only new thing about all this is that it's now happening online. Specific techniques may be changing, but nation states have been doing secret weird stuff to each other, well, forever.
But talk of war, whether real or metaphorical, loosens government pursestrings. The military-industrial complex is well connected, and its process for maintaining its multi-billion-dollar budgets is well rehearsed. I think it's safe to assume we're just watching the latest episode.
Meanwhile crime is moving online. While the true scale of cybercrime is uncertain, crimes are happening right here, right now. Surely we need to deal with this clear and present danger first, while still maintaining a watching brief on the supposed cybergeddon?
My thoughts were echoed by Paul Ducklin, Asia Pacific head of technology for Sophos, on a certain podcast this week.
"We need to stop using terms like cyberwar and cyberterrorism and concentrate on using the term cyber-criminality," Ducklin said.
"It's almost as if that [criminal] has become a word that doesn't matter. 'Oh, that's just the common or garden everyday stuff.' Well, these guys are taking millions, tens of millions, hundreds of millions of dollars, fifty bucks at a time. I call that pretty draining on the economy, and I think that's where we need to be focusing our collective efforts."
The Romanian gang busted last month by the Australian Federal Police is a prime example.
"They only were able to abuse 30,000 cards, apparently, before they got busted. But they were able to pillage about a thousand dollars on average from each one. That's one cybergang doing one bit of cybercrookery getting away with $30 million if you don't mind," Ducklin said.
Maybe the Romanian operation was disproportionately large. Certainly cybercrime is being over-hyped in some quarters. But the crime is real, it's growing in scale, and the bad guys are getting smarter.
Maybe it's time for the men and women in blue to get just some of the resources that might otherwise be going to fight the cyberwar.
Of course the distinction between cyberwar and cybercrime makes little practical difference to information security workers outside the military. Defending the network is the job, no matter what the attackers' motives. How well have we been doing there? I'll turn to that question on Monday.