Friday, June 26, 2009

Evgeny Morozov on Cyber Myths

Evgeny Morozov of the Open Society Institute has an interesting essay in the Boston Review about myths in cyberspace. Specifically, he addresses the scaremongering and vague threat information that is used to get access to funding, fame or power.

He points out many official statements that exaggerate the threat from cyber terrorism and cyber war and asks the question: is there any evidence to back up these claims? No, at least not in the public realm. He also makes the point that the information about threats from the net is produced by intelligence/defence organizations and information security companies that benefit from the increased funding. I think he is right in the sense that there are very few facts available, so we are left with hypotheses and conjecture. Honestly, I am partly to blame, as I have presented similar worst-case scenarios at numerous conferences, in order to raise awareness of the topic.

He also touches on the foggy quagmire that is the international legal definition of cyber warfare and what, if anything, can and should be done if one breaks out. I think we will not have a clear answer on this in the near future, but at least the topic is also addressed by professionals.

In terms of how useful cyber attacks are for the military, Morozov refers to the opinion that superpowers do not need cyber power, as they have more conventional means to crush the enemy. While that may be true, the question of attribution once again comes up: who will the superpower nuke, if they cannot identify the source of the cyber attack?

On the other hand, his conclusion that we should focus more on the threats from cyber crime and cyber-espionage is correct. However, it is not correct because cyber war is improbable, but because the tools used in cyber war will be very similar to the ones used in crime and espionage. The same piece of malware can be used to steal your personal data, collect intelligence on your organization or to disrupt your networks in preparation for a war. Thus, better defense against crimeware will also mean better defense in war.

A comment on Estonia

Unfortunately, Morozov uses unclear wording that may suggest that Estonia was off-line for nearly a month in 2007. It would be more correct to say that Estonia was under attack for about three weeks in 2007, but only a few critical on-line services (like banks) were affected for clients inside Estonia. One of the options, a white-list based "island Estonia" defence, meant that the vast majority of the attacks could be easily blocked while maintaining service to the vast majority of the clients. As a result, clients of the two biggest banks in Estonia saw only a 45-90 minute interruption of service at the start of the attacks, and that only affected the web interface of the banks. What is worrying, however, is that these were critical "civilian" targets in a political conflict.

Sure, non-critical services (public government websites and news sites, for example) did suffer longer service outages due to cyber attacks (mostly simple DDoS), but in my opinion this was not a big issue for the state as a whole. The biggest effect would be a potential information blockade, as local news sites or press sites are off-line, but that can easily be remedied by using other means of communication to push the message out (remember, e-mail works, phones work, faxes work, radio and TV are still on air, and even the postman makes his rounds). I personally had no problems communicating with friends and colleagues abroad throughout the period.
