On April 27 the New York Times published a blog in the 'Your Money' section (The PlayStation Breach: Why You Should Remain Calm, by Ann Carrns). What follows is my response. You can find the New York Times blog and my response at http://community.nytimes.com/comments/bucks.blogs.nytimes.com/2011/04/27/the-playstation-breach-why-you-should-remain-calm/?permid=20#comment20.
The 'don't worry be happy' message of Ms. Carrns absolutely misstates what the Sony PlayStation data breach represents. Given the state of cyber crime today, this data theft was the act of sophisticated cyber criminals motivated by greed, not bragging rights. And the magnitude of the breach -- and the fact that these types of thefts are becoming increasingly routine -- illustrates too that our current approach to 'securing' the Internet is not working. (My recent book, Creeping Failure: How We Broke the Internet and What We Can Do to Fix It (McClelland and Stewart, 2010), discusses both these observations in detail; what follows is the Cliff's Notes version.)
First, while over a decade ago it was not uncommon for the proverbial teenage hacker to break into a computer system for the bragging rights, those days are gone. Cyber crime and the associated cyber underworld are now big business, with multinational cartels like the Russian Business Network (its real name) competing for the top computer science graduates from top Eastern European universities. By all accounts cyber crime can be very lucrative, and it is a percentage game based on returns from small percentages of very large numbers. If 77 million accounts are stolen, then some of those cards are not going to be cancelled in time. Under US law the credit card holder's liability is limited, but someone will end up with the bill, or, stated differently, the cyber underworld will reap a gain. If one does the math, it turns out that a vanishingly small number of credit cards have to remain 'hot' for an attack like that against Sony PlayStation to be very, very profitable for the cyber criminal. And credit card numbers are not the only personal data that Sony's files contain -- all of which can be monetized by sophisticated criminals using flourishing cyber black markets.
This transmogrification of the 'lone hacker' into a sophisticated cyber underworld is one of the most obvious seismic shifts making the Internet increasingly unsafe. I have no idea where Ms Carrns hears that 'hackers in this type of situation are often looking for notoriety' but that statement runs counter to everything I know of what motivates data breaches today.
Second, the Sony data breach is just the latest example of the insecurity of cyber systems. Stuxnet illustrated that a computer worm can disable the physical operations of a sophisticated nuclear plant. WikiLeaks illustrated that amazingly large amounts of sensitive US Government data can be stolen by a single individual. And so on.
I like to think of the Internet today as being the cyber equivalent of the London that Charles Dickens described. The London of the 1840s was, like today's Internet, an incredibly vibrant environment, a phenomenal city of unimagined proportions driven and created by new technologies. It was also unsafe, filled with garbage, and lacking any police, uniform law enforcement, or effective government. In other words, just like today's Internet.
The Sony data breach is just the latest criminal escapade illustrating what happens in the cyber equivalent of Dickens' London.
After 1840 London invested in creating and building the institutional infrastructures and public incentives that we take for granted in today's First World cities -- sewers, police departments, public health, some form of unified and effective government.
The message of the Sony PlayStation theft is that we need to do the same for today's Internet.
I'm very critical of the sloppy way in which many of the discussions about 'cyber war' have presented the issue.
Read the report Cyber war and Cyber Power: Issues for NATO Doctrine that I wrote for the NATO Defence College at
I hope the following will help clarify the discussion:
1) For the US and Canada, their allies, and NATO, cyber war as the focus of concern is a misnomer; the real or potential use of cyber power by nations or terrorist groups should be the principal focus. Cyber war is just one outcome of the exercise of cyber power between nations.
To draw an analogy from naval thinking, since the writings of Alfred Mahan, sea power rather than naval war has been the preferred strategic frame of reference for the projection of state power on the oceans. Like 'naval war', cyber war conjures up legal, policy, military, and diplomatic considerations that inappropriately narrow the scope of relevant issues. Cyber space is better thought of as a new theater for states to exercise cyber power and not just to conduct cyber war.
In nuanced ways perhaps not yet seen, cyber power can involve both the projection of state power as well as the creative use of active defenses, all in concert with other military, diplomatic, information and economic tools. The projection of cyber power with both offensive and defensive elements must be a component of national and NATO security doctrine for the future.
2) In large-scale warfare it doesn't make much sense to launch disruptive cyber attacks without any 'kinetic' (bombs and bullets) accompaniment. In other words, I totally disagree with the scare-mongers who predict a full scale cyber war waged only with computers. Disruptive cyber attacks can destroy important data and disrupt communications, and perhaps seriously affect physical operations like transportation and the management of large scale networks like electric power. But even now major electric blackouts or communications systems failures are not unknown, and yet advanced countries manage to carry on. While the impact of cyber attacks may be hard to gauge in advance -- a consideration of concern to the attacker every bit as much as to those attacked -- the effect of disruptive cyber attack is to throw sand in the gears.
The November 2010 issue of Scientific American recommends reading Creeping Failure.
From the book's cover:
The Internet is often called a superhighway, but it may be more analogous to a city: an immense tangle of streets, highways, and interchanges, lined with homes and businesses, playgrounds and theatres. We may not physically live in this city, but most of us spend a lot of time there, and even pay rent and fees to hold property in it.
But the Internet is not a city of the 21st century. Jeffrey Hunker, an internationally known expert in cyber-security and counter-terrorism policy, argues that the Internet of today is, in many ways, equivalent to the burgeoning cities of the early Industrial Revolution: teeming with energy but also with new and previously unimagined dangers, and lacking the technical and political infrastructures to deal with these problems. In a world where change of our own making has led to unexpected consequences, why have we failed, at our own peril, to address these consequences?
Drawing on his own experience as a top expert in information security, Hunker sets out to answer this critical question in Creeping Failure. Hunker takes a close look at the "creeping failures" that have kept us in a state of cyber insecurity: how and why they happened, and most crucially, how they can be fixed. And he arrives at some stunning conclusions about the dramatic measures that we will need to accomplish this.
This groundbreaking book is an essential first step towards understanding the Internet in a larger context as we try to build a safer Internet "city." But it also raises issues that are relevant far outside the online realm: for example, how can we work together to create not just new policy, but new kinds of policy? Creeping Failure calls for nothing less than a basic rethinking of the Internet -- and of how we can solve problems together.