FiveBooks Interviews

Misha Glenny on Cyber Security

There's an unseen, mostly unacknowledged cyber war going on. The author of Dark Market tells us who's involved, how far it spreads and what could happen if we let it continue unchecked.

What is the most useful catch-all term for the sometimes ill-defined and often ill-understood issues we will be discussing today?

I think it has to go under the rubric of cyber security. This is, unsurprisingly, a very young area of study. The very interconnectedness of the web creates problems for cyber security, because the various types of malfeasance on the web are interconnected in ways which are not obvious but very important.

There are three basic types of malfeasance online. The first pillar is cyber crime, the most obvious of which is mass credit card fraud – credit card details stolen digitally. But cyber crime goes up to much higher endings than that, in which larger sums of money are stolen and much more sophisticated hacking work is required.

The second pillar is cyber industrial espionage, which is a good third of the bad stuff on the web but about which you will read virtually nothing. This is espionage perpetrated by firms who are trying to find out what their competitors’ latest design is or what their figures are. The reason why no one ever hears about it is that the companies which are victims of it – which is basically every company in the world – don’t like to advertise it, because it can have an immediate impact on their share price. They’re even reluctant to tell the police or any state authorities, although you are beginning to see legislation being introduced compelling companies to report cyber industrial espionage.

And the third pillar is cyber warfare, which is the state-to-state stuff. By cyber warfare we don’t mean conventional warfare enhanced by robotics or computers. We don’t mean battlefield robots. We don’t mean drones being driven over the Pakistan-Afghanistan border by a computer in Nevada. We do, however, mean someone managing to hack into the Pentagon systems controlling those drones, and sending them to fly over Moscow instead of north-western Peshawar. You have defensive cyber warfare – protecting your network systems – and offensive cyber warfare, which is penetrating the network systems of actual and potential opponents and then using that penetration to your advantage. In the horror scenarios, you turn off the air-traffic control system or the electricity system, and the sky falls on our heads.

So those are the three pillars. They’re usually controlled and managed by identifiable people. Cyber criminals and law enforcement in the first case; private sector and big security corporations in the second; and the military and cyber commands in the third. But then you have two sets of actors who migrate between these three areas. One is the hackers themselves – you need very specialised knowledge in order to do advanced hacking on the sort of scale that would make a significant impact – and the other is intelligence agents.

Intelligence agents have to go backwards and forwards to see what is going on. For example, if Google is attacked by addresses in China, then the NSA [US National Security Agency] will want to know whether that is Baidu [a Chinese internet company] or the PLA [the Chinese army] organising that. So you have three defined areas, but they are tangled up in an impenetrable ball. Even if you’re an advanced hacker or intelligence agent, migrating between these three areas is like playing seven-dimensional chess, and you’re never sure who you’re actually talking to.

Is it helpful to think of cyber war in the terms of conventional war, only in a different domain? Or you’ve called it a “cold war of the web”.

There is a fundamental difference between warfare in cyberspace and conventional warfare. The cold war aspect is more on the espionage end of cyber warfare. Let us look at the cold war itself. The US and its allies were able to count the Russian warheads, they knew the delivery systems, their capabilities, distance and range, and they knew exactly where they were. And the Russians knew exactly the same about the Americans, the French and the British. That made deterrence a real possibility. If you can come to an agreement that you won’t have first use, and you both share information about where your missiles are and what they can do, it means that the possibility of deterrence – even if it doesn’t work – is there.

The problem with cyber is that your assets are not the weapons that you control. Your assets are the vulnerabilities of your actual and potential enemies. In order to know your enemies’ vulnerabilities you have to find out where they are, and once you have got hold of them you cannot afford to let go. That means that long before we get to anything that might be identified as actual conflict, cyber warfare requires each side to establish themselves within the network systems of their potential opponents. And so deterrence is a very difficult thing to organise, because nobody wants to or can admit to penetrating the vulnerabilities of their opponents’ systems. The importance of espionage within the framework of cyber war is absolutely immense. The Americans talk a lot about Chinese offensive capability, but let us not forget that the United States has the most advanced offensive cyber capability in the world, and it uses it – it just doesn’t advertise the fact.

China has complained of being hit by thousands of cyber attacks from the US.

It is absolutely axiomatic that that is going on. If the United States were not probing the network systems of China, then it would be a dereliction of duty. Everyone has to be doing this, everyone is doing this, and even if they say that they’re not doing this, they are.

Who are the main players in this cold war?

The US is out there as number one, followed by China and Russia, very closely followed by Israel, which punches way above its weight. Then you have France, Britain and Germany coming up, and India and Brazil as well. So with the exception of Israel, it’s a relatively predictable hierarchy in terms of their offensive and defensive capabilities.

Let’s talk about your first selection, Cyber War by Richard A Clarke and Robert Knake.

There is an element in this book of getting caught up in “cybergeddon”, as I like to call it. They get obsessed by the idea that everything is going to collapse, that there is going to be some major attack – the digital Pearl Harbor that Bill Clinton first mentioned. It’s perfectly true that in the past 12 months we have seen an acceleration of offensive capabilities that is clearly aimed at the destruction of industrial infrastructural processes. The emergence of the Stuxnet virus showed that in particular. But a book like Cyber War, while not complete fantasy, overstates the case. It runs the risk of saying that everything is completely hopeless and there’s nothing we can do about it.

What’s good about it is that it is the articulation of the nightmare scenario that if we just sit back, and if we don’t pour huge amounts of resources into cyber defensive and offensive capability, then an effective cyber attack will be able to bring a society as networked as the United States down to a stone age level in about 10 days. There are lots of dramatic scenarios. Because Dick Clarke served successive presidents as a terrorism expert, he is very good at detailing what it’s like in the situation room when a cyber attack gets going. So it’s racily written, and it outlines what will happen if we don’t take measures to defend ourselves very quickly.

I don’t subscribe, however, to its assumption that we live in an entirely anarchic world, in which everyone is interested in bringing down everyone else. In particular, Dick Clarke alludes to the threat from China. But I think everyone who sees the Chinese-American relationship as a hostile one tends to forget that the two countries are entirely dependent on each other in economic terms. If the Chinese were to bring down the Americans, they would find very quickly that bankruptcy and much worse fates await them. And vice versa – the US is completely dependent on China. So there’s an absence of political perspective in the book. Nonetheless, it is a very good detection of just how serious the threat might be, if things were to deteriorate politically. And it is easy to read as well.

About Misha Glenny

Misha Glenny is a British journalist who specialises in southeastern Europe and global organised crime. In McMafia, he wrote that international organised crime could account for 20% of the world's GDP. His latest book, Dark Market, is about cyber crime.
