Friend of the blog Patrick sends this article discussing a national exercise called "Cyber Shock" which postulated the effect of a cyber-attack on the United States. He commented about the parallel that the participants made with the WMD threat.
In a post-event discussion moderated by CNN’s Wolf Blitzer, the participants broke out of their roles to discuss the lessons learned during the exercise. Former Secretary of Homeland Security Michael Chertoff, who chaired the simulated National Security Council, said cyber-terrorism “ought to be treated as a threat of sufficient seriousness that we give it the priority attention we’ve given weapons of mass destruction.” Cyber-terrorism is “more complicated by the fact that it involves every individual. Anybody who has a smart phone, who downloads an app or gets on their PC is engaged in this process.”
“A useful aspect of something like this simulation is it helps people visualize what is realistic and possible in some circumstances. The smart thing is to prepare now, to do the legislation now, to do the bipartisan work now, to do the intelligence work now, the foreign policy work,” said John McLaughlin, playing the role of Director of National Intelligence. “These are all very complicated things and we need to get started on them.”
I find it somewhat amusing that Chertoff suggests we ought to treat cyber-terrorism as seriously as we do WMD terrorism. DHS's record on preparing for WMD terrorism is really not that good. Since we don't really pay that much attention to WMDs other than counting the number of nukes that we own and that others own and how to use arms control to limit those numbers, I'm kind of hoping that we would pay more attention to cyber-security issues than WMD terrorism. Tim Stevens at Kings of War comments as to the cybersecurity-as-national-security drama that the Beltway pundits play this issue up as.
The results of the simulation – that the US is unprepared for a major sci-fi cyber scenario – were never in doubt. If such a televised exercise were carried out in the UK it would be interpreted as a very political attempt to exert pressure on the administration and critiqued on that basis, as would its War of the Worlds tone, replete with Wolf Blitzer moderating the action from the White House National Security Council control room. I don’t think non-US viewers can see the program online from CNN but YouTube is your friend, and it can also be seen in full here. Oddly, it was accompanied by a banner saying, “This Program Is A Simulated Exercise”. Surely, that should be “This Program Is About A Simulated Exercise”?
All this is to say that cybersecurity as an element of national security and a subject of political concern seem to be playing out very differently in the US and its main European ally. Whereas the UK is cautious in projecting concern into the public domain, some elements of the US hierarchy seem very determined to make this a public issue of the highest priority. The discourse is different, and is being mediated in starkly contrasting manner.
Fellow blogger George Smith has tracked the sensationalism over cyber-attacks for some time. The terms "cybersecurity" and "combating WMD" are routinely abused and exaggerated to suit people's agendas and political platforms. They're complex issues, and ought to be seriously addressed, but because real national security issues have the stage - like dealing with the Middle East, developing new nuclear weapons, addressing Chinese military expansion, little things - these people overplay the threat to get some attention. It's pretty pathetic, but it's the circus that is the military-industrial-political complex.
UPDATE: Also see George Smith's latest post addressing this "Cyber Shock" story.
The only thing that's needed to prevent cyber-attacks is more robust computing systems. On another note, I wonder how long it will be before strike anywhere matches are considered WMD's.
Posted by: AndroidBoy | 24 February 2010 at 10:24 AM
The real worry about cyberwar is the complete lack of knowledge we possess about our own capabilities and defenses. In many ways a cyberwar between two nations is analogous to a boxing match between two blind figthers: neither knows what their opponent's capabilities are until it's too late and fight is well underway. When you add in the possibility of non-state actors and criminals to the mix, strategic and tactical defense becomes a nightmare. The best anyone can realistically do is to secure their own networks and systems and have backup plans for the failure of any external dependencies.
The reality is while the tools for such attacks are widely available and impossible to police, there is little desire to perform such large scale attacks. Hostile nations don't want to reveal their capabilities by attacking and won't do so unless really necessary. The greatest threat from cyberattacks today is from passive information collection, as seen in the recent attacks against Google and others.
Posted by: Leper | 24 February 2010 at 06:38 PM
The BEST part is it'll happen in March b/c of the NCAA madness that month from all the idiots with smartphones downloading an app to track their brackets. Then that virus will infect all their other contacts and get everyone, so then you won't be able to use your cell phone. God forbid. Then somehow it'll jump, b/c of course you'll need to sync your phone with your PC to track your brackets and it'll get to the internet that way, and then the land lines are next and then no one will be able to call anyone. Jesus. I hate it when my phone rings now, this attack would be great. I can't believe no one actually thinks to put out a message saying open your phone and remove your battery and do a hard reset. Dumbassess...
Posted by: NVH | 24 February 2010 at 10:03 PM