

The Threat of Cyberwar Has Been Grossly Exaggerated - yan
http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html

======
powrtoch
What I would really like is a "What you can do to help calm the hysteria"
post. If you understand what cybercrime attacks really are, you know that it's
ludicrous to suggest that we're "losing a war". But most people don't, and
those people are susceptible to this warmongering.

I can explain to my friends why a bunch of teenagers pinging my website too
many times is not comparable to a ground invasion of Pennsylvania. But even
though this might make them skeptical of the hysteria, it doesn't empower them
enough to fight against it. If Washington really is heading towards trying to
control the web, what exactly should we, those who know better than to go
along with this, be doing to combat it?

Somehow writing letters to my congressman just doesn't feel like really
getting things done.

~~~
sp332
Congress is using their current power to get more power. It's supposed to be
up to the executive branch (using veto etc.) and the legislative branch
(declaring a law unconstitutional etc.) to hold them back. But really, the
branches have an agreement to mutually increase their power instead of acting
in the best interests of the people they "serve." As far as I can see, there
isn't anyone left who's powerful enough to stand up to them.

~~~
tbrownaw
_legislative branch (declaring a law unconstitutional etc.)_

That would be the Judicial branch, the legislative branch is Congress.

~~~
sp332
d'oh

------
djb_hackernews
Try living in DC and listening to the radio. It's bad enough all of the ad
spots are targeted at government employees, but the amount of FUD is
incredible.

It's leaked into academic recruitment as well; I believe the University
of Maryland is advertising enrollment for some cyber security program they
run.

------
slapshot
Large-scale targeted cybercrime can cause chaos even without a "Die
Hard"-style "fire sale" that relies on bringing down infrastructure.

If random military families had their identities stolen, their bank accounts
drained, and their homes flooded with harassing calls (at best) or SWATing
attacks (at worst), you can bet that morale would suffer in the field. That's
a level of cyber-crime that relatively unskilled attackers could bring. Do the
same to any industry and you've done some damage. "Targeted crime" is a form
of warfare.

------
Pahalial
Foreign threats against national security exaggerated? Say it isn't so!

Of course, I'm glad Schneier is providing a sane counter-voice to all this
nonsense, but I am constantly amazed that it's even necessary. Everyone who
cares and/or matters in this 'debate' should understand the basic premise of
hyperbole being ridiculously common in any discussion of national security.

------
InclinedPlane
This may be so, but the threat of cyberwar has also been grossly
underappreciated.

Consider the state we live in today. Remote execution exploits that remain
unpatched for significant periods of time on the most popular operating
systems of the day are very common. Government authorities seem helpless to
stop relatively mundane acts such as leakage of secure data (identities,
financial data, etc.), maintenance of huge networks of "zombie" machines, use
of zombie networks in perpetrating denial of service attacks, etc.

Imagine a competent hostile foreign government with a well funded and talented
team of hackers putting every known technique into use. Doing research to
discover unpatched vulnerabilities. Taking control of massive botnets.
Exploiting numerous individual systems, using very sophisticated phishing and
social engineering techniques where necessary to gain useful confidential
information from individuals. Using that information to snowball into more
useful information. Carefully exploiting systems at major corporations to gain
access to sensitive data and systems.

Imagine what you could do with that if you were careful and executed a well
thought out plan well. Gain access to millions of email accounts without their
knowledge. Gain access to internet banking and stock trading. Transfer
billions of dollars out of the country before it can be stopped. Manipulate
stock prices and make a fortune. Crash the stock market and the entire stock
trading system by executing trades automatically on behalf of thousands or
millions of individuals without their knowledge. Destroy companies by causing
them irreparable damage. Sabotage an internet company's systems via
compromised internal systems, while botnets DDoS it from the outside. Or
simply execute huge numbers of automated orders, exhausting the company's
inventory. People end up with items shipped to them they don't want, the card
holders get the charges reversed as fraud, the company ends up with no
inventory and no revenue, for a lot of companies that could be a death blow.

It won't be the end of the world, it won't be a catastrophe on the scale of
hundreds or thousands of human deaths, but it could be an incredibly bad day
for a lot of people.

And this hardly touches the surface. What's _feasible_ and what's been done so
far are not the same. We are living in an era of false confidence due to
non-event feedback. It's only a matter of time before the right means and motive
come together, we can only hope that the result is only just barely bad enough
to kick us out of our complacency.

~~~
tbrownaw
...imagine if those "Microsoft-Spurned Researcher Collective" people had been
a wee bit angrier.

I wouldn't expect government-level resources to be particularly useful in
causing havoc -- stock-scammers and phishers and other spammers tend to do
just fine, and the only reason viruses/worms are less destructive than in the
DOS days is that people have better uses for them now (sending spam).

