This has confirmed all my worries. Whenever the intelligence agencies and the politicians lobby for "cyber-bills" and such, and it's almost never about "protecting US against threats", but about "attacking others".
So on one hand they keep drumming up the fear mongering about other countries attacking us through "cyberspace" and that they need "these bills" to stop that, when in fact the bills, and the bigger budgets, are all about US attacking others, and basically committing acts of war against them (their words, not mine).
If the US is really afraid of "cyber-threats", then they really need to ramp up the defense at home, not offense, and keep as much of the critical infrastructure off the Internet as possible.
Oh, and these are a couple of funny posts about the politicians' abuse of the word "cyber":
Piggybacking off your comment: I am surprised, am I missing something? Given the US' and the West's rather serious vulnerability in this arena, escalating the use of cyber-"weapons" doesn't obviously seem the best idea.
(Stockpiling hacks and crypto nastiness is obviously a good idea, doing something about China's cyber-espionage makes sense, and increasingly sophisticated and well-funded hacking is probably unavoidable; but TTBOMK, the US has been the first to directly attack targets of major military significance, both in Iraq and in Iran.)
What is the logic here? That if the US simply doesn't invest in offensive security research, nobody else will? That the US is somehow escalating the information security crisis?
That would be a ridiculous point, unworthy of debate.
Nation states around the world owe their first allegiance to their own interests, and then to the interests of their long-term economic and geopolitical prospects, and then maybe to their people. Any allegiance owed to principled conduct in "cyberspace" is way, way down the list. Any rival of the United States has an advantage that can be prosecuted using offensive security research is assuredly already doing so.
I also take issue with your last sentence, with the idea that the US was the first state to directly engage foreign targets. Obviously, the words "of major military significance" gives your argument a lot of room to maneuver, but the overall effect of the argument as it stands is that the US is the only state pursuing any kind of meaningful offensive security effort. That's almost definitely not the case.
I'm also unclear as to why I should be particularly disturbed by the weaponization of IT. Let's stipulate for a moment that Stuxnet was a weapon intended to sabotage a covert Iranian nuclear weapons program. OK. And? What moral authority does Stuxnet lack that a laser-guided bomb dropped from a jet owns? Did Stuxnet kill anyone? To the extent the US military can accomplish objectives using technological countermeasures rather than explosive munitions, I call that progress.
> I also take issue with your last sentence, with the idea that the US was the first state to directly engage foreign targets. Obviously, the words "of major military significance" gives your argument a lot of room to maneuver, but the overall effect of the argument as it stands is that the US is the only state pursuing any kind of meaningful offensive security effort. That's almost definitely not the case.
Absolutely. The US was simply the first to cause actual physical damage to a high-profile target. Other nation states have focused their efforts on accessing sensitive information, a la Aurora. Occasionally these attacks make it into the news but, more often than not, they go undisclosed by the target and/or unreported by the media.
Is "Stuxnet represents yet another step towards greater weaponization of IT" really ridiculous? I'm not arguing that the US is the only driver of that trend, nor am I arguing that the US should not (offensively) defend its miriad interests; rather, our (everyone's) extreme vulnerability scares me (especially SCADA and such.) And Stuxnet does make it harder to gather wide opposition to any other nations found hacking.
I otherwise agree with everything you say, especially that cyberwarfare is (so far) pretty nice.
"it's almost never about "protecting US against threats", but about "attacking others""
I'd like to see your sources. I think you might be confusing bills like SOPA and CISPA as actual cyber bills. Most of the actual cyber bills I've read are for things like the US being able to lock down the security of the power grid b/c NSA really is that much better at it than your average sysadmin.
I work for one of the companies listed in this article as a "Cyber Security Engineer." I have 2 issues with this article. First, the vast majority of cyber security work is defence. I would guess the percentage of people working defence is 100x more than the number of people working offence. (And yet the people on offence always have the upper hand, but that is a different story.) Second, most of the hiring for offensive talent is at the Speculation phase. NSA doesn't really outsource much of its work on this kind of stuff. The contractors know that the demand will eventually ramp up but it hasn't yet. So most offensive guys at contractors spend their time doing Internal R&D to use as demos for the government. Some day NSA will ask for help, but it isn't today. When it does though the contractors are trying to be ready.
Unlike a standing army, the US could conceivably have a majority of the world's skilled hackers and crackers on their payroll (directly or indirectly.)
It also makes for good record keeping by "interviewing" talent.
So on one hand they keep drumming up the fear mongering about other countries attacking us through "cyberspace" and that they need "these bills" to stop that, when in fact the bills, and the bigger budgets, are all about US attacking others, and basically committing acts of war against them (their words, not mine).
If the US is really afraid of "cyber-threats", then they really need to ramp up the defense at home, not offense, and keep as much of the critical infrastructure off the Internet as possible.
Oh, and these are a couple of funny posts about the politicians' abuse of the word "cyber":
http://www.techdirt.com/articles/20120614/01590919314/cyberp...
http://www.techdirt.com/articles/20120615/03214619333/politi...