Opinion, Berkeley Blogs

Keeping the Cyber-Peace

By Stephen Maurer

I recently heard a well-known computer scientist complain that Cyber War is the “real WMD” and that America needs to spend less money on nuclear weapons defense. I don’t want to take a cheap shot here, but it’s also true that people who spend weeks on end filling out grant applications are apt to say silly things. How seriously should non-computer scientists (a.k.a. taxpayers) take this threat?

To start with, I’ve never heard anyone claim that Cyber War can inflict casualties on a nuclear scale. But in truth, I don’t insist on that.  I’d be happy to know whether it qualifies as War on any scale at all.

I suppose it’s obvious that the answer depends on how you define the word “War.” But that doesn’t make the question empty or uninformative. At least, it doesn’t if you limit the discussion to analytically useful definitions. So how do you define War? When the Bush Administration announced its “Global War on Terror” or “GWOT,” plenty of people ridiculed the idea by pointing out that you’d never know when such a “War” was over. “Not true,” the Bushies replied, “GWOT will end when law enforcement can handle terrorism without the Pentagon’s help.” In other words, problems only become “Wars” when you run out of reasonable alternatives to calling in the military.

The dirty secret is that “Cyber War” has a hard time meeting this standard.  Consider, for example, the concept’s  current poster child – Russia’s 2008 attack on Georgia. The defense industry headlines couldn’t have been clearer: “Cyber War is Official,” Aviation Week smirked (Sept. 14 2009). The picture got blurry fast, though, for readers who expected to see stories of power grids going dark and air defense computers crashing. No, what readers actually saw were reports of “patriotic hackers” (= civilian amateurs or mobilized criminals) doing the same Cyber Crimes that the world’s IT managers see every day. Even the War’s most spectacular claim – That British Petroleum had stopped using Georgian pipelines because “[o]ccupation of ports and railroad lines coupled with cyber-attacks soon made all of the Georgian pipelines seem unreliable” Id. (emphasis supplied) – seemed underwhelming. I can understand why BP would get nervous when the Russians occupied Georgian ports and rail lines. But just what, exactly, did Cyber War add to that scenario?

Of course, I realize that knocking down a well-known story doesn’t prove much. In particular, I can’t prove that Cyber War is absolutely impossible. But in truth, I shouldn’t have to. The evidence, after all, is always incomplete – and yet, we still have to make judgments. Can we say anything more systematic about Cyber War’s plausibility?

Start with what we already know about Cyber Crime.  Today, there seem to be two basic strategies: (1) Send out automated viruses that damage things haphazardly across the Web, and (2) Mount focused, human programmer campaigns to break into specific computer systems. How likely are states like North Korea or China or Russia to boost these attacks from today’s massive-but-manageable levels (“Cyber Crime”) to something noticeably bigger and nastier (Cyber War”)?

Consider virus attacks first.  By far the most likely way to improve attacks is to hire human teams to find new and better software vulnerabilities in, say, Windows or Apple or LINUX. But spotting bugs is a “many eyeballs” problem so it’s reasonable to wonder how large these teams would have to be.  After all, the world already has thousands of Cyber Criminals and Cyber Vandals looking for bugs.  So if North Korea (or China or Russia) want to wage Cyber War, hiring a few dozen or even a few hundred would-be Cyber-Warriors won’t change the rate at which vulnerabilities are discovered by all that much.    Nothing is impossible, of course, but even for a State program that sounds like a lot of programmers.

(Actually, the argument may be stronger than that. Start with the observation that the world’s Cyber Criminals and Cyber Vandals almost always base new viruses on vulnerabilities that have been reversed engineered from Microsoft security patches. This suggests that Microsoft is much better at finding vulnerabilities than its enemies. And indeed, this seems sensible: After all, Microsoft receives millions of error reports from users every day. But in that case the number of eyeballs currently looking for vulnerabilities is enormously larger than the world’s population of Cyber Criminals and Cyber Vandals so that even State-funded searches become a drop in the ocean.)

Now think about the other Cyber-Crime strategy, hacking into specific, targeted computers. Once again, the question is whether State programs can plausibly mount qualitatively bigger efforts than thousands of Cyber Criminals and Cyber Vandals already do today. This seems unlikely for prominent targets like the banking system where there are already huge financial rewards for breaking into computers.  Admittedly, the argument is weaker for targets that Cyber Criminals care less about including, notoriously, the SCADA systems that drive the electric power grid. Still,  at least one recent survey suggests these systems are also attacked with great regularity. If so, they could be pretty tough also.

It seems to me that these ideas are useful precisely because they skip over the messy and incomplete details of how Cyber War is or could be done.  On the other hand, I do not claim to be an expert.  It could be that there are better arguments for worrying about Cyber War and that every computer science department in the country knows them.  If so, all I can say is that they ought to speak up.

It could also be that believing in Cyber War depends on knowing classified intelligence. Frankly, this argument troubles me much more. When critics argued that Ronald Reagan’s Star Wars proposals were physically impossible the man who invented “Trust but verify” didn’t ask them to take his word for it.  Instead, he promptly declassified the key technology insight behind the hydrogen bomb. It’s hard to imagine how any Cyber Secret could be comparably sensitive, let alone too dangerous to declassify.

Readers who have followed my arguments so far deserve a bottom line. Nothing I have said implies that Cyber Crime isn’t enormously costly and doesn’t hurt the economy. It does. And there’s no particular reason why the Defense Department shouldn’t fund Cyber Crime research to protect its own systems and everyone else’s. It should. But all of those things are already happening under the old “Cyber Crime” rubric. What troubles me about the new “Cyber War” phrase is that it smells like an escalation – and an expensive one at that.

Most of us love to hear how 17th Century Dutch got caught up in the Tulip Mania until otherwise sober businessmen invested everything they owned in bulbs. But in truth, the Age of Manias has never left us. Nor are modern academics immune. (Cf. Cold Fusion). All of which suggests that we should occasionally remind ourselves of the old Scottish verdict of “Not Proven.”

Cyber War could be every bit as urgent as its advocates claim. It’s just that I haven’t heard the case yet.

Note Added Three Months Later: You don’t win arguments in academic life by citing the speaker’s presumed authority (or lack thereof). The only things that count are logic and evidence. So really, readers should ignore how this blog intersects with a more recent interview in the March 4 number of WIRED magazine:

“Howard Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United States is caught up in a cyberwar that it is losing.

“’There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said.