SPECIAL REPORT: Bruce Schneier on the future of IT security

11 Nov 2010

A security guru has debunked cyber war and cyber terrorism myths.

The threats of cyber war and cyber terrorism have been grossly exaggerated and are hindering a real understanding of risks on the internet, one of the world’s leading information security experts has said. Bruce Schneier, the author and security technologist who is also chief security technology officer with BT, was speaking in Dublin yesterday at an event held by the Irish Institute for European Affairs (IIEA).

Schneier referred to the denial of service attack in Latvia in 2007, which brought down several government services for a time, and said it was most likely the first such cyber war attack against a state. However, he pointed out that just one person was convicted – an ethnic Russian living in Latvia who was apparently angered by the authorities’ decision to remove some statues dating from the Communist era.

“It could well be that the first cyber war was perpetuated by an annoyed, disaffected youth,” said Schneier. From a technical point of view, the incident was no different to a regular cyber crime tactic. “Estonia was a regular denial of service attack – it just happened to be against a country instead of Amazon.”

Similar attacks took place against systems in Georgia the following year, just before Russian forces invaded, but Schneier warned against opting for obvious conclusions. “We don’t know if it was government sanctioned or just activists playing politics,” he said.

Even technology security experts can’t agree on what constitutes cyber war, he said. “One of the problems we have is there is no good definition of what war looks like in cyber space … we don’t know when it starts or what a war looks like when it’s over.” Schneier posited that it’s a rhetorical war, like the war on crime or the war on terror, and remarked on the irony that the term is quickly applied to situations where no war exists, and not where it does. “It’s dangerous to apply the term war without knowing what’s going on.”

Schneier was similarly sceptical about the term cyber terrorism, calling it a media myth. Attacking the Stock Exchange or a mobile phone network does not put people’s lives at risk and would not spread the mass panic that a real terrorist attack would, he said. “I don’t like the term terrorism applied in places where it doesn’t belong.”

“There’s a lot of politics in cyber war, and this is where we have to watch language,” he added. “Using the war metaphor reinforces the notion that we are helpless. It’s immediately evocative. If I say ‘cyber war’ to a politician, he’ll get it. The message will be wrong, but he’ll get it.”

The Stuxnet worm

Schneier turned his attention to the Stuxnet worm, the subject of much security industry speculation since its discovery earlier this year. A combination of multiple threats, it is malicious and designed to attack a certain type of industrial control system, which led to speculation that it may have been targeting a power plant or nuclear facility in Iran.

Experts estimate that several years went into writing the code and it attacks previously unknown vulnerabilities. “We do know that Stuxnet is not a criminal worm because criminal worms try to steal money,” said Schneier. “The people who designed this knew what they were doing.” However, he said that, for all Stuxnet’s detailed design, it would probably do nothing. “Is this an act of war? If indeed the result was sabotage of a nuclear power plant, in the real world that would probably be an act of war, but we don’t know who wrote it,” said Schneier.

Absent a motive and identity, it’s hard to police cyber attacks under any kind of legal framework, he added. “The two things we don’t know are who’s attacking and why.” Discovering the real origin of attacks is difficult, which leaves the issue of reprisal completely open to question, said Schneier. “Cyber attacks don’t come with a return address. If a group wants to frame Russia (for an attack), this isn’t hard. You never know when your trace ends. I can trace attacks back to computers, but the link from computer to chair is very difficult.”

Cyber war treaties

The fact that the US has a cyber command is a good idea, and Schneier encouraged more debate around the issue. “Now is the time to think of cyber war treaties. The last thing we want is a cyber war arms race,” he said. While he claimed not to have answers for all the questions, he said they were worth asking in the context of a broad discussion on the subject. A cyber war treaty might include agreements that no civilians are to be targeted in any action between rival states. “Is it OK to create official Trojans and keep them in your back pocket until there’s a cyber war? It’s like stockpiling weapons,” he added.

Similarly, Schneier welcomed the kind of cyber war incident response test conducted this week by the EU. “It’s a good idea. The US does this all the time. There’s nothing bad in practising, simulating and training.”

Discussing these issues without resorting to hype makes sense because they will become increasingly relevant, said Schneier. “As more of our lives, economy and infrastructure move into cyber space, cyber space becomes a more attractive target. While the hype doesn’t serve us well, we should start talking about these things, we should start knowing what cyber war and cyber peace is so we can have less of one and more of the other.”

At the same time as the recent domestic unrest in Greece, some hacking was spotted in that country. The nature of the web means activism is amplified, even if it is only carried out by one person. Schneier likened it to the assassination of Archduke Ferdinand – the act of a single individual was the catalyst that pushed Europe into the First World War. “Cyberspace is a place where a disaffected person can magnify their message,” he said.

“I think the real threat is cyber crime and that is what we should be concerned about,” he said, calling on all nation states to be prepared for cyber attacks, whatever form they may take. “Every country needs some kind of CERT (computer emergency response team), and some kind of police investigative powers.”

Gordon Smith was a contributor to Silicon Republic
