Shared publicly  - 
1
1
Alex Scoble's profile photoPaul Eubanks's profile photoBrad Chasenore's profile photo
16 comments
 
Umm, not at all nonsense, but thanks for commenting. Although I'm not sure that you read the post.
 
Yup, read all of it.  Complete nonsense.  
 
Come on, +Paul Eubanks, You can't just say that something is nonsense and walk away and expect to be taken seriously. Why is this nonsense?
 
Sorry, I didn't see your posts.  

Let's start with the tltle: "Forget about the bomb, the real danger is cyber warfare"

There's no plausible use of any communications network currently that could have a greater impact on the citizens of a country than full-on nuclear engagement.  Not even close.  

"One of the most dangerous things that our government is doing right now is the collection of unknown open computer vulnerabilities"

Dangerous?  That wholly depends what they're being used for, doesn't it?

"Cyber weapons... "

Cyber weapons?  Really?  I think you mean malicious code. Something meant to make a computer do something it wasn't intended to do.  Please quit using non-sensical terms like "Cyber" when what you really mean is computer network.  

"...can be launched from anywhere in the world with very low cost,"

Very low cost?  Compared to what?  

"are difficult to determine who constructed or launched them"

Difficult for whom?  Attribution is super easy as long as you have access to sufficient computing resources.  

"and can do significant damage to our infrastructure."

Again, compared to tactical engagement, not even close.  

"When we opened the gates to their use as a weapon of war with STUXNET and Operation Olympic Games, we in effect sent all of our troops out to battle without leaving anyone to defend the homeland."

What does this even mean?  You're trying to draw comparisons between deploying malicious code and deploying physical troops?  That analogy doesn't hold up for many reasons which I'm sure you're sharp enough to understand.  

"A much more effective strategy would have been to work with software developers to get those vulnerabilities closed and to make sure that our sensitive and critical computer systems were well defended against these types of attacks."

You're assuming our infrastructure is vulnerable to the same sort of operations?  Why?

"We denied Iran from getting the bomb for a while and instead gave them a brand new weapon that is far riskier to us because of the ease of which it can be used and the inability to attribute attacks to the real aggressors that launch them."

Again, NOTHING is more risky to us than Iran's possession of a nuclear weapon.  Certainly not malicious code which we understood well.  And again, you assume people are unable to attribute attacks, why?  If an attribution isn't made, it's usually due to diplomatic reasons, not technical reasons.  
 
Risk = Likelihood * Damage. The risk of anyone using a nuclear weapon against us is low to nil because of the deterrent effect of our arsenal. Use one against us and you are wiped off the map. Unless you believe that the Iranian regime is a bunch of crazies willing to commit suicide, which I do not. Sure the damage caused by a nuke is high, but risk is the calculus of both of those things.

The likelihood of countries like Iran using cyber warfare against us is 100%. They are already doing it. Ask the banks how much damage has been done because of the recent denial of service attacks done that are suspected to be the work of Iran. At least one event has happened via a suspected gas pipeline attacks causing explosion http://news.cnet.com/8301-1009_3-57429617-83/u.s-warns-of-cyberattacks-on-gas-pipeline-companies/ The threat here is real.

We are vulnerable to whatever unpatched vulnerabilities are out there. Our SCADA systems use the same technologies (Siemens, Windows, Linux, etc.) that the Iranians or anyone else uses and these systems are increasingly being connected to the internet.

What did I mean about sending troops to battle without leaving anyone home to guard the gates? We have performed a sophisticated attack that is tantamount to an act of war without ensuring that our defenses are capable of stopping  the same kind of attack. We have no one guarding the gates. We are extremely vulnerable. This isn't hyperbole.

When nation states attack each other through the use of computer systems on the internet, cyber warfare and cyber attacks are perfectly reasonable and logical terms to use.

The nature of IP based systems are such that you cannot with certainty determine who's in control of a particular botnet at a particular time and certainly not enough for us to perform a physical military response. These attacks can be done from anywhere in the world with nothing more than an internet connection and a computer.

Attackers do not have to have huge armies to have skin in the game. We all know what a few smart, resourceful and motivate people can accomplish in the computing space. Compare this to the massive amounts of scientists, technical people, logistics and equipment you need to even begin to have a nuclear program. Cyber warfare is indeed cheap compared to the cost of other kinds of combat.

In summary, what I wrote is the exact opposite of nonsense.
 
Ah but your title wasn't "The real RISK is Cyberwarfare".  Your title was "The real DANGER is Cyberwarefare"

"We have performed a sophisticated attack that is tantamount to an act of war without ensuring that our defenses are capable of stopping  the same kind of attack."

Why do you make this assumption?

"When nation states attack each other through the use of computer systems on the internet"

Attack each other?  Since when are you able to shoot someone in the face over the Internet?  You can monkey with infrastructure, sure, but I contend you can not cause people physical harm via the Internet.  Sure you hear the DoD making doomsday scenarios of trail derailments and traffic signal tampering and power grid explosions, but anyone familiar enough with how those systems work know this is complete fear mongering and nothing more.  

"The nature of IP based systems are such that you cannot with certainty determine who's in control of a particular botnet at a particular time and certainly not enough for us to perform a physical military response"

This is the nature of IP based systems, eh?  LOL!

"In summary, what I wrote is the exact opposite of nonsense."

To anyone who has a fundamental lack of understanding in the field of information security, sure . 

"cyber warfare and cyber attacks are perfectly reasonable and logical terms to use."

/facepalm  Okay if you insist on using non-sensical terms like Cyber-this and Cyber-that I have nothing further to contribute to this discussion.  
 
I don't know what you do for a living, +Paul Eubanks, but I hope it has nothing to do with IT security.
 
I can tell you off thread. If you'd like. I think you'll be quite surprised
 
I'd be quite dismayed, rather. If you think that you can attribute attacks performed from the internet with any degree of certainty, you have no business being involved with computer security.

What you wrote is complete nonsense. Have a nice day.
 
So you're not interested in what I do for a living anymore? :p
 
I disagree with Bruce schneier quite often actually. So what? He's a decent enough cryptographer, but his views on policy are usually misguided. 
Add a comment...