How The Defense Department And NSA Is Hyping Cyberwar To Better Spy On You

from the not-cool dept

We've discussed multiple times the massive unsubstantiated hype around the concept of "cyberwar", which mostly has been led by former government officials who are seriously cashing in on the hype. Yet, every time we mention this, we get people insisting that we just don't know the "real story" and the "threat" is really big. But we keep waiting for some evidence to support that theory.

Seymour Hersh, over at the New Yorker, who tends to be the most connected reporter around when it comes to getting the inside scoop on what's happening in the US military, has a (typically) long and worth-reading analysis of the whole "cyberwar" concept that effectively agrees with exactly what we've been saying all along: it's totally hyped up beyond reality, in an effort to build the reputations of a few people and to cash in on a trend. People on all sides of the issue seemed to point out to Hersh that "cyberwar" is blowing things out of proportion. There's plenty of espionage going on, but that's quite different (and a lot less sexy when it comes to trying to make money).

But what's even scarier than the people seeking to get money is the way the Defense Department has been using this to try to basically take control of the whole "cyber defense" aspect. Back in August, we discussed how there was this ongoing fight between the Defense Department (military) and Homeland Security (civilian) to manage the "cyber" threats, with the Defense Department basically using its experience in being incompetent to argue that it knows better.

And, as you look at the details, the Defense Department isn't just looking at "cyber defense," it keeps on making the argument that part of "cyber defense" is also "securing" private networks and usage. Jerry Brito, over at the Tech Liberation Front, just had a post questioning whether or not the military should have a role in civilian cybersecurity, and Hersh's long article gives plenty of reasons why it absolutely should not.

Multiple people note that one of the best ways to make various networks and systems more secure from espionage attacks is to increase (or even mandate) widespread encryption. That would certainly make things more difficult for espionage. But the NSA (part of the Defense Department) doesn't want that because that makes it much harder to spy on people. In fact, the very same NSA has been pushing the feds to put in place a mandatory backdoor to any encryption so that it can keep on spying.

But, of course, any such backdoor can (and absolutely will) be used by those trying to spy from elsewhere as well. So when you put the NSA in charge of "cyber security," it seems to focus on using that mandate to actually improve its ability to spy on everyone (including on domestic soil), rather than actually doing stuff related to actual "cyber security." We've had various pieces of similar stories over the past few months, but Hersh does a great job pulling it all together in a way that makes it pretty clear that this whole thing is a huge boondoggle for most of the players. The ex-gov't officials screaming "cyberwar" are making tons of cash, while the Defense Department and the NSA are using all that hype to gain more control over the internet and the ability to spy on people -- but not necessarily to make anyone more secure.


Reader Comments

  •
    Dark Helmet (profile), Oct 27th, 2010 @ 1:23pm

    Dear God...

    I love it when the real world news coincides with a book query I'm sending out to agents. I think maybe I'll include a link to this article in the query letter....

     

    •
      Anonymous Coward, Oct 27th, 2010 @ 1:52pm

      Re: Dear God...

      Darph Bobo? I thought I smelled Vaseline.

       

    •
      Derek Bredensteiner (profile), Oct 27th, 2010 @ 2:18pm

      Re: Dear God...

      I bet you'd sell more books and/or get more responses to your query if you were peddling the "sexy" (as Mike put it) concept of cyberwar threats and not the unsexy concept of typical boring collusion and profiteering.

       

      •
        Dark Helmet (profile), Oct 27th, 2010 @ 2:23pm

        Re: Re: Dear God...

        "I bet you'd sell more books and/or get more responses to your query if you were peddling the "sexy" (as Mike put it) concept of cyberwar threats and not the unsexy concept of typical boring collusion and profiteering."

        Actually, I kind of am, indirectly. The book is about the first ever true all-digital consciousness created by a defense contractor as the prototype for the future digital "soldier". Did a ton of research on Digital Philosophy Theory and the like for it....

         

        •
          Paul`, Oct 27th, 2010 @ 5:56pm

          Re: Re: Re: Dear God...

          We all know, like Dragons, that the first AI is going to be made by Disney under the guise of entertainment...

           

    •
      rabbit wise (profile), Oct 27th, 2010 @ 2:27pm

      Re: Dear God...

      pssst - off topic, sorry about marty but thanks for adam.

       

  •
    Show me the money!, Oct 27th, 2010 @ 2:09pm

    You say, "The ex-gov't officials screaming "cyberwar" are making tons of cash" and that you "keep waiting for some evidence to support that theory."

    What evidence do you have to support your theory? How are they making their "tons of cash?"

    I'm all for privacy, but it seems to me that we would all be better served if people would suggest a better solution to address any potential cyber threats, rather than simply bash the government's efforts to actually do something about it...

     

    •
      Dark Helmet (profile), Oct 27th, 2010 @ 2:21pm

      Re:

      "What evidence do you have to support your theory? How are they making their "tons of cash?""

      http://www.reuters.com/article/idUSTRE64O6V720100526?feedType=RSS&feedName=technology News&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A reuters%2FtechnologyNews %28News %2F US %2F Technology%29 --

      "Growing concern about cyber attacks is fueling a market valued at around $30 billion a year, prompting new investments by BAE and other defense companies that are keen to offset an expected flattening in spending on more traditional weapons."

      In other words, they've learned from their pharma friends. When profits from one threat begin to wane because that threat is no longer seen as a threat, manufacture another threat, with govt. or NGO help, and sell something for THAT....

      http://www.wired.com/dangerroom/2010/05/cyberwar-cassandras-get-400-million-in-conflict- cash/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A wired%2Findex %28Wired%3A Index 3 %28Top Stories 2%29%29 --

      "Back in February, for instance, former National Security Agency director and Booz Allen Hamilton executive vice president Mike McConnell declared that “the United States is fighting a cyber-war today, and we are losing.”"

      That same article details that Booz Allen, subsequent to those comments by an ex-govt. official, signed $400 million worth of "digital defense" contracts to add to its already staggering $2.7 billion bank of govt. work.

      ....is that enough, or do you need more?

       

    •
      rabbit wise (profile), Oct 27th, 2010 @ 2:22pm

      Re:

      The evidence is sitting in the office next to me...

      ...and his suit does not match ... and that's bothering me a lot right now. This is corporate america now, bud, at least turn on the light while you are getting dressed.

       

    •
      Anonymous Coward, Oct 27th, 2010 @ 2:37pm

      Re:

      "What evidence do you have to support your theory?"

      There was never a cyber attack that resulted in loss of life was there, can you cite one?

       

    •
      Anonymous Coward, Oct 28th, 2010 @ 3:46am

      Re:

      I'm all for privacy, but it seems to me that we would all be better served if people would suggest a better solution to address any potential cyber threats, rather than simply bash the government's efforts to actually do something about it...

      But privacy is security in a very real sense. You want solutions? Ok.... I'll give it a stab
      1. Encrypt everything
      2. Use intelligent multi-layered defenses based around Intrusion Detection and Intrusion Prevention throughout key points of the network
      3. Make sure these are algorithmic/holistic in nature rather than signature based to better stop zero-day exploits
      4. Make sure that you have a security plan that covers every device that may connect to your services be it mobile phone, memory stick, laptop or smart washing machine.
      4. Make sure everything is logged and audited, including changes to logging and auditing processes
      5. Make sure the physical security of access to your resources is considered and likewise monitored.
      6. And this one's really really important.... Make sure you consider the human element. Training and education to reduce social engineering attacks and plain stupidity.
      and of course 7. Don't let anyone governmental or otherwise deliberately put a hole in those defenses no matter what excuse they have

      Follow all that and you still won't stop every attack, but I guarantee you you'll be a damn sight better off than letting the government "handle" it.

      "Cyber war" could be done technically with lax security on many networks, but making it worse by centralising the vulnerability is hardly the answer. The things you'd be worried about being taken down aren't in government hands so education and encouragement of security improvement in a distributed way is what reduces the "threat", not hyperbole and posturing by politicians.

       

      •
        Anonymous Coward, Oct 28th, 2010 @ 4:06am

        Re: Re:

        holistic
        Pretty sure I meant Heuristic there.........

         

      •
        BearGriz72 (profile), Oct 28th, 2010 @ 4:59am

        Re: Re:

        AKA: Computer Security Best Practices -or- the stuff that every IT/CompSec Professional WANTS to do but is prevented from doing by governmental and/or managerial incompetence.

         

        •
          Anonymous Coward, Oct 28th, 2010 @ 5:30am

          Re: Re: Re:

          AKA: Computer Security Best Practices

          Yeah... it's not like I invented it solely for the purposes of answering a post :-)
          As I said it's number 6 that's the kicker..... the number of people who claim "security is someone else's department - nothing to do with me." is scary.
          That's probably why it's so tempting to let believe the Government can sort it out.

          Cut to: Larson Farside cartoon.... party full of sheep, dog at door. Caption, hostess sheep saying "Oh Vernon the party's a disaster, no-one knows whether to sit, stand, eat, drink... Oh thank God! Here comes the border collie"

          response: Further Larson cartoon... field full of sheep, 1 standing on hind legs front legs raised, a look of revelation, caption "Wait! We don't have to be sheep!"

           

  •
    Trails (profile), Oct 27th, 2010 @ 2:12pm

    Not just including domestic

    "it seems to focus on using that mandate to actually improve its ability to spy on everyone (including on domestic soil)"

    I would say that it's not just "including domestic spying", rather focused primarily on domestic soil.

    Foreign gov'ts and corps will simply not use flawed encryption tech, and develop their own sans "NSA ENTER HERE EVERYONE ELSE GO AWAY" backdoor.

    Hence, this opens domestic networks to everyone, including the NSA, but will have zero effect on foreign surveillance.

     

    •
      Anonymous Coward, Oct 29th, 2010 @ 5:25pm

      Re: Not just including domestic

      Many NGOs and small governments use AES for international communication. This includes NGOs like major drug cartels operating in our south of the border DoD and DoJ proving-grounds established by Bush Sr.'s war on drugs. Read the executive order if you like. Also more standardized encryption would likely be used by legitimate businesses globally when communicating outside their networks, like banks to clients. An independent and open encryption solution would solve this problem if it had proper market saturation, of course cooperation by Apple Inc., Microsoft and Google's Android would be required at minimum.

       

      •
        nasch (profile), Oct 30th, 2010 @ 9:09am

        Re: Re: Not just including domestic

        An independent and open encryption solution would solve this problem if it had proper market saturation

        TLS and SSL, the standard communication encryption protocols, use RSA, an open-source encryption algorithm. So we have that part solved at least.

        Also more standardized encryption would likely be used by legitimate businesses globally when communicating outside their networks, like banks to clients.

        Any bank that doesn't already use secure communication should be completely avoided.

         

      •
        Trails (profile), Nov 1st, 2010 @ 2:17pm

        Re: Re: Not just including domestic

        Wow, didn't realise my point would be missed.

        The only entities who will knowingly use encryption with a backdoor are entities who have no choice.

        The only entities the US Gov't can force the choice on are entities that exist within the US.

        Hence, if the US mandates this, it will have an effect on domestic surveillance, but none on foreign. Drug cartels south of the border, for example, will use encryption without a backdoor.

         

  •
    Anonymous Coward, Oct 28th, 2010 @ 12:26am

    Sounds like the real "cyberwar" is being waged by the government against the internet's anonymous nature. Fortunately, like the RIAA before them, they're too stupid to realize that the internet evolves in response to such threats.
    It's impossible for them to achieve the totalitarian control they're trying for. The best they can do is push people to start using VPNs, which would result in them getting even less intel.
    Of course, they're not going to sober up anytime soon. As such, let's look forward to watching over the coming months as they grasp at the shadow and lose the substance.

     

  •
    darryl, Oct 28th, 2010 @ 4:38am

    Again with the "there really is NO PROBLEM". trust me.. I'm Mike.. :)

    Yes, it's funny how Mike goes to so much effort to discredit other people's claims, but never provides his own facts or proof to support his 'argument'.

    "Sure, they are wrong, but I can't provide anything that shows I'm right".

    At least these groups are trying to work out who and how to work on this cyber security threat. Mike you just claim it does not exist !!.

    And if you think cyber security issues do not exist you are the LAST person who is qualified to comment on said security.

    You are in denial..

    NSA and HS are saying "there is a problem, it is clear, so what can we do about it to try to mitigate that problem".

    Mike says "You're stupid and wasting money, there is no problem, you're chasing shadows".

    And of course Mike has so much more skills, expertise and technical knowledge of these issues than the NSA or Homeland security.

    Of course to Mike, there are no legions of script kiddies and would-be hackers, botnets don't exist, and the .gov and .mil domains are not attacked hundreds of thousands of times a day.. There are no hacker conventions, and hacking "WELL IT REALLY IS NOT A PROBLEM".

    Great Mike, way to boost your 'reputation' as someone informed.

     

    •
      Anonymous Coward, Oct 28th, 2010 @ 5:44am

      Re: Again with the "there really is NO PROBLEM". trust me.. I'm Mike.. :)

      Not a surprising take on the article considering.... but also unsurprisingly a different interpretation exists.

      I read it as "Oh look. Government is hyping up a threat that's been there for years and decided suddenly to appear to 'Do Something About It', except that the actual aim seems to be something that can't possibly help and in fact will hinder the stated aim. But oddly the approach manages to raise lots of cash, fear, and give much more domestic control. Don't you think that's a bit dodgy?"

      Of course that would make the other interpretation pretty much a non-sequitur of a post so it'll probably turn out that I'm in DeNile too.... that's fine - I fancy Africa this time of year.

       

    •
      abc gum, Oct 28th, 2010 @ 6:00am

      Re: Again with the "there really is NO PROBLEM". trust me.. I'm Mike.. :)

      darryl claims a lack of factual material in the post, and then provides none himself - Brilliant!

       

  •
    maxnicks (profile), Oct 28th, 2010 @ 5:37am

    Facetious fortune cookie

    Facetious fortune cookie say, "You need not worry if you are not doing anything wrong."

     

    •
      Anonymous Coward, Oct 28th, 2010 @ 6:19am

      Re: Facetious fortune cookie

      Facetious fortune cookie say, "You need not worry if you are not doing anything wrong."

      Facetious indeed :-) Except in this case even that tired old platitude that you are correct will probably be trotted out isn't applicable.
      Even if I were dumb enough to accept it as a valid reason for violating privacy, in this case we're not just talking about privacy the government. I think I can 100% guarantee with no fear of being wrong that if a "backdoor" is engineered into every system "for the NSA", the NSA won't be the only ones walking through it. I may have "done no wrong" but what about the million other people you just let into my network? Do I have anything to fear from them?

       

  •
    BearGriz72 (profile), Oct 28th, 2010 @ 6:46am

    Oh Look it gets better the CIA is fighting the CyberWar too

    From our friends at /.
    "Launched by the CIA in 1999, In-Q-Tel's mission is to identify and partner with companies developing cutting-edge technologies that serve the national security interests of the United States. In-Q-Tel has invested an undisclosed sum in Silver Tail Systems, an emerging online fraud prevention and analytics company, an investment they say enables them to offer powerful technology companies in the U.S. intelligence Community and further protect the Nation's assets."
    From the linked Article: "Silver Tail Systems, a provider of fraud prevention solutions for Web sites, received solid validation of its products and business model this week. The company has entered into a strategic investment and development agreement with In-Q-Tel (IQT), the not-for-profit, venture capital arm of the CIA."

    HaHaHaHaHaHahahahahahaa.......

    Ok I'm done now.

     

  •
    Anonymous Coward, Oct 28th, 2010 @ 6:59am

    The internet is to be treated as an enemy. It is not the mall to hang out in and meet cool people. It has turned into a commercial nightmare. So I say spy, spy, spy all you want. I will encrypt my emails and if necessary assign myself a private socket on our network and do my browsing that way. Treat it like it is an enemy and you don't get hurt.

     

  •
    Anonymous Coward, Oct 28th, 2010 @ 8:52am

    "external threat to US government systems is real."
    Of course it is but what's the scope? There's a real possibility of me being elected the first President of a United States of Europe. It just doesn't seem too likely.
    The internal threats seem to be even more real, but I'd be more concerned about the threats to the companies actually running infrastructure including on behalf of the government if I were you. And by threat I mean basic open holes in security for undirected malicious code, rather than worry so much about a specific targeted "cyber war attack".

    Never attribute to malice that which can easily be explained by stupidity.

     

  •
    DanVan (profile), Oct 31st, 2010 @ 11:38am

    Eh, those that say things like "you don't know the whole story" probably have a point that we may not know exactly the threats we face.

     
