How The Defense Department And NSA Is Hyping Cyberwar To Better Spy On You

from the not-cool dept

We’ve discussed multiple times the massive unsubstantiated hype around the concept of “cyberwar”, which mostly has been led by former government officials who are seriously cashing in on the hype. Yet, every time we mention this, we get people insisting that we just don’t know the “real story” and the “threat” is really big. But we keep waiting for some evidence to support that theory.

Seymour Hersh, over at the New Yorker, who tends to be the most connected reporter around when it comes to getting the inside scoop on what’s happening in the US military, has a (typically) long and worth reading analysis of the whole “cyberwar” concept that effectively agrees with exactly what we’ve been saying all along: it’s totally hyped up beyond reality, in an effort to build the reputations of a few people and to cash in on a trend. People on all sides of the issue all seemed to point out to Hersh that “cyberwar” is blowing things out of proportion. There’s plenty of espionage going on, but that’s quite different (and a lot less sexy when it comes to trying to make money).

But what’s even scarier than the people seeking to get money is the way the Defense Department has been using this to try to basically take control of the whole “cyber defense” aspect. Back in August, we discussed how there was this ongoing fight between the Defense Department (military) and Homeland Security (civilian) to manage the “cyber” threats, with the Defense Department basically using its experience in being incompetent to argue that it knows better.

And, as you look at the details, the Defense Department isn’t just looking at “cyber defense,” it keeps on making the argument that part of “cyber defense” is also “securing” private networks and usage. Jerry Brito, over at the Tech Liberation Front, just had a post questioning whether or not the military should have a role in civilian cybersecurity, and Hersh’s long article gives plenty of reasons why it absolutely should not.

Multiple people note that one of the best ways to make various networks and systems more secure from espionage attacks is to increase (or even mandate) widespread encryption. That would certainly make things more difficult for espionage. But the NSA (part of the Defense Department) doesn’t want that because that makes it much harder to spy on people. In fact, the very same NSA has been pushing the feds to put in place a mandatory backdoor to any encryption so that it can keep on spying.

But, of course, any such backdoor can (and absolutely will) be used by those trying to spy from elsewhere as well. So when you put the NSA in charge of “cyber security,” it seems to focus on using that mandate to actually improve its ability to spy on everyone (including on domestic soil), rather than actually doing stuff related to actual “cyber security.” We’ve had various pieces of similar stories over the past few months, but Hersh does a great job pulling it all together in a way that makes it pretty clear that this whole thing is a huge boondoggle for most of the players. The ex-gov’t officials screaming “cyberwar” are making tons of cash, while the Defense Department and the NSA are using all that hype to gain more control over the internet and the ability to spy on people — but not necessarily to make anyone more secure.

Filed Under: , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “How The Defense Department And NSA Is Hyping Cyberwar To Better Spy On You”

Subscribe: RSS Leave a comment
Dark Helmet (profile) says:

Re: Re: Dear God...

“I bet you’d sell more books and/or get more responses to your query if you were peddling the “sexy” (as Mike put it) concept of cyberwar threats and not the unsexy concept of typical boring collusion and profiteering.”

Actually, I kind of am, indirectly. The book is about the first ever true all-digital consciousness created by a defense contractor as the prototype for the future digital “soldier”. Did a ton of research on Digital Philosophy Theory and the like for it….

Show me the money! says:

You say, “The ex-gov’t officials screaming “cyberwar” are making tons of cash” and that you “keep waiting for some evidence to support that theory.”

What evidence do you have to support your theory? How are they making their “tons of cash?”

I’m all for privacy, but it seems to me that we would all be better served if people would suggest a better solution to address any potential cyber threats, rather than simply bash the government’s efforts to actually do something about it…

Dark Helmet (profile) says:

Re: Re:

“What evidence do you have to support your theory? How are they making their “tons of cash?”” reuters%2FtechnologyNews %28News %2F US %2F Technology%29 —

“Growing concern about cyber attacks is fueling a market valued at around $30 billion a year, prompting new investments by BAE and other defense companies that are keen to offset an expected flattening in spending on more traditional weapons.”

In other words, they’ve learned from their pharma friends. When profits from one threat begin to wan because that threat is no longer seen as a threat, manufacture another threat, with govt. or NGO help, and sell something for THAT…. wired%2Findex %28Wired%3A Index 3 %28Top Stories 2%29%29 —

“Back in February, for instance, former National Security Agency director and Booz Allen Hamilton executive vice president Mike McConnell declared that “the United States is fighting a cyber-war today, and we are losing.””

That same article details that Booz Allen, subsequent to those comments by an ex-govt. official, signed $400 million worth of “digital defense” contracts to add to it’s already staggering $2.7 billion bank of govt. work.

….is that enough, or do you need more?

TtfnJohn (profile) says:

Re: Re: Re:

Thing is though that they cyber war argument is entirely circular with little or no reference to reality.

The Great Firewall of China is about as secure as the pay walls around News Corp properties.

Still, as you point out there’s a LOT of money to be made chasing your own tail, it seems.

Interesting, isn’t it, that the British Government wants to drydock virtually all of the Royal Navy, park and store most RAF jets and still, somehow, support what few troops three are in Afganistan but are going to spend a small country’s GDP and cyber warefare.

And still the US NSA dreams of setting up a “secure” domain in cyberspace. Lemme know when they get that done or better yet let me know when you see pigs flying south for the winter of when the Cubs win the World Series.


Anonymous Coward says:

Re: Re: Re:


But I still maintain that it would still be more productive if folks crafted solutions. The debate over who should oversee the defense of the networks aside, the external threat to US government systems is real. Adversaries are constantly seeking to exfiltrate data to foreign servers. And the Russian attack on Georgian infrastructure–how would you classify that?

Bottom line: What would you recommend the United States do about it?

Dark Helmet (profile) says:

Re: Re: Re: Re:

“And the Russian attack on Georgian infrastructure–how would you classify that?”

International espionage. Watch a Bond film. This stuff ain’t THAT new….

“Bottom line: What would you recommend the United States do about it?”

Take the physical security precautions that they can, do some level-headed basic computer security precautions where necessary. None of that costs $30 billion. And fear mongering makes me unimpressed.

My suggestion? To be just as effective, give ME the $30 billion dollars, I’ll dress up like a flamboyantly gay Apache Medicine Man, get myself a Harry Potter wand, and shake it at every govt. computer in America while shouting “Ooga Booga, Ooga Booga!”

Actually, because I’m a patriot, and because I like dressing up like gay versions of indigenous peoples, I’ll do it for $20 billion….

Dark Helmet (profile) says:

Re: Re: Re:5 Re:,r:0,s:0

…..I win.

BearGriz72 (profile) says:

Re: Re: Re:8 Re:

From ‘Source’ Article:

The Coquilles (which tribal leaders prefer to pronounce KO-kwell) are probably the first tribe in the nation to legalise same-sex marriage

From The Coquille Indian Tribe Website:

Pronunciation and Origin of “Coquille”
Tribal anthropologists and historians agree that the word Coquille (“ko-kwel”) is derived from a Native name for a fish (lamprey) that was once very abundant and very important in the diet and culture of coastal Native peoples.

So not as ‘Unfortunate’ as it could have been…

Rich Kulawiec says:

Re: Re: Re: Re:

The problem is not a lack of solutions. There are plenty of solutions, most of which have been well-known, well-understood, and well-tested for somewhere between “years” and “decades”.

The problem is that these solutions do not make billions in profits for consultants and contractors. They thus have every reason to scrupulously avoid them, and to instead undertake hideously-expensive and not-quite-ineffective alternatives. (Which “not quite”? Because if they work too well, then no more gravy train. But if they work too badly, not more gravy train either. The trick is to walk the fine line and thus ensure next year’s revenue.)

I strongly recommend reading Marcus Ranum’s essays/rants, which are some of the most insightful things written about security in the last 40 years. In particular, “The Six Dumbest Ideas in Computer Security”, “The Anatomy of Security Disasters”, and “Stupid about Software” are good places to start.

If you read those and grasp them fully, then one of things that you will realize is that attacking the IT security problem as it currently stands is NOT a matter of “doing something”: it’s a matter of ceasing to do quite a few things that are known failures.

But that’s not sexy and doesn’t make headlines and doesn’t sell books and doesn’t make billions and doesn’t look good on a PowerPoint and oh, yeah, is far beyond the feeble comprehension of nearly every management critter on the planet. So it won’t happen.

Nope, instead there will be initiatives and plans and reviews and standards and yadda yadda yadda for the foreseeable future. And the cash register will ring — and if not enough, well, then some additional “cyberwar” fear mongering should do the trick.

Anonymous Coward says:

Re: Re:

I’m all for privacy, but it seems to me that we would all be better served if people would suggest a better solution to address any potential cyber threats, rather than simply bash the government’s efforts to actually do something about it…

But privacy is security in a very real sense. You want solutions? Ok…. I’ll give it a stab
1. Encrypt everything
2. Use intelligent multi-layered defenses based around Intrusion Detection and Intrusion Prevention throughout key points of the network
3. Make sure these are algorythmic/holistic in nature rather than signature based to better stop zero-day exploits
4. Make sure that you have a security plan that covers every device that may connect to your services be it mobile phone memory stick, laptop or smart washing machine.
4. Make sure everything is logged and audited, including changes to logging and auditing processes
5. Make sure the physical security of access to your resources is considered and likelwise monitored.
6. And this one’s really really important…. Make sure you consider the human element. Training and education to reduce social engineering attacks and plain stupidity.
and of course 7. Don’t let anyone governmental or otherwise deliberately put a hole in those defenses no matter what excuse they have

Follow all that and you still won’t stop every attack, but I guarantee you you’ll be a damn sight better off that letting the goverment “handle” it.

“Cyber war” could be done technically with lax security on many networks, but making it worse by centralising the vulnerability is hardly the answer. The things you’d be worried about being taken down aren’t in government hands so educationa and encouragement of security improvement in a distributed way is what reduces the “threat”, not hyperbole and posturing by politicians.

Anonymous Coward says:

Re: Re: Re: Re:

AKA: Computer Security Best Practices

Yeah… it’s not like I invented it solely for the purposes of answering a post 🙂
As I said it’s number 6 that’s the kicker….. the number of people who claim “security is someone else’s department – nothing to do with me.” is scary.
That’s probably why it’s so tempting to let believe the Government can sort it out.

Cut to: Larson Farside cartoon…. party full of sheep, dog at door. Caption, hostess sheep saying “Oh Vernon the party’s a disaster, no-one knows whether to sit, stand, eat, drink… Oh thank God! Here comes the border collie”

response: Further Larson cartoon… field full of sheep, 1 standing on hind legs front legs raised, a look of revelation, caption “Wait! We don’t have to be sheep!”

Trails (profile) says:

Not just including domestic

“it seems to focus on using that mandate to actually improve its ability to spy on everyone (including on domestic soil)”

I would say that it’s not just “including domestic spying”, rather focused primarily on domestic soil.

Foreign gov’ts and corps will simply not use flawed encryption tech, and develop their own sans “NSA ENTER HERE EVERYONE ELSE GO AWAY” backdoor.

Hence, this opens domestic networks to everyone, including the NSA, but will have zero effect on foreign surveillance.

Anonymous Coward says:

Re: Not just including domestic

Many NGOs and small governments use AES for international communication. This includes NGOs like major drug cartels operating in our south of the border DoD and DoJ proving-grounds established by Bush Sr.’s war on drugs. Read the executive order if you like. Also more standardized encryption would likely be used by legitimate businesses globally when communicating outside their networks, like banks to clients. An independent and open encryption solution would solve this problem if it had proper market saturation, of course cooperation by Apple Inc. Microsoft and Google’s android would be required at minimum.

nasch (profile) says:

Re: Re: Not just including domestic

An independent and open encryption solution would solve this problem if it had proper market saturation

TLS and SSL, the standard communication encryption protocols, use RSA, an open-source encryption algorithm. So we have that part solved at least.

Also more standardized encryption would likely be used by legitimate businesses globally when communicating outside their networks, like banks to clients.

Any bank that doesn’t already use secure communication should be completely avoided.

Trails (profile) says:

Re: Re: Not just including domestic

Wow, didn’t realise my point would be missed.

The only entities who will knowingly use encryption with a backdoor are entities who have no choice.

The only entities the US Gov’t can force the choice on are entities that exist within the US.

Hence, if the US mandates this, it will have an effect on domestic surveillance, but none on foreign. Drug cartels south of the border, for example, will use encryption without a backdoor.

Anonymous Coward says:

Sounds like the real “cyberwar” is being waged by the government against the internet’s anonymous nature. Fortunately, like the RIAA before them, they’re too stupid to realize that the internet evolves in response to such threats.
It’s impossible for them to achieve the totalitarian control they’re trying for. The best they can do is push people to start using VPNs, which would result in them getting even less intel.
Of course, they’re not going to sober up anytime soon. As such, let’s look forward to watching over the coming months as they grasp at the shadow and lose the substance.

darryl says:

Againg with the "there really is NO PROBLEM". trust me.. im Mike.. :)

Yes, its funny how Mike goes to so much effort to discredit other people claims, but never provides his own facts or proof to support his ‘argument’.

“Sure, they are wrong, but I cant provide anything that shows Im right”.

It least these groups are trying to work out who and how to work on this cyber security threat. Mike you just claim it does not exist !!.

And if you think cyber security issues do not exist you are the LAST person who is qualified to comment on said security.

You are in denial..

NSA and HS are saying “there is a problem, it is clear, so what can we do about it to try to mitigate that problem’.

Mike says “You’re stupid and waisting money, there is no problem, your chasing shadows”.

And ofcourse Mike has so much more skills, expertise and technical knowledge of these issues than the NSA or Homeland security.

Ofcourse to Mike, there is no legions of script kiddes and wouldbe hackers, botnets dont exist, and the .gov and .mil domains are not attacked hundreds of thousands of times a day.. There are no hacker convention, and hacking “WELL IT REALLY IS NOT A PROBLEM”.

Great mike, way to boost you ‘reputation’ as someone informated.

Anonymous Coward says:

Re: Againg with the "there really is NO PROBLEM". trust me.. im Mike.. :)

Not a suprising take on the article considering…. but also unsuprisingly a different interpretation exists.

I read it as “Oh look. Government is hyping up a threat that’s been there for years and decided suddenly to appear to ‘Do Something About It’, except that the actual aim seems to be something that can’t possibly help and in fact will hinder the stated aim. But oddly the approach manages raise lots of cash, fear, and give much more domestic control. Don’t you think that’s a bit dodgy?”

Of course that would make the other interpretation pretty much a non-sequitur of a post so it’ll probably turn out that I’m in DeNile too…. that’s fine – I fancy Africa this time of year.

Anonymous Coward says:

Re: Facetious fortune cookie

Facetious fortune cookie say, “You need not worry if you are not doing anything wrong.”

Facetious indeed 🙂 Except in this case even that tired old platitude that you are correct will probably be trotted out isn’t applicable.
Even if I were dumb enough to accept it as a valid reason for violating privacy, in this case we’re not just talking about privacy the government. I think I can 100% guarantee with no fear of being wrong that if a “backdoor” is engineered into every system “for the NSA”, the NSA won’t be the only ones walking through it. I may have “done no wrong” but what about the million other people you just let into my network? Do I have anything to fear from them?

BearGriz72 (profile) says:

Oh Look it gets better the CIA is fighting the CyberWar too?

From our friends at /.

Launched by the CIA in 1999, In-Q-Tel’s mission is to identify and partner with companies developing cutting-edge technologies that serve the national security interests of the United States. In-Q-Tel has invested an undisclosed sum in Silver Tail Systems, an emerging online fraud prevention and analytics company, an investment they say enables them to offer powerful technology companies in the U.S. intelligence Community and further protect the Nation’s assets.

From the linked Article: “Silver Tail Systems, a provider of fraud prevention solutions for Web sites, received solid validation of its products and business model this week. The company has entered into a strategic investment and development agreement with In-Q-Tel (IQT), the not-for-profit, venture capital arm of the CIA.


Ok I’m done now.

Anonymous Coward says:

The internet is to be treated as an enemy. It is not the mall to hang out in and meet cool people. It has turned into a commercial nightmare. So I say spy, spy, spy all you want. I will encrypt my emails and if necessary assign myself a private socket on our network and do my browsing that way. Treat it like it is an enemy and you don’t get hurt.

Anonymous Coward says:

“external threat to US government systems is real.”

Of course it is but what’s the scope? There’s a real possibility of me being elected the first President of a United Statesof Europe. It just doesn’t seem too likely.

The internal threats seem to be even more real, but I’d be more concerned about the threats to the companies actually running infrastructure including on behalf of the government if I were you. And by threat I mean basic open holes in security for undirected malicious code, rather than worry so much about a specific targeted “cyber war attack”.

Never attribute to malice that which can easily be explained by stupidity.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...