OECD: Concept Of Cyberwar Is Overhyped
from the nice-to-finally-see-this dept
We’ve spent plenty of time over the past year or so discussing how the concept of a “cyberwar” has been blown totally out of proportion, often by those seeking to get rich off of the fear. We’ve been ridiculed for this, often getting messages from people saying that we don’t know what’s really going on. However, now the OECD, a rather respectable organization, has stepped up and said the same thing: the concept of a “cyberwar” is totally overhyped, and while there may be random computer-based hacks and attacks here and there, to label it as a “war” is way beyond reasonable.
Attempts to quantify the potential damage that hi-tech attacks could cause and develop appropriate responses are not helped by the hyperbolic language used to describe these incidents, said the OECD report.
“We don’t help ourselves using ‘cyberwar’ to describe espionage or hacktivist blockading or defacing of websites, as recently seen in reaction to WikiLeaks,” said Professor Peter Sommer, visiting professor at LSE who co-wrote the report with Dr Ian Brown of the Oxford Internet Institute.
“Nor is it helpful to group trivially avoidable incidents like routine viruses and frauds with determined attempts to disrupt critical national infrastructure,” added Prof Sommer.
Part of the problem is that people (again, often with questionable agendas) like to lump all sorts of very different activities under the single heading of “cyberwar” to make it sound like a bigger issue than it really is (and, presumably, to get more money). It’s nice to see more level-headed analysis coming out of groups like the OECD. Now, if only governments will actually listen…
Comments on “OECD: Concept Of Cyberwar Is Overhyped”
Organisation for Economic Cooperation and Development.
Yup, call in the economists to explain a computer issue.
Was just going to send this one in. Nice to see a bit of recognition that there’s a vast amount of hype and fear-mongering going on.
I think we truly should publicize this issue more in the press so everyone can really see how fear-mongering and hype could be the end of our society, and our country as we know it.
Perhaps Rep. King could get right on this …
And yet, nobody I’ve actually met in person pays attention to the issue. No matter how much they hype it.
Re: Re: dammit!
Unfortunately it’s worse if people don’t pay attention to it. Then it becomes insidious, like the rest of security theatre, all you have to do is keep blasting it out in the media “there’s a war going on you know nothing about and we are keeping you safe even though you never see it”.
Because people actually don’t understand it and don’t care that much it goes in at a lower-conciousness level and becomes generally accepted wisdom, which is much harder to fight against with reasoned argument because everyone “knows”.
Re: Re: Re: dammit!
And then people wonder why I have infowars as my URL. Hoping Average Joe is reading.
Re: Re: Re: dammit!
Excellent, EXCELLENT post. Can’t click ‘Insightful’ enough. I was going to say something similar, but you put it much more eloquently that I would have.
Bottom line for me: fearful people are much easier to herd and control. This is why ‘they’ implemented the color-coded turrist alert system, and why ‘they’ will keep beating the cyberwar drum.
‘they’ = media, government, paranoid delusionals, pick your poison
Ask the Iranians
I am guessing that OECD didn’t ask the Iranians about the reality of cyber warfare. http://www.itworld.com/security/133836/us-israel-appear-confirm-role-stuxnet-nyt
My biggest concern is that governments around the world will use the excuse of cyberwar to do lots of other things such as imposing more intrusions into personal freedoms and enhancing IP protections.
Re: Ask the Iranians
I’d be wary of any government that sponsors development of worms and viruses.
Re: Re: Ask the Iranians
So, all of them?
The Imaginary and the Real
Granted that there is a lot of hype around cyberwar,
let’s also keep in mind the real-world demo of a weapon in this war. Stuxnet, if we believe the analysis, caused major grief in Iran and had a significant impact on the development of their nuclear capabilities.
This appears to have been well architected, tightly targeted, military-grade smart weapon that has been very difficult to remediate and caused serious hardware damage.
I wouldn’t want my infrastructure to be the target of Stuxnet 2.0.
Re: The Imaginary and the Real
Agreed – there are real things that could reasonably be put under the heading of “cyberwar” (even if it is a somewhat sensational heading – the concept isn’t entirely unsound). Of course, it seems that simply referring to these things as new forms of digital attack used in conflicts is more accurate than creating a whole new class of conflict – but you’re right that there are elements of cyberwarfare out there, and one day we may see a war that is primarily driven by digital attacks.
However the real issue is, as you say, the hype – mainly the hype that lumps all sorts of things together as cyberwar. Suddenly spam, fraud, Wikileaks and 4chan are all part of the “cyberwar” – and that’s where things start to get silly.
Re: The Imaginary and the Real
Stuxnet, if we believe the analysis, caused major grief in Iran and had a significant impact on the development of their nuclear capabilities.
I would argue that’s much more on the espionage front, than any “war” development.
Re: Re: The Imaginary and the Real
And may I add that, if there’s any “war” development in this case, it would not happen on the network side.
I’d consider them as “brain-dead” if they don’t enforce physically isolated network in their nuclear development facilities. You don’t need a targeted espionage… just some random routine virus/worm can wreak havoc easily.
Re: Re: The Imaginary and the Real
but that is exactly the point. it wasn’t espionage. or at least not primarily, stuxnet’s purpose was to infiltrate iranian nuclear facility and to destroy as many centrifuges as possible before being detected. i agree that a lot of things like hacking, espionage, ddos, etc… aren’t “cyberwarfare” at all.
Nor is it helpful to group trivially avoidable incidents like routine viruses and frauds with determined attempts to disrupt critical national infrastructure,” added Prof Sommer.
exactly. stuxnet was a “determined attempt to disrupt critical national infrastructure”
you really need to read more deeply into it, because half of what i,ve read you comment on it is wrong.
Could it be that Mother Nature is the biggest potential cyber terrorist? (solar flare) Do not expect any attention to be paid towards this very real threat … no, in fact this will be largely ignored because there is no monetary reward. When it does happen, it will be called a natural disaster and tax money will be used to fix it – so why should any business feel responsible for addressing the issue in a proactive manner when it has a negative affect upon their bottom line. I recall news items from the past where satellite outage was attributable to solar activity, as was at least one power grid disruption. I imagine that the cost was absorbed by either the tax payer, rate payer, or insurance payer. It is almost humorous to watch, but they are gambling with my money and without my consent.
I think the main problem is the word “war” in the term “cyberwar.” People use the word “war” to describe any conflict between two individuals/organizations. You can, for example, have a huge, multi-year conflict between two or more nations that involves shooting, bombing, and invading countries, but not declare actual “war,” yet people still call it one (and perhaps rightfully so, although not strictly correct in legal terms). You can have corporate wars, where two corporations struggle for the same market. You can have format wars, where two technologies backed by large groups compete for the same niche. Then you get the world wars and (thankfully non-existent) nuclear wars.
So yes, Mike, defining a cyberwar as one nation-state using cyber assets to cripple or destroyer another nation-state, the threat of cyberwar is vastly over exaggerated, especially considering that cyber attacks generally augment physical attacks. But who’s to say that a “cyberwar” is not what we’re seeing right now?
We (the country/world/media) have to decide on a definition of “cyberwar” before you can even think to start discussing if one is likely.
I declare a cyberwar
Gotta say, stuxnet looked like one hell of a step forward in terms of offensive capability. We might not be taking cyberwar seriously, but a lot of money paying a lot of talent…black projects have been behind a lot of interesting developments.
Vison for the future?
I’m wondering if the next presidential race is going to be on a platform of a war on the internet. They’ll of course use a PC word (aka Net neutrality). And in true Orwellian fashion we’ll believe both Net neutrality and protection from net threats are one truth… or I mean bill.
The American government has always felt that the only way to unite the people is to have a war to incite patriotic fervor.
Stuxnet very real, but statistics are indeed inapplicable
I disagree about Stuxnet: dismissing Stuxnet for not being the norm is not a good idea. On the other hand, I agree about the inapplicability of statistics. Demonstrating cyber-war shall be qualitative rather than quantitative. Cyber-war shall be dealt with, but it cannot be demonstrated by statistics, but by analysis of all that has not yet happened.
See interesting post about the research: Cyber-war Risk Exaggerated?.