The Worst Article You Might Ever Read About 'Cybersecurity'
from the this-one's-special dept
There has been a lot of discussion lately about “cybersecurity” “cyberwar” “cyberattacks” and all sorts of related subjects which really really (really!) could do without the outdated and undeniably lame “cyber-” prefix. This is, in large part, due to the return of CISPA along with the White House’s cybersecurity executive order. Of course, the unfortunate part is that we’re still dealing in a massive amount of hype about the “threats” these initiatives are trying to face. They’re always couched in vague and scary terms, like something out of a movie. There are rarely any specifics, and the few times there are, there is no indication how things like CISPA would actually help. The formula is straightforward: fear + handwaving = “we must have a law!”
However, I think we may now have come across what I believe may top the list of the worst articles ever written about cybersecurity. If it’s not at the top, it’s close. It is by lawyer Michael Volkov, and kicks off with a title that shows us that Volkov is fully on board with new laws and ramping up the FUD: The Storm Has Arrived: Cybersecurity, Risks And Response. As with many of these types of articles, I went searching for the evidence of these risks, but came away, instead, scratching my head, wondering if Volkov actually understands this subject at all, with his confused thinking culminating in an amazing paragraph so full of wrong that almost makes me wonder if the whole thing is a parody.
The piece starts off, though, by playing up those supposed “risks,” discussing how companies face “economic devastation” due to the “theft of valuable trade secrets.” Here’s an exercise: name one such company that has been so devastated. We’ll wait. Then he talks about how these hacks could lead to “disclosure of consumer and employee information.” Of course, he seems to be mixing and matching the types of hacks he’s talking about. The “trade secret” stuff is generally corporate espionage, whereas the leaking of data tends to just be more general malicious hacking. Very different issues that probably require very different responses. But they’re lumped together here.
So we’ve got an ill-defined problem, but have no fear, because the answer is here: Congress!
At the core of the problem is Congress’ failure to act. For years now, Congress has tried to enact meaningful cybersecurity legislation.
Any analysis of whether or not the attempts at “meaningful cybersecurity legislation” would have any impact at all on the kinds of attacks discussed in the first paragraph? Why, no. Because that would be useful. But that’s okay, because Congress needs to act!
The risks are too large and the consequences of failing to act can result in serious economic consequences.
Again, can someone point to any evidence of cybersecurity issues having “serious economic consequences” to date? Yes, it’s possible they might in the future, but let’s put these things in perspective.
And then we get to this. I warn you ahead of time: reading the following paragraph may cause certain knowledgeable brains to experience something akin to spasms.
Recent cyber-attacks have illustrated the ability of terrorist groups and foreign governments to cause havoc on the Internet. The United States Sentencing Commission’s website was destroyed when activists attacked the site to protect the federal prosecution of Bart Swartz which eventually led to Mr. Swartz committing suicide. For years, the Chinese government has launched massive daily attacks against our government and private industry which are aimed at disrupting government operations, stealing trade secrets and undermining economic activity.
Let’s break this down. Bit by awful bit.
Recent cyber-attacks have illustrated the ability of terrorist groups and foreign governments to cause havoc on the Internet.
Where and how? So far, the only example of any government causing any sort of “havoc” appears to have been the US with Israel with their attacks on Iran via Stuxnet, Flame and possibly some other very targeted malware attacks. What “terrorist groups” or “foreign governments” have actually caused any actual “havoc on the Internet”? The answer is none. It’s certainly not what comes next:
The United States Sentencing Commission’s website was destroyed when activists attacked the site to protect the federal prosecution of Bart Swartz which eventually led to Mr. Swartz committing suicide.
Yeah. Okay. (1) The United States Sentencing Commission’s website was temporarily hacked (and later taken down). It was not “destroyed” in any sense of the word. (2) Activists are neither the “terrorists” nor “foreign governments” we were promised in the preceding sentence. (3) Taking down the site briefly did not cause “havoc.” (4) BART Swartz??!??!? (5) The hack was to protest the federal prosecution of Aaron Swartz, not to “protect” it. (6) While many of Swartz’s friends and families do say that the prosecution likely led to his suicide, no one can say for sure. (7) Nothing about the hack by Anonymous had anything to do with “cybersecurity” nor would CISPA have protected the Commission’s website (better programming might have). Basically, this sentence is just about as wrong as it could possibly be, and has nothing to do with what the article is about, other than drumming up fears about “cybersecurity.”
For years, the Chinese government has launched massive daily attacks against our government and private industry which are aimed at disrupting government operations, stealing trade secrets and undermining economic activity.
There’s been plenty of talk about these Chinese hacks, which definitely do appear to be happening. But, what economic activity has been undermined? So far, the hacks may have been a nuisance, but it’s unclear that they’ve done any real damage. It is also unclear how CISPA helps stop such hacks, other than making Congress feel like it’s “done something.”
Are there issues with online security that need to be taken seriously? Yes, absolutely. Do we need legislation to deal with those problems? That’s debatable, and we’re still waiting for some evidence not just of scary sounding threats, but that this kind of legislation will actually help. Unfortunately, this article keeps us waiting. But, it did make us laugh. Unintentionally (we think).
Filed Under: aaron swartz, cispa, congress, cybersecurity, exaggeration, michael volkov
Comments on “The Worst Article You Might Ever Read About 'Cybersecurity'”
Aaron Simpson?
Perhaps he conflated Bart Simpson and Aaron Swartz. The similarities are astounding. Both were a constant thorn in the side for authority figures, and …oh, that’s about it.
Re: Aaron Simpson?
Volkov needs to stay after school and write the following 100 times on the blackboard:
It’s Aaron, not Bart, ay carumba, what a hack I am!
Re: Aaron Simpson?
Bart said “Eat my shorts”. Aaron said “Free these briefs”
Can't help but wonder
…if Mr. Volkov is now offering “cybersecurity consulting services” to companies. (For a very reasonable fee, of course.)
Re: Can't help but wonder
A journalist or scientist, he will never be. The piece is a very bad post. Without the two-sides represented of a debate-piece, without the coherence or new views of an opinion-piece and without the specifics for a scientific piece or an expos?. Also its lack of fact checks truely leaves it in the dust of “junk you only find on the internet”.
The guy is even stupid enough to use the disclaimer:
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Which makes your “consulting services”-theory pretty much confirmed…
Re: Can't help but wonder
corruption laundering at its finest
Prior to launching his own law firm, Mr. Volkov was a a partner at LeClairRyan (2012-2013); Mayer Brown (2010-2012), Dickinson Wright (2008-2010); Deputy Assistant Attorney General in the Department of Justice (2008); Chief Counsel, Subcommittee on Crime, Terrorism and Homeland Security, House Judiciary Committee (2005-2008); and Counsel, Senate Judiciary Committee (2003-2005); Assistant US Attorney, United States Attorney’s Office for the District of Columbia (1989-2005); and a Trial Attorney, Antitrust Division, United States Department of Justice (1985-1989).
So rooting for more power is right up his alley.
Woe unto us, we are beset on all sides. The only way to forge peace is to forge war.
/gag
The problem I typically have with Congress isn’t so much how or when things get done….it’s the fact that the finished product is almost always overkill.
Is this a telephone thing?
Is he going to be telling us next that if it weren’t for cyberattacks, the planes wouldn’t have fallen out of the sky over Pearl Harbor?
Gee... This piece verges on ADEQUATE.
You got through it without “ridiculous”, and I don’t see any ad hom… Just take out “actually” from “actually caused any actual”, and always avoid the word “issues”, then I’ll call it FULLY ADEQUATE.
‘we’re still waiting for some evidence not just of scary sounding threats, but that this kind of legislation will actually help.’
what it most definitely will do is give Congress (or some member) the excuse to put yet another bill on the table of another reason why we must have CISPA! given that the guy is a lawyer, i hope when he goes into court he has researched the case fully. his poor defendant could end up in the shit when there was previously no shit to be in!
Mr Volkov’s piece is straight out of the annals of “Shit! I’ve Got A Deadline to Meet!”
Typos and stuff
If you take “protect” as a typo for “protest”, substitute “Aaron” for “Bart”, let him say that the prosecution caused the suicide, which may be false but certainly isn’t an absurd position to take, and wave away “destroyed” as coming from someone who doesn’t understand websites, that sentence makes sense.
Re: Typos and stuff
But then note that this follows a sentence in which he insisted that “terrorists” and “foreign governments” were causing “havoc” on the internet, which requires the need for CISPA. So you would expect the following sentence to support that. So even if you assume that those were mere sloppy typos, the whole sentence is problematic.
Re: Re: Typos and stuff
Problematic, sure. But it lowers the level of problem from “bats@#t f*#king insane” to “non sequitur” or perhaps “poor journalism”.
Re: Re: Re: Typos and stuff
The Joker is “bats@#t f*#king insane”, and he can string together more coherent and logical sentences than Michael Volkov did in the referenced article.
Re: Re: Typos and stuff
he insisted that “terrorists” and “foreign governments” were causing “havoc” on the internet, which requires the need for CISPA.
There have ben a number of long running denial of service attacks on mostly US banking sites originated by Iranian groups, which are thought to be funded by the Iranian government. Now, I don’t automatically associate Iranian with terrorist, but it is easy for many people to ignore the distinction. And they’re pretty standard DDoS attacks, nothing particularly out of the ordinary.
Of course, the point about CISPA stands – there’s no need for it even in those cases.
Re: Typos and stuff
Um, not really, no. Re-reading it again, it more looks like he’s trying to subtly make a link between the hacking of the website and Aaron Swartz’s suicide, which falls more into the disgustingly and cynically manipulative category.
Re: Re: Typos and stuff
I think you give his grammar too much credit – I read that as the prosecution led to the suicide.
Maybe I’m giving him too much credit…
Re: Re: Re: Typos and stuff
I have to agree with you. Any way I read that sentence it comes of to me as meaning that the prosecution leading to the suicide. I also suspect that you are right that he meant to say protest instead of protect and just never proof read the sentence before putting it up. It makes a whole lot more sense then. It’s still DEAD WRONG, but it’s then at least coherent.
And don’t you know that that is what asteroids do – DESTROY THINGS… apparently even in cyberspace. 🙂
Re: Re: Re:2 Typos and stuff
In terms of that specific sentence out of context I’d tend to agree – I was more looking at the context of it being in the middle of a rant about “cyber-terrosism and scary-type-computer-stuff”. If he had directly inferred a link, there would have been outrage but to put the 2 things in the same sentence in the middle of the other things he’s talking about seems to me to try and infer a link purely by association – otherwise why refer to his suicide in that context at all?
But then maybe I’m totally wrong and giving him too much credit for rationality and subtlety. It’s entirely possible he’s just talking total bollocks throughout.
Yippeekayay
“Recent cyber-attacks have illustrated the ability of terrorist groups and foreign governments to cause havoc on the Internet”
Sounds like someone got drunk and mistook Die Hard 4.0 for the evening news
Re: Yippeekayay
ROFLOL! That was rich.
Another Law that will What
To repeat on the point of what will CISPA (or any law) do to help the situation. What evidence is there that any new law will stop the blankety-blank-war attacks. I mean just like laws against stealing, killing, and jaywalking have totally stopped all of those activities, passing CISPA will just instantly stop all of those activities that the insiders want to call Cyber something to make it sound ominous. Anyone with a computer hooked to the Internet will still need to put a lot of effort into providing security (to everything). The only thing a new law could possibly provide is the ability to go after suspected violators way after the fact AND to use to HARASS others who do something that is not liked. Its alredy illegal to break in and take things, now just better locks are needed, not new laws.
Its more likely the sponsors of pork barrel spending needed a new piece of legislation, that the prez was likely to sign, to tack on some fat and this article was its foreruning rally cry. I agree this is some unsubstantiated (and even wrong) claim of terror.
The unanswered, unspoken question is what is really being attempted here. What self protectionism special interest (group?) is going on behind the scenes produces such wild, and certainly, unneeded proposed legislation. It is at least possible that this is just another way to legalize what has already been (being?) done.
The executive order definitely seems more rubber-stamping by the current administration. Its kind of irresponsible in the light of current politicians ability to create constitutionally viable law especially in the area of privacy.
Misspelling Aaron Swart’s name is almost comedic. Did anyone writing the article care about an activist anyway. Relating activists to terrorists the demonetization of a whole class of Americans. Would that be declaring class warfare in writing? If they would hire some of them to program their websites I’d bet their vulnerability to China hacks would be much less.
I said what I needed to about privacy in this recent post: http://www.techdirt.com/articles/20130226/14360422120/supreme-court-effectively-says-theres-no-way-to-challenge-warrantless-wiretapping.shtml#c681 which was one of my more difficult essays. It takes a bit to write my (wordy) posts and its at the end. The only error I made was not removing Carter as an exception.
The current US batch of politicians seem to have entered a no privacy zone. I hope the voters issue a stiff parking ticket.
The consequences of collecting private intel on the lifestyles of average citizens is summed up on this post: http://www.techdirt.com/articles/20130225/18022322104/north-carolina-newspaper-with-no-backbone-apologizes-its-request-public-records.shtml#c1019 (don’t be a bully!)
am glad I wrote those posts so this post can be so short. haha
Re: Re:
You’re full of yourself aren’t you?
Re: Re: Re:
If thats your opinion thats good really. ?Full of myself? would imply that I was just spouting my opinion alone with no substantiation of it. Furthermore. Much of what I write is not my original content but just an attempt to make sense of difficult to grasp concepts (and of what I read and hear) and possibly fill out some of the logic gaps.
Despite some education I find the gaps to be huge especially in the areas of monopolies and top down media business models and the effects on shared culture areas. I am of course hoping to get some commentary/feedback involving this. Its a wonderful intellectual exercise full of discovery.
I put a bit of effort into the logic behind the topic each post is about. They can be a bit wordy and the time that takes usually means they are near last and comments are sparse. Argue with me. Tell me I’m wrong. But. Please explain how so I can elaborate as it seems each paragraph and sentence of my posts can be a whole essay in themselves. I’m kind of eager for it.
Thanks for commenting.
I’m sorry. You lost me at Bart Swartz.
Re: Re:
Me too, that was an eyeball hijacking of the highest order.
ouch. I misspelled the name I criticized someone else for. Embarrassing should one print it in a newspaper. Ill just dump on myself for that.
Re: Re:
There’s some irony for ya. 🙂
If Cybersecurity is such an issue, why aren’t these people calling on Microsoft to produce a more secure product? Why are they not jumping on the doorsteps of those that make the SCADA systems for not designing better security within? Why are they not ramping up efforts to change the basic way email works?
If this were something besides misdirection for more draconian laws to allow more invasion of privacy, it would seem that addressing where the points of weakness are, would be the solution. Those solutions that work pretty much always address the root cause, not the hand waving, vaporous, symptoms.
Re: Re:
Anyone with a server knows this is nothing new
And not that big a deal.
Anyone who has a server gets probed on a regular basis. They come from everywhere (including the US). I don’t know why China is being singled out (other than they’re a convenient bogeyman).
Just for fun sometime, everyone should have to put up an old server with an old un-patched OS without any firewall or NAT. Within a day, your login prompts will generally be swapped out with some gotcha message. These attacks generally come from script kiddie thrill seekers, not malicious communists trying to destroy the Internet.
And it doesn’t take much precautions to keep fairly safe on the Intertubes.
Mosquitoes are a good analogy. Mosquitoes do cause billions of dollars of damage in the world (real dollars, not hype dollars). And I often get some mosquitos outside my windows. But I’m not giving the cops the keys to my place because of the problem. First of all, I don’t need the invasion of my domain, secondly I don’t see the cops being able to do much more than I can. So what’s the point?
Re: Anyone with a server knows this is nothing new
That’s optimistic… last time I tried that a few years ago the thing was penetrated practically in minutes and totally hacked to hell and gone in hours… ‘course that was on a corporate address range, I guess it might last a bit longer on a generally less target-rich environment like a bog-standard home broadband DHCP range….
Re: Re: Anyone with a server knows this is nothing new
Not much longer. My servers, sitting on bog-standard consumer broadband, get scanned incessantly, and more serious actual hacking attempt occur daily.
Fortunately, this stuff isn’t really that hard to deal with.
he lost me at
At the core of the problem is Congress? failure to act
I think there is some soft of bias in this piece.
Re: Failure to act? Not!
Seems to me that the real problem here is lack of failure to act. The only thing that Congress seems to know how to do is act.
I'm surprised
Followed the link in the article and was shocked that it didn’t link to The Onion.
Re: I'm surprised
It belongs there.
The stronger the laws restricting and prosecuting hacking get, the less secure your actual actual networks will get. And yet, somehow the risk of someday having a real attempted attack from foreign terrorists or governments seems unlikely to be affected, considering they probably don’t give a flying **k about your restrictive laws.
I don't even
…Bart? BART?! Really?! It’s not like his name was one of the most publicized and recognizable names in the tech WORLD for a while or anything!
Re: I don't even
Bart…where did that even come from? I could see Adam or Ashton or something else that begins with A…but Bart?!
Sends whatever else he has to say straight into the crapper, he can’t even get a name right.
It is simple, the US has developed and deployed already cyber-weapons(i.e. STUXNET) now they want to make it legal to do so, not because they are tremendously afraid of other nations, but because they are already using the fraking crap.
Probably illegaly and want to cover their asses.
Re: Re:
Also if STUXNET is any sign of viability of “cyber-attacks” one should note that it failed in its mission but it caused a lot of collateral damage to other systems all around the world.
Fixed one mistake, left the rest.
It looks like he finally changed “Bart” to “Aaron.” But he left all the other mistakes. Including “protect.” Perhaps that wasn’t even a typo…
Re: Fixed one mistake, left the rest.
Come on Mike, a lawyer (?!) of his caliber wouldn’t have committed such mistake. I’m sure this was a result of Bart Simpson hacking into his site and writing something that’s akin to “Bart was here”. If CISPA was already up and running none of this would have happened!
On a more serious note my brain skipped a few electric pulses while reading all that bullshittery.
Re: Fixed one mistake, left the rest.
He did change protect to protest as well.
i can name one HBGARY. couldn’t have happened to a nicer bunch of pissants.
The scary thing here isn’t the threat of ‘cyberwar’, which is absurd. No, the real scary thing is that some people are dumb enough to actually believe this nonsense.
Anyone can conjure up hypothetical scenarios of doom and gloom playing out in the future; that doesn’t make them true or inevitable. From what I gather, some people’s job in government is solely to drum up fear and panic over manufactured what-if scenarios, then attempt to shift responsibility to Congress to act or be held accountable for the ‘consequences’ of doing nothing to prevent it. Yes, somehow, it’s government’s job to be future-proof against all manner of crime. Invariably the idea is to give themselves more extraordinary powers. They’re so predictable, they may as well be a broken record.
To "Volkov"
Volkov (verb)
Definition: To so thoroughly misunderstand a topic as to undermine your argument at the same time as you display your own massive ignorance and stupidity. Example: “protect the federal prosecution of Bart Swartz”
cyber security threat?
The biggest cyber security threat is FISA a spy program run by the US govenment against it’s own citizens. No way to protect yourself from it.