[ISN] Re: Will Rodger's "Cyberwars: Proper vigilance or paranoia?"

From: mea culpa (jerichot_private)
Date: Mon Oct 12 1998 - 01:38:03 PDT

  • Next message: mea culpa: "[ISN] Verisign Adds Key Recovery"

    Reply From: <anonymous>
    >Cyberwars: Proper vigilance or paranoia?
    >By Will Rodger, Inter@ctive Week Online 
    >The last war was on land, air and sea. The next one may be on your
    >-- Armed with reams of data showing dramatic increases in computer
    >crime since 1995, a wide-ranging but little-noticed federal working
    >group is moving swiftly to try to knit together a private and public
    >partnership against armies of hackers, government spies and terrorist
    >agents that could make cyberspace unsafe for democracy. 
    wooooo -- "armies of hackers?"
    a big "hacker group" is much smaller than a platoon, a really big hacker
    group would be about the same size as a platoon.  hmmm, what is it that
    the writer is trying to suggest?  is this the traditional scare tactic
    that comes out of the mouths of those who are afraid of what the "evil
    internet" has wrought?  afraid of change, are we?  don't understand the
    "meaning of life" at the turn of the millennium?  (hackers, of course,
    threaten all these things...)
    one of the difficulties that people have in trying to apply the archaic
    "world view" or "paradigm" to the new "digital world" order is that it
    simply does not apply.  analog and digital are different.  one of the
    major differences that distinguishes the "new world" from the archaic one
    is the underlying principle of self-organization.  in the decaying analog
    world, interest groups (a simple analogy for "hacker groupings") did
    organize, but they were subservient to a central organizing institution
    -- the government.  but this model is no longer relevant.  power is being
    pushed down to the people, and the internet is simply _one_ manifestation
    of this.
    the centralized model of risk assessment and threat defense may not be
    the appropriate model for fending off the "evil" hackers of the new
    world.  hackers are not organized into military-like units, taking
    centralized instructions on where to go or who to target.  their targets
    are more opportunistic or whimsical than intentional.  targeting DoD or
    nasa is simply too inviting, but defensive strategies should keep this in
    mind: other kinds of "strategic assets" may not receive the kind of overt
    attention that DoD or nasa does...
    "could make cyberspace unsafe for democracy?"
    i am truly at a loss for understanding how the connection between
    cyberspace and democracy was arrived at.  democracy is a pre-digital
    concept (and ideal), one that has little to do with an evolving
    communications medium.  this is obviously a little bit of hyperbole, but
    it is the kind of statement that is increasingly being made by
    politicians and journalists.  without addressing the ignorance that is
    implied by such statements, let's examine the facts.
    if anything, the presence of the internet should make political space
    more, not less, democratic.  the inclusion of more voices -- including
    more anonymous voices -- is a good thing.  how is it that "hackers" (or
    terrorists) can threaten this development?  hacking into a political web
    site and leaving a political message only adds to the multitude of
    voices.  it probably does frustrate the owners of the site, but then,
    they shouldn't leave their front (or back) door open, assuming that no
    one will enter.
    the real threat to democracy posed by the internet comes not from the
    "evil" hackers who explore and test the security of numerous sites, but
    the reigning institutions who use intellectual curiosity as a
    justification for imposing more restrictive measures upon society.  while
    they are using hackers as an excuse for proposing oppressive laws and
    regulations, _their_ real purpose is to perpetuate existing institutions
    (governmental, corporate, etc) while attempting to configure the emerging
    digital order using the old, archaic model of conduct, regulation and
    thus, the dilemma of the emergent internet in a democratic society is not
    that _hackers_ "could make cyberspace unsafe for democracy" but that
    existing institutions may decide that cyberspace is _incompatible_ with
    democracy as they know it.  while the internet may still be evolving,
    governments have clearly decided that they do not wish to continue to
    evolve; they like it where they are and _anything_ that threatens that
    stasis threatens society *as they know it!*
    >The fear: that no part of the industrialized world is safe from digital
    >disaster. Successful attacks on power grids, hospitals, banks, farms,
    >factories and railroad switches could plunge a target nation into chaos
    >and dysfunction.  
    this is clearly possible, but...
    a.) it is equally true that no part of the industrial world is safe from
    nuclear disaster, whether of military or corporate origins.  interesting
    that this does not prompt the kind of response that so-called hacker/
    terrorists do...
    b.) do we really expect the military, as it is presently constituted, to
    be able to defend "cyberspace" from the perceived threat?
    c.) do we really think that such a "digital attack," when/if it comes,
    will come in the form of a concerted "surprise" attack, or the "digital
    equivalent of pearl harbor?"  this premise relies on a dangerous
    presumption, that there exists this great hoard of hackers out there,
    ready, willing and able to conduct an attack on such a massive (and
    concerted) scale...
    d.) in the meantime, people overlook some of the more obvious threats
    posed to the announced targets (power grids, hospitals, banks, farms,
    factories and railroad switches): the general lack of (computer) security
    in these "strategic" assets; the predominate threat posed by employees
    and other insiders, who are far more likely to "attack" the computers of
    these assets than are hackers; and the possibility -- nay, the
    probability -- that real hackers would not shut-down these facilities but
    merely alter their performance for other purposes...
    >Administration officials say this is no joke, ticking off threats
    >already encountered:
    the threats that are repeatedly mentioned are minor compared to what is
    possible, especially by those who have graduated beyond "script
    >At the center of the U.S.' attempts to create a cyberdefense structure 
    >is the Critical Infrastructure Coordination Group, an assembly of 
    >cabinet undersecretaries and other senior officials sworn to work with 
    >the FBI and American business to protect a society that now depends 
    >on a safe, free flow of bits and bytes. 
    this is exactly the wrong level to address the real threats that exist in
    "cyberspace."  people at this level are committed to maintaining the
    existing power struct, and are generally oblivious to the "threat" that
    the internet presents to that struct.  people who could actually foresee
    and defend against the real threats to cyberspace are more likely to be
    invisible to that level of government/corporate official -- and unlikely
    to be credible to it...
    >'I don't think the government can any longer say we know what's good 
    >for you and we're going to take care of it.'
    >-- James Adams, head of Infrastructure Defense Inc.
    and yet there is no indication that this philosophy is actually being
    adopted by the clinton administration or any other industrialized
    >But even as the defense structure emerges, civil libertarians, industry
    >executives and even administration insiders worry about how well the
    >Clinton administration or its successors can steer between protecting
    >against all forms of disruption on one hand and creating a police 
    >state on the other. 
    >Fears that police agencies will use the threat to gain unprecedented 
    >power "reflect a misunderstanding of what we're all about and what the
    >administration is all about," said Michael Vatis, director of the 
    >National Infrastructure Protection Center (NIPC) at the FBI. 
    well, let me clear up this "misunderstanding" by drawing upon personal
    experience: existing central organizations want the tools of a police
    state without acquiring the reputation of one.  the nuance between the
    two is something that i have, as yet, failed to comprehend...
    >"We are structured as a real partnership [between government and 
    >free enterprise]. It's our own intention to bring people on board from
    >private sector. We all say the same thing." 
    the threat posed by the democratizing potential of the internet is as
    much a threat to the existing corporate structure as it is to the
    government.  it is in both their interests to reign in the current
    explosive evolution of the net...
    >But James Adams, former chief executive officer of United Press
    >International and head of the newly formed Infrastructure Defense Inc. 
    >consultancy, said government must surrender more power first. "I 
    >don't think the government can any longer say we know what's good 
    >for you and we're going to take care of it. The government is becoming 
    >increasingly irrelevant. 
    yes, it is.  and it is predictable that increasingly irrelevant
    organizations will fight til the death to maintain not only their
    relevance but also their power in the social structure...
    >Either way, bitter, seemingly endless disputes between the 
    >administration and the people whose cooperation it needs already 
    >have tainted the process of developing a national approach to 
    >protecting critical information assets, both sides said. A five-year
    >over use and export of data-scrambling technologies crucial to data 
    >security, for instance, has alienated much of the computer industry. 
    why is it that an "increasingly irrelevant" institution retains the
    "right" to keep secrets from us while it resists our right to keep
    secrets from it?  why is it that the clinton administration continues to
    want to compartmentalize the people's right to privacy (which it calls
    secrecy) into various levels, allowing corporate privacy in "strategic
    sectors" (such as banking), and promoting the right of american
    corporations to maintain their security from foreign "industrial spies"
    but still refuses to allow private citizens the _right_ to digital
    privacy (whether in the work place, in the home or over the net), or the
    right of wired companies to export secure products using real encryption?
    >FBI demands that telephone companies spend hundreds of millions of 
    >dollars to make wiretaps easier to perform, meanwhile, have led to 
    >charges of betrayal by phone companies that claim they were 
    >promised more compensation than they're getting, and civil libertarians 
    >who say the new proposals invite abuse by rogue police.
    this needs to be said: the fbi is an institution unlikely to evolve
    sufficiently to participate in the new digital world.  whereas it might
    have been useful in arresting and convicting the mobsters of olden days,
    it is uniquely unprepared to face the real threats of the digital world. 
    the fbi remains alone in its inability to crack des, which shows how
    unprepared it is to face the criminals of cyberspace...
    >"Our members are scared to death of this whole program," a
    >Washington association executive said, insisting on anonymity. 
    >"You've got the FBI and the National Security Agency pushing this 
    >thing. These guys are spies."
    and they want to know _everything_ about you!  the legacy of j. edgar
    hoover is simply too obvious; the more they can learn about you, the more
    that they can hold your secrets against you in order to gain your
    cooperation, compliance or at least your obeisance.  if nothing more,
    this form of blackmail (yes, government-organized, federally-approved
    blackmail) insures their continued funding...
    >"Then there are these 'private sector' groups springing up to 
    >coordinate 'information sharing' about how different companies have 
    >these huge holes in their networks. Some of them are headed by 
    >ex-Defense Department people. The whole thing makes us paranoid." 
    the juxtaposition of the emergent digital order is such that even those
    who have reason to agree on the preference for stasis cannot agree on how
    this stasis should be maintained!
    i have come to the conclusion that the internet cannot be all things to
    all people.  it is not a simple, benign structure that merely extends
    existing communications, corporate and governmental entities.  the net
    does change the nature of society, communication and human interaction,
    and this will force a change in economic and governmental institutions.
    the argument is made that the federal government is somehow the mother of
    the internet, responsible for its existence because it provided the
    initial funding.  but this overlooks all the time and expertise devoted
    to the net's development by its users, who developed the resources that
    the world so values today.  both e-mail and the web were offshoots of the
    "internet project," hacks performed to extend its usefulness and
    significance -- not responses to federal funding.  the backbone that the
    government financed is no different than the interstate highway system
    that it built in the 1950s -- and we do not value interstates so much as
    the cars that use them.  the same thing is true of the net!
    the federal government's "ownership" of the net has been onerous at best.
     where once hardware was important, the new digital world values code,
    not hardware; yet, on the net, most of the code went (and continues to
    go) out for free!  if this code was actually quantified its value would
    far exceed that invested by the federal government, and the real
    investors, the real developers, of the net would be dully recognized. 
    the federal government gave us a playground -- one that it provided for
    its own selfish purposes.  we should be thankful for this playground, but
    we should not be subservient to the federal government for it.  we made
    that playground useful, we made it fun and we made it important.
    the presence of such strategic assets ("power grids, hospitals, banks,
    farms, factories and railroad switches") is an afterthought on the net. 
    their presence represents an alien invasion that needs to be
    accommodated, but should not necessarily change the nature of the net. 
    no one is thinking about this.  rather, the government is attempting to
    impose archaic values of centralized governance upon the net -- a place
    where such values will surely fail!
    perhaps more important, those institutions that seek to port themselves
    over to the digital environment need to think out carefully what they are
    doing -- and specifically, what they are getting themselves into.  many
    fortune 500 companies and many government agencies have extensive
    security apparati to protect their physical assets, and yet they are
    shocked, shocked i say, by the need for security measures on the net. 
    who are they kidding?  why is it that they assume that the net is just
    like the commercial environment in which they are accustomed in every way
    except security?  and why do they scream for "protection" from "evil"
    hackers before they spend the time and money to close their wide-open
    doors and windows?  is this merely another attempt at securing corporate
    finally, i say again: who invited them here?  these archaic institutions
    invade the digital environment, seeking to port their values to it, and
    then expect its colonizers to sit idly by?  come on, who's conning who?
    a very nouveau-political concept is that of stakeholders (union members
    as stakeholders of corporations, etc).  _we_ are the stakeholders of the
    net, and we do not necessarily accept the attempt to port lame concepts
    of commercialism and behavior to our environment.  hackers are not
    terrorists, they are explorers.  we are far more interested in your code
    than your database -- although that can be a fun place to play, too. 
    hackers tend to be less interested in taking advantage of security
    weaknesses as in pointing them out -- and the more prominent the target
    (ie, DoD, NASA, any microsoft product), the more prominent the
    "announcement" that its security measures are obviously inadequate.
    hackers are not the threat, but the solution to the threat.  it is a
    mistake to think otherwise...
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:07:16 PDT