Another poll, another breathless doom and gloom prognostication. This time cyberwar is seen as top threat facing US:

Cyberwarfare is the most serious threat facing the United States, according to almost half of US national security leaders who responded to the inaugural Defense News Leadership Poll, underwritten by United Technologies.

Let's skip over the details of the poll, some of them questionable due to the self-selection of the respondents (of all the subscribers asked to respond to the survey, only 9% did) and the slightly dubious truthfulness of the respondents about their actual ranks:

  • 57% of the military respondents said their rank is at least brigadier general/rear admiral;

  • 45% of the industry responders said they’re corporate executives;

  • … you get the idea.

Knowing, and working on a daily basis with, corporate executives, I can tell you that they do not jump at every opportunity to respond to polls. But we’re not here to pull that poll apart. We’re here to shine a critical light on the latest mass hysteria: cyber warfare.

When I saw the tweet linking to the survey results retweeted by an Australian think tank, I had to say something.

Here is why cyberwar is overhyped from the technology point of view:

Remember how much time and effort was estimated for the creation of Stuxnet? It was years in the making and required expertise in a number of disparate technologies that had to work together just right in order to complete the mission. And once discovered, it was rendered ineffective in hours. That was a cyber attack on a single type of industrial control system (ICS), and it worked only because it was tailor-made for that system and did not make itself obvious. Imagine you wanted to stop production (of electricity, refined oil, whatever…) at a facility. You have two options:

One, deliver the malware long in advance and hope it doesn’t get discovered until a pre-set event (because remote control is something you really shouldn’t bank on); or,

Two, spend your perfectly good attack on a single facility and hope it produces a big enough bang for your buck.

Remember, that’s just a single facility out of many that will need to be attacked at the same time in order for the system to really feel the pressure. There is a high chance that other facilities will require you to change your code in order to work properly for that environment.

In short: you can spend years to develop malware that will end up having the same effect as a squirrel chewing through the wrong cable.

Yes, the malware delivery channel could, theoretically, be reused. However, the same rule applies: once it is discovered, it will be rendered ineffective. Consider it a one-shot wonder, so don’t waste it on single attacks.

And you are running against time: the longer it takes to write and test exploits, the higher the likelihood that your target will make enough changes to their internal systems that you will need to rewrite parts of your code, or even the lot of it.

That is, in simple terms, why the cyberwar hype does not stand up to scrutiny from a technical perspective.

Cyberwar does not make sense economically, either.

First of all, to wage “cyber warfare” you need a steady supply of experts and money. You also need to stay off the list of countries to which certain technologies cannot legally be exported. This last bit automatically makes it that much harder for two of the favourite cyber villains: Iran and North Korea. That leaves two other cyber villains sitting at the poker table: Russia and China. China, being the favourite whipping boy for the Five-Eyes countries, of course fits the bill:

Economic strength? Check.

Availability of skills and talent? Check.

Availability of required technology? Made in China. (Designed elsewhere.)

So why wouldn’t China play in the big game of “let’s have cyberwar and jolt the world that is giving us humongous sums of money that are keeping our economy going which is in turn keeping the lid on internal dissent and making the middle class if not happy then at least begrudgingly spend-happy”? Gee, I wonder. It’s not as if the Chinese Central Committee isn’t doing everything in its power to keep the party (heh) going. Oh, it is?

OK, but what about Russia? Yes, Russia definitely has the nous and the capacity to do severe damage to the world that is feeding it. Except, you see, the Russian powers that be have the same preoccupation as the Chinese: keep the middle classes off the streets (keep the economy from tanking completely, in Russia’s case). So if we accept that countries go to war in order to gain benefits, what’s the benefit of kicking oneself in the teeth again?
