Words will never hurt me?
Patching is too important to be neglected
Misuse of language is turning 'ordinary, decent computer criminals' into 'cyberterrorists' who menace world peace.
While the tanks were rolling into Georgia during the recent military conflict with Russia, there was, apparently, a simultaneous “cyber war”, with Russian forces accused of conducting widescale denial-of-service attacks against Georgia's internet infrastructure.
And this isn't the first time Russia has done it, some believe. In May 2007, following violent protests after the removal of a war memorial in Tallinn, a number of Estonia's official websites were defaced or subjected to denial-of-service attacks. At the time, commentators suggested that the hidden hands of the former Soviet security forces were on the keyboards.
The reality was less exciting, with the attacks being traced to disgruntled individuals doing their bit to protest. This sort of “hacktivism” is not particularly new, being pioneered back in the 1990s with tools such as Floodnet.
It's too early to say whether the attacks on Georgia were state-sponsored or not. What is clear to any reasonable observer is that they were militarily ineffective. Taking out a country's internet would definitely have an economic impact in the longer term. It is however unlikely to be of tactical significance in smaller conflicts.
There is a trend to promote “cyberwarfare” as the new threat to panic about. This is tied in with the catch-all field of “critical national infrastructure” protection. Ironically, this trend took hold in the UK a few years after we had finished dismantling the old civil defence infrastructure that covered similar ground. We are reinventing the wheel.
It's not all bad. The UK's Centre for the Protection of National Infrastructure (CPNI) is doing a lot of good work and its website (www.cpni.gov.uk) is worth checking out, as it has a wide range of useful publications (I'm pleased to see that in typical British fashion CPNI adopts the less trendy term “electronic attack”, eschewing the use of any terminology found in Dr Who scripts).
The more worrying trend involves using inflammatory language about “cyber attacks” to inflate relatively harmless computer criminals into James Bond-style terrorist masterminds seeking the overthrow of the free world.
Take the case of Gary McKinnon, who “hacked” a number of US military systems and is now facing extradition to the US as a “cyberterrorist”. McKinnon's “hacks” mainly involved systems that had no passwords set, so perhaps the US military's focus should be on its sysadmin staff. The systems he attacked were also relatively low-grade; unfortunately, the popular press and much of the public seem unable to distinguish between “systems run by the military” and “systems critical to military operations”.
McKinnon's actions were almost definitely illegal (under the UK Computer Misuse Act) and certainly foolish (he broke in several times shortly after the September 11 attacks), but to suggest they represented a serious threat to the operational capabilities of the US military is laughable.
Or rather it would be, if it weren't likely to end up in harsh and unjustified punishment for him (see the five-year sentence for Kevin Mitnick, whose prosecutor famously claimed could launch a nuclear attack by whistling into a payphone).
We are going through a time of “terminology inflation”, where a simple change of the naming convention turns relatively harmless computer criminals into dangerous “cyberterrorists” whose extradition is justified. It's doubtful we even need the term cyberterrorist; if a terrorist uses a car, we don't call them “autoterrorists”.
More important is the differentiation between criminal and military action and how we respond.
It would be foolish to assume that hostile military organisations have no intention to attack the electronic infrastructure of their enemies; it would be equally foolish to assume that any attack aimed at a military computer system is an act of war. Treating “ordinary decent criminals” as military attackers sets a worrying precedent.
Nick Barron is a security consultant. He can be contacted at email@example.com