Check the Hype -- There's No Such Thing As 'Cyber'

How can you tell the difference between a real report about online vulnerabilities and someone who is trying to scare you about the security of the internet because they have an agenda, such as landing lucrative, secret contracts from the government?

Here's a simple test: Count the number of times they use the adjective "cyber." Nobody uses the word "cyber" anymore, except people trying to scare you and trying to make the internet seem scary or foreign. (Think, for instance, of the term "cyberbullying," which is somehow much more crazy and new and in need of legislation than "online bullying.")

When was the last time you said, "I saw this really cool video in cyberspace" or "My cyber connection is really slow today"? Of course, no one speaks like that anymore. The internet is no longer distant or foreign (though it thankfully remains beautifully weird). It's familiar and daily. It's the internet. It's so ordinary, Wired.com stopped capitalizing it more than five years ago.

Need an adjective to describe something that is internet-based? Try "online."

But when it comes to scaring senators, presidents and the nation's citizens into believing the Chinese, the Russians or Al Qaeda are stealing all our secrets or bringing down the power grid, the internet somehow morphs back into "cyberspace."

Here's a good example of the "cyber" test from a pretty interesting story from The Washington Post about the National Security Agency disabling (rather ineptly, it seems) an online forum used by radical Islamic fundamentalists to plan terrorist attacks.

The Post uses the adjective 12 times in describing how the NSA and CIA bickered over whether NSA "cyber-warriors" should use hacking techniques to take down a message board that suspected Al Qaeda members were using to make plans. In a brilliant stroke of "cyberwar," the NSA "cyber-operators" took down the CIA-sponsored honeypot message board where extremists were being monitored, somehow inflicting collateral damage on some 300 innocent servers in the process.

Forbes got into the "cyber" action this week as well.

Amit Yoran, a respected security expert who runs a company that sells computer security services to the government, wrote a long post on a Forbes blog this week to defend the concept of "cyberwar," in no small part because this blog ranted about how that term is used to hype militarization of the internet and feed a new and very dangerous arms race.

Yoran says the debate doesn't matter (even as he falls firmly in the cyberwar camp), but what's important is that everyone recognize that the danger of underestimating online risks is worse than "the impact of misrepresenting or miscalculating risk [...] in the sub-prime market," which led to "cascading global financial meltdown."

Gulp.

That sounds scary. Bad firewalls will lead to something worse than a global financial meltdown? (That sounds suspiciously like what Michael McConnell told President Bush to scare him into creating a secret government "cybersecurity" plan.)

Those looking for a reality check might check how many times Yoran uses "cyber" in the body of his piece.

The answer: 42. (Yes, we think that's funny, too.)

Yoran defines "cyberwar" as being launched via "cyber attacks" or "cyber exploitation." He defines the latter as "the compromise of these targets without their destruction or disruption, but rather through covert means, for the purposes of accessing information or modifying it or preparing such access for future use in exploitation or attack."

That's the very definition of what the NSA does – wiretapping abroad (and sometimes domestically), finding ways to spy on electronic machines simply by capturing their unintentional electromagnetic radiation, and scooping up radio and satellite communications of allies and adversaries alike.

Yoran and Forbes also fail to mention that his company, NetWitness, markets computer security equipment to the government and has a vested interest in the outcome of this debate.

Yoran disputes that his company stands to gain if the "cyberwar" terminology wins.

"We're not a government 'cyberwar' operation by any stretch and have nothing to gain by the terminology I suggested in my blog," Yoran wrote, saying that his company sells the exact same technology to corporations and governments. "I don't care what it's called. And think, if anything, the war implication is a bad one for many reasons."

But for those who relish the idea of a new front for war, it's way cooler and scarier to say we are in the midst of – and losing – a cyberwar, than to factually state that the Chinese want to steal our secrets and we want to steal theirs and we should have better computer security.

That kind of rhetoric doesn't launch sensationalist – and often demonstrably false – scare stories in opinion-making outlets like 60 Minutes, The New York Times, The Wall Street Journal, The Washington Post and the National Journal.

No, when that kind of fear-mongering is needed to loosen the purse strings for computer security, only one word will do.

Cyber.

And it's even better when repeated ad nauseam in front of Congress and at the country's top security conferences by former and current government officials, even if those people couldn't even enable MAC address filtering on their own wireless routers.

Or as the Beastie Boys might have put it a couple of decades later, "Our Backs Are Up Against the Wall/Listen All Y'all, It's Cyberwar."

Update: 3:40 PM Pacific – The story was updated to include comment from Amit Yoran and to correctly note that his company sells technology products, not services.
