Q&A of the week: 'The current state of the cyber warfare threat' featuring Jeffrey Carr

Q&A of the week: 'The current state of the cyber warfare threat' featuring Jeffrey Carr

Summary: In this week's Q&A, I chat with Jeffrey Carr, the founder and CEO of Taia Global, and the author of 'Inside Cyber Warfare: Mapping the Cyber Underworld', on the current state of the cyber-warfare threat.

SHARE:
TOPICS: Security
22

Dear blog readers,

ZDNet's Zero Day begins a new weekly feature called 'Q&A of the Week' which aims to bring you invaluable insights from industry leaders and internationally recognized experts in the areas of cybersecurity, cybercrime and cyber warfare.

In the first post of its series, I chat with Jeffrey Carr, a cybersecurity expert and author of 'Inside Cyber Warfare: Mapping the Cyber Underworld', on the current state of the cyber warfare threat.

We discuss Stuxnet, Russia, China, Iran, cyber conflicts, false-flag operations, and the U.S's current understanding or lack of understanding of its adversaries' true cyber-warfare capabilities.

Enjoy and don't forget to TalkBack, we'd love to hear from you!

Let's start from the basics. Who is Jeffrey Carr?

Jeffrey Carr, the founder and CEO of Taia Global, is the author of “Inside Cyber Warfare: Mapping the Cyber Underworld” (O’Reilly Media 2009 and 2011 (2nd edition)). His book has been endorsed by General Chilton, former Commander USSTRATCOM and the Forward to the Second Edition was written by former Homeland Secretary Michael Chertoff. Jeffrey has had the privilege of speaking at the US Army War College, Air Force Institute of Technology, Chief of Naval Operations Strategic Study Group, the Defense Intelligence Agency, the CIA’s Open Source Center and at over 60 other conferences and seminars.

Now that you know more about Jeffrey, here's the actual conversation.

Dancho: Nowadays, the mainstream media often portrays cyber attacks using the term "Digital Pearl Harbor"? Do you believe that a devastating attack on U.S infrastructure must take place for policy makers and the general public to start paying more attention to the ongoing cyber-warfare arms race? Also, do you believe that the focus on a devastating attack has shifted the attention from the current threat landscape where cyber spies from multiple governments systematically penetrate and steal intellectual property from Fortune 500 companies?

Jeffrey: No, I don't think a major catastrophe is necessary. We're already at a point where cyber security is being taken more seriously due to the vast amount of IP theft. That's not to say that we're doing the right things because we aren't. But the awareness of the problem and the desire to do something about it both currently exist sans any type of digital Pearl Harbor.

Dancho: How significant is the role of mainstream media to raise awareness on the current situation, and do you believe it has the knowledge and understanding of the problem to do so?

Jeffrey: Media is critical in raising awareness but 99% of journalists don't have the requisite knowledge to report the story accurately.

Dancho: How would you describe Iran's current understanding of information warfare operations, and overall cyber-warfare ambitions? Do you believe Iran is a threat, based on the relatively modest hacking activities we've seen by pro-Iranian hacktivists, or are they on purposely not revealing the true state of their cyber warfare capabilities in order to misinform the public and U.S policy makers?

Jeffrey: I believe that Iran should be taken seriously as a State with aggressively developed cyber-warfare capabilities. Iran's Islamic Revolutionary Guard Corps set up its first official cyber-warfare division in 2010 with an estimated budget of US$76 million. There is also an Iranian cyber militia that is supposed to number about one million persons. Some of their hacker crews have demonstrated a high degree of skill in past attacks against Israeli government sites and China's Baidu.com - and at least one crew is known to be connected with the Iranian government.

Dancho: Can you compare Russia vs China in terms of operational capabilities and intent to launch cyber attacks, which of these countries is more persistent, and what is the overall difference in their cyber-warfare doctrines, if any?

Jeffrey: Yes, both Russia and China are spending a lot of money on encouraging foreign investment within their borders which in turn allows their security services to capture a vast amount of proprietary information in three ways: (1) via normal communication channels (satellite, landline, mobile, VPN, etc.); (2) through technology transfer which occurs when Russian and Chinese engineers are hired to work at foreign companies for 1-2 years and then transfer to State-owned companies - +taking the knowledge that they learned with them; and (3) by their respective security services, approaching foreign companies and demanding copies of their source code for national security reasons. All three of these strategies are perfectly legal and don't require hacking into a network. Having said that, both countries also acquire stolen IP from professional hacker crews of mixed nationalities.

And both countries have stood up information warfare units (neither country uses officially uses the term "cyber") but only Russia has combined kinetic attacks against foreign countries with a cyber component (i.e., Georgia, Kyrgyzstan, and Chechnya). China has not used its cyber capabilities in an offensive way - at least not as far as I've seen.

Dancho: Collectivist societies such as Russian and China have a stronger and more vibrant civilian cyber militias, compared to individualistic societies. Do you agree, or disagree and why? Also, do you believe that Russia and China are "subverting the enemy without fighting him", by forwarding the process to their collectivism-minded civilian or government-tolerated cyber warriors?

Jeffrey: I believe that Estonia is organizing a cyber militia and they're a democratic society. I think the U.S. would have some success at that as well if the DOD ever agreed to set it up. Many countries, including the U.S., Israel, Russia and China, engage in information warfare and influence operations which include a cyber component. However, Russia won't hesitate to use an iron fist where China will find ways to exert pressure in more subtle ways.

Dancho: While the Pentagon is busy drafting cyber warfare rules of engagement, Russia and China are busy allowing the development of self-mobilizing civilian cyber militias? Do you believe the Pentagon is aware of these latest developments, or it's stuck in a "paper tiger" warfare with these nations?

Jeffrey: The Pentagon is certainly aware of those foreign cyber militias. It's not as if it's a secret. I just don't think that the DOD wants such a civilian militia set up in the U.S. unless it's part of the National Guard.

Dancho: Are you aware of the existence of the so called "People's Information Warfare" concept, originally pioneered by China, as well as the rise of opt-in botnets where average Internet users knowingly donate their bandwidth and network connectivity for use in ongoing cyber attacks?

Jeffrey: Yes, I think it's a testament to the fierce nationality and patriotism found in many foreign countries. Many citizens naturally want to support their government in times of crisis. For example, most of the cyber attacks done by Chinese hackers against foreign targets were performed after an attack against China (i.e., the Kosovo bombing of China's embassy, the downing of a Chinese military jet, the attack against Baidu, etc.). The Russian cyber attacks against Estonia were launched after the perceived insult of Estonia moving a Russian statue. I'm not siding with either government. I'm simply making the observation that civilians typically involve themselves in group cyber attacks when they believe that they're defending their country.

Dancho: For years China has been developing and promoting the use of its own hardened secure Operating Systems, such as Kylin OS and Red Flag Linux. Europe followed this example with its secure OS Minix, and Russia is also showing interest in the concept or a nation-sponsored secure OS. Taking into consideration the fact that the U.S military has spent years developing offensive cyber warfare weapons affecting Microsoft's Windows, the most widely distributed operating system globally, does this put the U.S at a strategic disadvantage, or is China actually undermining the security of its own infrastructure by introducing a new, largely untested Operating System for public and military use?

Jeffrey: Well, I'd call it an inconvenience at most. We should have the resources to obtain the source code for those new operating systems in much the same way that our own source code is obtained by foreign agents or hackers. Interestingly, a lot of coding is out-sourced to other countries so the opportunities to "intercept" it are certainly there.

Dancho: Microsoft recently kicked out a Chinese company from its Microsoft Active Protections Program (MAPP) program. However, through its Microsoft’s Government Security Program (GSP), the company is sharing source code with Russia's FSB and the Chinese government. Do you believe this poses a risk to U.S national security, and are the financial benefits out of the deal worth the possible national security implications in the age of Microsoft's mono-cultural dominance?

Jeffrey: Yes, I do see it as a national security threat. In fact, any foreign company that wants to do business in Russia, China, or even India, must surrender their source code upon request of the security services or face the possibility of having their license to do business in that country pulled.

Dancho: It's fairly logical to assume that nations involved in defensive cyber-warfare activities, are also busy pursuing the developing of offensive cyber-warfare weapons. In fact, in the past on numerous occasions the Pentagon has expressed its intentions to use kinetic force against sources of cyber attacks somehow endangering the CIA's (Confidentiality, Integrity and Availability) networks. Are you a firm believer in the applicability of "virtual shock and awe" campaigns in today's interconnected world? How would you comment on the possibility of an adversary using compromised legitimate infrastructure as a "virtual human shield" in an attempt to undermine the offensive cyber warfare capabilities of a particular nation, the U.S for instance?

Jeffrey: I can only speculate, of course, but I think you pose a reasonable strategy that many nation states are worried about; hence the frequent discussion of drafting treaties that dictate certain Rules of Engagement. Most want to prevent cyber attacks against critical infrastructure or other civilian targets that could cause mass disruption.

Dancho: Government tolerated vs government sponsored cyber attacks? Do you make a difference between the two and just how important is it at the end of the day?

Jeffrey: Both Russia and China "tolerate" certain illegal actions by organized crime groups in exchange for future cooperation from those same groups in matters related to national security. This could certainly include cyber criminals who are affiliated with organized crime. A "sponsored" attack might mean one performed by one of those protected gangs or one done by a patriotic organization such as the official state-run youth associations in Russia or large patriotic hacker organizations like the Red Hacker Alliance in China. I think it's important to understand that these states have multiple resources to draw from before they get to the third option - using their in-house capabilities; i.e., their foreign intelligence services.

Dancho: The Russia vs Estonia cyber attacks are often described as "World Web War I"? Do you believe this is the case, why and why not?

Jeffrey: No, not at all. It certainly wasn't the first time that Russia mounted cyber attacks against another State. They did it at least twice before in 2002 (Chechnya) and 2005 (Kyrgyzstan). Chinese hackers mounted thousands of attacks against U.S. government websites in 1999 after the accidental NATO bombing of the Chinese embassy in Kosovo.

Dancho: In Russia vs Georgia cyber attacks we saw an example of Russia's understanding of information warfare operations . Do you believe the attackers were government sponsored, or were they basically government tolerated given the lack of prosecution for any of the involved hacktivists and botnet masters? Is it important to make the difference between the two cases in the context of cyber attack attribution? Why and why not?

Jeffrey: I believe that there was government direction involved in the cyber attacks mounted against Georgia, and that this direction was funneled through the State office that runs the Nashi. I'm confident that Nashi leadership received their instructions from highly placed Russian officials and passed it to their membership who in turn organized their attacks via online forums like StopGeorgia.ru. Most of the research that I've done on the cyber component of the 2008 Russia Georgia war can be found in my book "Inside Cyber Warfare" and in the Project Grey Goose reports (Phase I and II).

Dancho: The discovery of Stuxnet also dubbed the "Nuclear Worm" changed everything. Do you believe this was the first time the security community successfully intercepted a nation-to-nation cyber black ops operation?

Jeffrey: Yes, Stuxnet was certainly a game-changer in terms of known cyber attacks. There may have been more sophisticated worms out there but Stuxnet was the first of its kind that was made public.

Dancho: Could Stuxnet be described as the revenge of the pro-Western Ph.Ds, or do you believe it had to be a pro-Western government-funded operation to begin with? Also, do you need a Ph.D to launch a cyber operation similar to Stuxnet, or not so technically sophisticated attackers could have achieved the same effect if they wanted to?

Jeffrey: You certainly don't need a Ph.D. to create a worm like Stuxnet. Ralph Langner, who has done much of the heavy lifting around analyzing Stuxnet, doesn't even have an engineering degree. He has a degree in Psychology, I believe, and taught himself engineering later in life. You do need to have a knowledge of industrial control software and an engineering degree would certainly help, but that's about it.

Dancho: In the latest edition of Richard Clarke's book 'Cyber War', he argues that Stuxnet is a virtual boomerang that will eventually hit back the U.S, a country he believes is among the countries that sponsored and actually executed the attacks. How would you comment?

Jeffrey: Richard Clarke should stick to something he knows about like counter-terrorism and avoid speaking about things which he knows nothing about like cyber warfare or cyber security. I doubt that he can make any kind of case that the U.S. was responsible beyond a wink and a smile. No one wants Iran to have nuclear weapons and that includes Russia and China. The fact that neither country wants Iran to be enriching uranium and that fact that both countries haven't supported sanctions suggests to me that Stuxnet could have come from either of those two countries just as easily as from a Western nation. After all, if not sanctions, why not a worm designed to cause havoc and hopefully dissuade Iran from further enrichment activities?

Dancho: I once pointed out that "Cybercrime is an element of economic warfare". How would you comment?

Jeffrey: I agree with you. I've also pointed out that cybercrime finances the development of cyber "weapons" which can be used in acts of espionage or geo-political actions like Estonia, Georgia, etc.

Dancho: Malware infected hosts has been used as stepping stones for launching more cyber attacks, and hiding the physical location of the attacker for years. Burkina Faso could easily impersonate Russia, China or Iran online, a scenario we've already seen in Tom Clancy's 'The Sum of all Fears'. Locked in between all the current cyber warfare tensions, do you think we're missing the possibility of an ingenious anti-Western oriented mastermind or a regime located in a Third World country, pulling the strings behind such campaigns? How realistic do you believe is the potential that developing nation states could be launching false-flag cyber operations in an attempt to engineer cyber-warfare tensions between developed nations?

Jeffrey: I'm not much for "masterminds" but a false-flag operation is a real threat and, in my opinion, it's standard operating procedure to launch an attack from servers that are not in the same geographical region as the attacker.

Dancho: Access to thousands of geolocated malware-infected hosts could be easily purchased, thanks to the increasing number of underground market propositions offering access to such hosts. With each and every Fortune 500 company reporting a successful cyber intrusion or that they're permanently under attack, just how prevalent do you believe is the collection of valuable OSINT data through these easy to purchase botnets?

Jeffrey: My view based on incident response work that my company has done for DIB members and other Fortune 500 companies is that most attacks are done by mercenary hacker crews who in turn sell the valuable data that they've stolen to governments or other interested parties. Those hacker crews most likely utilize cheap botnets whenever they can since it would help obscure any attempt to identify who they are.

Dancho: North Korea is well known to have developed its own cyber-warfare units, for instance, the infamous "Unit 121". How would you describe North Korea's current understanding of information warfare operations, its capabilities and intent to launch cyber attacks against the U.S and South Korea?

Jeffrey: North Korea has spent a great deal of money on its IW capabilities. It sends its soldiers to excellent schools in India and China for technical training. If you can believe South Korea, it suffers from multiple successful attacks originating from the North. I haven't seen any evidence of North Korea launching what I would call serious attacks. They seem to be mostly nuisance DDoS or defacement strikes. South Korea has cried "wolf" a bit too much for me to believe everything they say about being the victim of cyber attacks from Unit 121.

Dancho: With its well known ally China, North Korea could easily adopt China's information warfare model in an attempt to gain strategic advantage in future cyber-warfare conflicts. With cybercrime-as-a-service underground market propositions increasing, just how feasible do you believe is a situation where North Korea starts outsourcing all of its cyber warfare needs to Russian or Chinese cyber criminals?

Jeffrey: I doubt that's ever going to happen. The North Korean government is too unstable, too irrational, for either Russia or China to tolerate that situation.

Dancho: North Korea is often given a relatively low score on the infamous Cyber Threat Matrix estimating the cyber warfare capabilities of multiple nations. However, the same doesn't apply to Russia or China. Do you believe in the relevance of Cyber Threat Matrixes? Do you think that North Korea could easily occupy one of the top positions on these by simply outsourcing its cyber-warfare needs to its ally China, or perhaps even Russia? Should we fear North Korea's in-house cyber-warfare doctrine, or should we feel the day it starts outsourcing in an attempt to catch up with the rest of the world?

Jeffrey: I haven't seen a cyber threat matrix that I have any confidence in. North Korean IW soldiers are well-trained as I said in my answer to one of your previous questions. I wouldn't put them at the top of any list but neither would I put them at the bottom. I think they hold a solid mid-level position.

Dancho: From Eligible Receiver, to Silent Horizon and Cyber Storm, how would you describe the practical relevance of cyber exercises performed by the U.S in today's fast changing cyber threat landscape? Moreover, how would you describe the OPSEC leak when Cyber Storm's Power Point presentation containing details on the actual cyber warfare scenarios leaked on Cryptome.org in 2006? Do you believe this leak allowed foreign adversaries a peek into the U.S's understanding of cyber warfare, or did it have a minimal impact on the OPSEC of the exercise?

Jeffrey: Leaks are never good from an OPSEC point of view. And other governments closely monitor everything that the U.S. Dept of Defense is doing in cyberspace.

Dancho: From Solar Sunrise, Moonlight Maze, Titan Rain, Operation Shady RAT, the the Night Dragon campaigns, the rise of the so called advanced persistent threats (APTs) is pretty evident. Do you believe that publicly sharing details on successful cyber-espionage campaigns undermines the confidence of the U.S's allies in the U.S's ability to protect its critical networks, potentially giving its enemies the blueprint to launch similar attacks in the long term?

Jeffrey: Our allies are sometimes the ones responsible for those attacks, Dancho! France, Germany, and Israel are all very active in terms of conducting cyber-espionage operations against corporations. Overall I'm in favor of information sharing as long as the names of the victims are kept confidential. I see no risk to the U.S. in publishing facts about network breaches. No country is safe from those types of attacks.

Find out more about Dancho Danchev at his LinkedIn profile, or follow him on Twitter.

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

22 comments
Log in or register to join the discussion
  • the most amaizing part of this interview

    is that most questions are more verbose than answers.
    ForeverSPb
    • Even more amazing

      is that the author is speaking in a second, non-native language. Obviously he takes a lot of pride in his grasp and command of the English language, since it took a lot of work to achieve it (and it shows).
      klumper
  • If it's so dangerous

    online these days, then why not put a lot higher requirements on important parts of the IT? We already know that Windows PCs are responsible for the lion's share of the problems and subsequent high costs.

    The logical consequence is to remove Windows.
    We'll never hear that recommendation from the experts building security software, they want us to subscribe on virus definitions instead, of course.

    This industry thrives on the on-line chaos, a lousy built MS Windows and a more or less clueless average joe.
    Mikael_z
    • laughable

      windows works just great. its end-users lacking in simple safety practices that result in the lions share of problems. your probably one sentence away from advocating OSX in enterprise. But then that would mean you agree, that users need to be kept in a walled garden. and that windows in and of its self is not the root of the problem.
      jonathan tucker
      • If you with "walled garden"...

        mean security automatically then sure, we absolutely need that, even "experts" such as myself. This is exactly where Microsoft has failed almost completely.
        In real life and for most of us the platform simply is irrelevant.
        What's important is our data such as music, photos, text documents and so on. A computer can read and process all of this, a GOOD computer can also successfully protect it.
        Microsoft should have been kicked out from the enterprise and our homes a long time ago.
        Mikael_z
      • They are all vulnerable

        It is absurd and demonstrably false to assert that we have robust security available from any modern stack of operating system, communication software, and business documents. As the percentage target, Microsoft has been subject to the most attacks and is arguably now the more secure. Exploits of OS X have appeared with increasing frequency and severity the last two years. Its greater vulnerability was widely asserted at BlackHat 2011. The Flashback botnet has exploded any confidence in its security. Companies respond to market pressure in prioritizing development efforts, and Microsoft has seen the most such pressure due to their being the larger target.

        The bottom line is that a few good coder-months of effort will yield a new exploit in any of these systems, and a few attacker-weeks will deliver it as a zero-day exploit to any target person who functions in a modern business communication environment. If someone has those resources, we have no defense if we are connected.

        Regardless of the systems for which you may be fanboi or hater, they are all vulnerable and will be for the forseeable future. The only true cyber security is an air gap, at the cost of isolation from the business world.
        cbiow
      • @cbiow, All things are NOT equal

        one platform stands out as significantly worse than the rest combined, and above that, it has provided a virtual smorgasbord of tools for writing viruses and other types of malware.

        Why on Earth Microsoft did this is beyond me.
        Maybe it was usability before security, flexibility before common sense...
        Mikael_z
      • @Mikael_z

        Please, I emplore you to think about what you're saying. The article is talking about nation states sponsored hacking, with almost limitless resources available to them.

        There are good number of ways to circumvent Linux machines as well.

        No system is secure. None. They were all designed by people to be used by people. Surely you can see the elephant in the room? No?

        Let's imagine you change every OS for some fictitious operating system that is 100% uncrackable. That doesn't mean the users bones are uncrackable does it. The hacking will continue. Only this time it will be compromised users under duress siphoning the data or whatever the willing of the people making threats against them, or most likely their families.

        The reality is Mikael_z, that security is just an illusion. In much the same way that the lock on your front door only keeps out honest people.
        Bozzer
      • @Bozzer, but it's so *easy* to hack MS Windows PCs.

        Count the viruses!
        So if you want to secure your precious America then at least remove the Windows PCs from the critical points of your digital infrastructure.
        Still possible to hack but at least a lot more difficult.
        Mikael_z
    • The OS is immaterial.

      The nature and the purpose behind these hacking events, nation states, rogue or otherwise will render the choice of OS immaterial.

      I can't see the Chinese rulers going "oh well, if it's Apple, don't bother then.."
      Bozzer
      • Well Said

        Hit the nail on the head there, Bozzer.
        f0real
  • The Egg Games

    All this chatter about cyber security & warfare reminds me of contests involving eggs. There is one in particular called "egg tapping" (or knocking) where two people, each armed with a hardboiled egg, take turns to tap the smaller end of his egg on the likewise smaller end of the egg of the opponent. Hopefully needless to say, whoever's egg gets cracked first is the loser. The software coding that is being attacked and/or defended against, from OS to app, is much like those eggs, and maybe not even so hardboiled: it's ever more both complex and fragile every year. Private industry has been a complete failure in coming up with any robust solutions on its own, and organizations responsible for setting standards in coding, protocols, web design, communications standards, and such have been nearly utterly ineffective and/or glacial.

    Government would be much, much better off in the long run to invest more in getting better, much more robust software systems & protocols in place, whether directly or by underwriting companies who actually know what they are doing. The details of how a little company like BBN ended up getting the contract to essentially create both the Internet and email communication as we know it should be a required reading for anyone in government prefixing anything with the word "cyber".
    JustCallMeBC
    • So your blaming the virus outbreaks

      and other security failures on the evolution of the Great Internet?
      So what you're saying is that Microsoft is not to blame?
      Mikael_z
      • ??

        How the hell did you get that out of what I wrote?
        JustCallMeBC
      • @JustCallMeBC, I don't know, you tell me.

        -
        Mikael_z
      • If I had to venture a guess

        @Mikael_z can't read. Microsoft is a chronic failure at writing secure code, but there are also things like Java and Adobe's products being rather troublesome vectors of late. There is a large constellation of reasons why hacking and cyber threats are at the state they are now, and while Microsoft can probably take credit for being the largest single factor, instances like the Flashback bug, the Samba bug, DNS vulnerabilities, and so on show that it's not just Microsoft at fault. Standards for software coding, file storage, communication protocols, and Internet access need to be more more organized and made more robust.
        JustCallMeBC
    • Actually

      The Government would be better to put a stop to offshoring full stop. Why have spies when countries such as a America are prepared to hand over the manufacture of the infrastructure to countries such as China.

      Can you imagine a medieval king on seeing the blueprints for some new weapons systems then asking a rival Kingdom to build them for him.

      No, it wouldn't happen would it.
      Bozzer
  • Security is...

    ...a concrete box, a vault door, a metal Faraday cage and a guard with a machine gun. Keeping secrets anyplace else is pretty much useless.
    Tony Burzio
  • This whole propaganda is scary

    Without any actual evidence (admitting themselves that whatever happens is all outsourced) they blame certain other countries for some "cyber-warfare", must be nothing but another path to prepare people to accept the idea of total censorship & great firewall.
    polarcat
  • The Threat of Cyber-war Is Grossly Exagerrated

    Bruce Schneier is right.

    This guy is basically full of crap. So he wrote a book on cyber-war. This makes him an expert how? I can write a book on the mating habits of birds, but this doesn't make me a orthinologist. Michael Chirtoff wrote the forward to his book. Great. But there's one problem -- Chirtoff is not a computer scientist nor an expert on the subject. He is a poltician. I would not feel comfortable with Chirtoff being my doctor and I don't feel any more confortable with him proclaiming to be an expert in computer science.

    There's a *lot* of charlatans and scare-mongers in the IT security industry (many of whom have profit motives of their own). Most of the government people sounding alarms also have motives. DoD (NSA) simply wants more control to make their snooping job easier. And others outside of DoD know there are billions of dollars in government contracts that are up for grabs here. Chirtoff and other former DHS and NSA people mostly work in the private sector for technology firms who want a piece of this contract action.

    Another issue is there are no credentials to prove one is an expert in "cyber security." If I want a professional opinion on superstring theory, I go to MIT and talk to a PhD in theoretical physics. If I want an opinion on cancer, I go to Johns Hopkins and talk to a guy with M.D. or PhD (usually both) behind his name who specializes in oncology. If I want opinions on cyber-security, the best I can do is talk to some random guy who *claims* to be an expert. This guy could be a true expert, but he could just as easily be full of crap. Most of these people have no degrees of any sort, or if they do, it is usually a very general degree in computer science (which is not a degree focused on security). It hasn't been until the past few years that universities are even teaching courses focused on these topics. In the past it was sort of a "roll your own" type of field. People who knew about computer internals and networking sort of understood the threats, but there was no organized field of "security." Sure, there are some professional certifications out there, but there are hundreds of them of varying quality. That's one of our biggest problems -- there is no easy way to identify "experts" in this field. Simply having a computer science degree doesn't cut it. Simply writing books on the topic doesn't cut it either.

    I do not deny that there are threats out there. There are cyber criminals who make big bucks by fooling unsuspecting users into doing stupid things with their machines. There are viruses, trojans and worms (for Windows mostly) out there. There are even people who perform DDOS attacks (kids mostly). But this is not war. To say it is "war" is simply disingenuous. It falls under the category of crime or espionage, not war.

    He mentions Russia attacking Georgia and Estonia. The truth is no one knows what happened in those cases. The only person convicted in either of those cases was a 22 year old basement hacker who had nothing whatsoever to do with the Russian military. Those are the facts. Performing a DDOS attack is neither sophisticated nor difficult. It is also *very* easy to make it appear it is coming from somewhere else. This was what happened in 2009 with the "North Korean" DDOS on U.S. government sites. Everyone assumed it came from North Korea, but some of the IP's were traced to Florida and London. The truth is we simply *don't know* where it came from.

    Stuxent was a true military attack. No one denies that. But it likely had inside help (i.e., a CIA or Mossad operative got inside to drop it in). So, if you want to consider that cyber-war, I find it ironic that the U.S. and Isreal started the war. (Not saying I disagree with thier motivation, but just making a point.)

    So, yes there are threats, but calling them "war" is very dangerous. The truth is we simply do not know where most attacks originate. IP addresses tell you nothing. You need other intelligence gathering techniques to get a good idea of what may have happened and why. And even then you will probably never be able to prove it beyond a reasonable doubt if the attacker is sophisticated. And if you are going to go to war over a cyber-attack you better be damn sure who did it. As Bruce says "The two pieces of information you need to know in order to respond to a cyber-attack is who is attacking and why. But the two things you *don't know* in any real cyber-attack is who is attacking you and why."

    This guy also mentions China stealing IP. I'm sorry, but that's not war. It is copyright infringement and in most cases it is not even a criminal offense, but a civil one. I do not deny that it is happening, and I do not even deny it is a big problem for the failed business model of the MAFIAA, but it is not "war." Using that term for mere copyright infringement is dangerous and inflammatory and does nothing but ratchet up international tensions.

    He also mentions the Chinese telling software makers to open their source code or get out. You know what? I don't blame them. if I had a critical (national security) system to protect, I would want the source code too and I would make damn sure my engineers went through every single line of it! How is this nefarious? The U.S. government does *exactly* the same thing to Microsoft (they have always demanded the entire source code to Windows since, in some cases, Windows is used on sensitive systems). Does this mean the U.S. government is committing "cyber-war" against Microsoft? I mean the argument is preposterous. These American software companies should be grateful that the Chinese are at least using their software and not BSD or Linux (which truly are free and open, and frankly, better).

    So, the argument this guy is making is that we should hand over control of the Internet to NSA. And then we should give billions of tax-payer money to the NSA-firendly government contractors to come up with "solutions" (often in secret) to solve the problem.

    What we should be doing instead is having open initiatives and research money going to open institutions like universities. Then we should develop open security standards. No secret junk like CISPA. If the government wants to secure their infrastructure in secret, great. Can't blame them. But don't force those methods on the rest of us.
    KodiacZiller