Wednesday, February 27, 2013

The Worst Article You Might Ever Read About 'Cybersecurity'

from the this-one's-special dept

There has been a lot of discussion lately about "cybersecurity," "cyberwar," "cyberattacks" and all sorts of related subjects which really really (really!) could do without the outdated and undeniably lame "cyber-" prefix. This is, in large part, due to the return of CISPA along with the White House's cybersecurity executive order. Of course, the unfortunate part is that we're still dealing in a massive amount of hype about the "threats" these initiatives are trying to face. They're always couched in vague and scary terms, like something out of a movie. There are rarely any specifics, and the few times there are, there is no indication how things like CISPA would actually help. The formula is straightforward: fear + handwaving = "we must have a law!"

However, I think we may now have come across what I believe may top the list of the worst articles ever written about cybersecurity. If it's not at the top, it's close. It is by lawyer Michael Volkov, and kicks off with a title that shows us that Volkov is fully on board with new laws and ramping up the FUD: "The Storm Has Arrived: Cybersecurity, Risks And Response." As with many of these types of articles, I went searching for the evidence of these risks, but came away, instead, scratching my head, wondering if Volkov actually understands this subject at all, with his confused thinking culminating in an amazing paragraph so full of wrong that it almost makes me wonder if the whole thing is a parody.

The piece starts off, though, by playing up those supposed "risks," discussing how companies face "economic devastation" due to the "theft of valuable trade secrets." Here's an exercise: name one such company that has been so devastated. We'll wait. Then he talks about how these hacks could lead to "disclosure of consumer and employee information." Of course, he seems to be mixing and matching the types of hacks he's talking about. The "trade secret" stuff is generally corporate espionage, whereas the leaking of data tends to just be more general malicious hacking. Very different issues that probably require very different responses. But they're lumped together here.

So we've got an ill-defined problem, but have no fear, because the answer is here: Congress!

"At the core of the problem is Congress’ failure to act. For years now, Congress has tried to enact meaningful cybersecurity legislation."

Any analysis of whether or not the attempts at "meaningful cybersecurity legislation" would have any impact at all on the kinds of attacks discussed in the first paragraph? Why, no. Because that would be useful. But that's okay, because Congress needs to act!

"The risks are too large and the consequences of failing to act can result in serious economic consequences."

Again, can someone point to any evidence of cybersecurity issues having "serious economic consequences" to date? Yes, it's possible they might in the future, but let's put these things in perspective.

And then we get to this. I warn you ahead of time: reading the following paragraph may cause certain knowledgeable brains to experience something akin to spasms.

"Recent cyber-attacks have illustrated the ability of terrorist groups and foreign governments to cause havoc on the Internet. The United States Sentencing Commission’s website was destroyed when activists attacked the site to protect the federal prosecution of Bart Swartz which eventually led to Mr. Swartz committing suicide. For years, the Chinese government has launched massive daily attacks against our government and private industry which are aimed at disrupting government operations, stealing trade secrets and undermining economic activity."

Let's break this down. Bit by awful bit.

"Recent cyber-attacks have illustrated the ability of terrorist groups and foreign governments to cause havoc on the Internet."

Where and how? So far, the only example of any government causing any sort of "havoc" appears to have been the US with Israel with their attacks on Iran via Stuxnet, Flame and possibly some other very targeted malware attacks. What "terrorist groups" or "foreign governments" have actually caused any actual "havoc on the Internet"? The answer is none. It's certainly not what comes next:

"The United States Sentencing Commission’s website was destroyed when activists attacked the site to protect the federal prosecution of Bart Swartz which eventually led to Mr. Swartz committing suicide."

Yeah. Okay. (1) The United States Sentencing Commission's website was temporarily hacked (and later taken down). It was not "destroyed" in any sense of the word. (2) Activists are neither the "terrorists" nor "foreign governments" we were promised in the preceding sentence. (3) Taking down the site briefly did not cause "havoc." (4) BART Swartz??!??!? (5) The hack was to protest the federal prosecution of Aaron Swartz, not to "protect" it. (6) While many of Swartz's friends and families do say that the prosecution likely led to his suicide, no one can say for sure. (7) Nothing about the hack by Anonymous had anything to do with "cybersecurity" nor would CISPA have protected the Commission's website (better programming might have). Basically, this sentence is just about as wrong as it could possibly be, and has nothing to do with what the article is about, other than drumming up fears about "cybersecurity."

"For years, the Chinese government has launched massive daily attacks against our government and private industry which are aimed at disrupting government operations, stealing trade secrets and undermining economic activity."

There's been plenty of talk about these Chinese hacks, which definitely do appear to be happening. But, what economic activity has been undermined? So far, the hacks may have been a nuisance, but it's unclear that they've done any real damage. It is also unclear how CISPA helps stop such hacks, other than making Congress feel like it's "done something."

Are there issues with online security that need to be taken seriously? Yes, absolutely. Do we need legislation to deal with those problems? That's debatable, and we're still waiting for some evidence not just of scary sounding threats, but that this kind of legislation will actually help. Unfortunately, this article keeps us waiting. But, it did make us laugh. Unintentionally (we think).
