Perspective: Security expert Gary McGraw says the U.S. obsession with cyberwar and its military approach to Internet security is dangerous.
As if the wars on terror and drugs weren't keeping U.S. officials busy enough, the drum beats of cyberwar are increasing.
There were the online espionage attacks Google said originated in China. Several mysterious activities with Internet traffic related to China. The Stuxnet worm that experts say possibly targeted Iranian nuclear centrifuges. An attack on the WikiLeaks site after it released classified documents damaging to U.S. foreign policy. And don't forget the Internet attack on Estonia from a few years ago.
To deal with the geopolitical dramas that are projected in the online world, the U.S. is using military strategy and mindset to approach cybersecurity, creating a Cyber Command and putting oversight for national cybersecurity under the auspices of the Department of Defense.
But offense isn't always the best defense, and it never is when it comes to Internet security, says Gary McGraw, author and chief technology officer at security consultancy Cigital. More secure software, not cyber warriors, is needed to protect networks and online data, he writes in a recent article, "Cyber Warmongering and Influence Peddling."
ZDNet Asia's sister site CNET talked with McGraw about how the militarization of cybersecurity draws attention away from the more serious threats.
CNET: So, tell me what's wrong with going to DEFCON 1 in cyberspace now?
McGraw: I wrote an article with Ivan Arce, the founder and chief technology officer of Core Security Technologies. He's from Argentina. Every time I talk to him he asks 'what is up with you Americans and cyberwar anyway? Why are you so obsessed with cyberwar?' Because nobody else is talking about it in the rest of the world. I travel a lot internationally and he is right. So we started talking about why that was. One of our main points is that there is a confusing blend of cyberwar stuff, cyber-espionage stuff and cybercrime stuff, and the stories are used to justify whatever political or economic end people may have, instead of trying to disambiguate these three things and talk about what they actually are.
What's the danger with that?
The danger is that if we lump everything under 'cyberwar', then our natural propensity in the United States is to allow the Defense Department to deal with it. The DoD set up a Cyber Command in May. Cyber Command has an overemphasis on offense, on creating cyber-sharpshooters and exploiting systems more quickly than the enemy can exploit them. I don't think that's smart at all. I liken it to the world living in glass houses and Cyber Command is about figuring out ways to throw rocks more accurately and quickly inside of the glass house. We would all be better suited trying to think about our dependence on these systems that are riddled with defects and trying to eliminate the defects, instead.
Is the rhetoric all driven by attracting money? That's a very cynical way of thinking.
A lot of people think it is. The military industrial complex in the U.S. is certainly tied very closely to the commercial security industry. That is not surprising, nor is it that bad. The problem is the commercial security industry is only now getting around to understanding security engineering and software security. The emphasis over the past years has been on trying to block the bad people with a firewall and that has failed. The new paradigm is trying to build stuff that's not broken in the first place. That's the right way to go. If we want to work on cybercrime and espionage and war, to solve all three problems at once, the one answer is to build better systems.
You mention that cybercrime and cyber-espionage are more important than cyberwar. Why is that?
Because there is a lot of crime, less espionage, and very little cyberwar. (chuckles) And the root cause for capability in all these things is the same. That is dependence on systems that are riddled with security defects. We can address all three of those problems. The most important is cybercrime, which is costing us the most money right now. Here's another way to think about it: everyone is talking about the WikiLeaks stuff, and the impact the latest (confidential files) release is having on foreign policy in the U.S.
The question is, would offensive capability for cyberwar help us solve the WikiLeaks problem? The answer is obvious. No. Would an offensive cyberwar capability have helped us solve the Aurora problem where Google's intellectual property got sucked down by the Chinese? The answer is no.
What would have helped address those two problems? The answer is defense. That is building stuff properly. Software security. Thinking about things like why on earth would a private (officer) need access to classified diplomatic cables on the SIPRNET (Secret IP Router Network)? Why? If we thought about constructing that system properly and providing access only to those who need it, then things would be much better off.
The term "cyber" makes it seem more scary. We're just talking about Internet, right? Might there be a problem with semantics?
There could be. There has been an overemphasis on cyberwar in the U.S. The problem with cybersecurity is that there is just as much myth and FUD and hyperbole as there are real stories. It's difficult for policymakers and CEOs and the public to figure out what to believe because the hype has been so great, such as with the Estonia denial-of-service attack from 2007. So that when we talk about Stuxnet it gets dismissed.
So it's the boy who cried wolf problem?
Yes.
Stuxnet is real. Is that cyberwar?
It seems like a cyberweapon. I think it qualifies as a cyberwar action. My own qualification is that a cyberattack needs to have kinetic impact. That means something physical goes wrong. Stuxnet malicious code did what it could to ruin physical systems in Iran that were controlling centrifuges or that were in fact centrifuges. If you look at the number of centrifuges operating in Iran you see some big drops that are hard to explain. (Iranian President Mahmoud) Ahmadinejad admitted there was a cyberattack on the centrifuges.
So why does the attack on Estonia not qualify?
The kinetic impact is important, but also an act of war is the act of a nation-state. The Estonia attacks fail the nation-state actor test. It also fails the real impact test. Sure, their network went down, but whoop dee do! Who cares? If you took that same sort of attack against Google or Amazon they wouldn't even notice. I think people were using that attack, which was carried out by individual cybercriminals in Russia, not by the state, to hype up the cyberwar thing. In fact, in my work in Washington [D.C.], the Estonia story keeps coming up, over and over again, as an example of cyberwar.
What is your qualification to discuss cyberwar matters and policy?
This year, I've been working more in Washington than I have in the past. I've been to the White House, the Pentagon, talked to think tanks. I'm a little bit worried that the discourse is too much about cyberwar. We should try to untangle the war, espionage, and crime aspects and maybe emphasize building better systems and getting ourselves out of the glass house as opposed to trying to make a whole new cadre of cyber-sharpshooters as [CIA Director] General Hayden suggests. For policymakers the conception of our field [of security] is muddled.
I'm worried we're not spending on [Internet security] defense at all. There's no way to divide and conquer networks. That is, we can't defend the military network or the SIPRNET but not defend the Internet because we're ignoring 90 percent of the risk. Most of the infrastructure in the U.S., 90 percent of it that's important, is controlled by corporations and private concerns, not by the government. The notion that we can protect military networks and not the rest of it just doesn't make any sense. That's one problem.
The other problem is the Air Force has always been about domination in the air and taking away that capability from the enemy early and eradicating infrastructure. This notion of a 'no-fly zone' is kind of interesting. Unfortunately those tactics don't work in cyberspace because there is a completely different physics there. There is no such thing as taking ground or controlling air space in cyberspace. Things move at superhuman speed in cyberspace. So some of these guys who are good military tacticians are having a hard time with cyberwar policy and cyberdefense because of the analogies they're using.
You mentioned in your article that "in the end, somebody must pay for broken security and somebody must reward good security". Are you suggesting that we hold software makers liable for flaws?
I don't know what the answer is. We need to change the discourse to be around how do we incentivize people to build better systems that are more secure and how do we disincentivize the building of insecure systems that are riddled with risk? As long as we can have that conversation then policymakers might be able to come up with the right sort of levers to cause things to move in the right direction. We're not suggesting any particular approaches, like liability. We're just trying to change the discourse from being about war to being about security engineering.
Anything else?
I think we are at risk and I do think cyberwar is a real problem we have to grapple with. But even though we are at risk, we need to have rational conversations about this. Too much FUD and hyperbole don't do anything to help the situation. The poor guys that are charged with setting policy have a hard time doing that because we're having the wrong conversation at the policy level right now.
This article was first published as a blog post on CNET News.