Cybergeddon Hype: Needed Fear, or Too Much Loathing?

December 23, 2009

In any truly innovative business or development environment (technology, content or otherwise) it’s always crucial to incorporate a diversity of opinions, as I’m firmly of the belief that in many instances the most effective way to find the middle on any topic of debate is to identify people who widely disagree, set them loose on each other, and then start working back to the center.

At least that’s how our family dinners worked growing up as presided over by a lawyer and politician.

Now, some might argue that the current state of U.S. politics serves as a glaring example of how ineffective this sort of approach to compromise via diametric opposition can be in terms of making progress on any given issue of the day. But, let’s face it, running a country of this size is a pretty complicated affair and while our system is far from perfect, if anything it evidences the characteristics of a process that integrates an extremely wide range of input.

The issue of cyber-war – this growing notion that we are on the cusp of an era in which our electronic and interconnected systems will become a primary aspect of military, terrorist and even economically-oriented attacks (or that they already have) – is also a very complex concept, and as a result there is an immense variety of opinions being expressed as to the current, near-term and eventual risks posed by this ongoing evolution.

With the Wall St. Journal reporting last week that insurgents in Iraq were found in possession of video intercepted from one of our most cutting-edge and increasingly popular military programs, the use of unmanned fighting machines – in this case drone aircraft – there’s little argument that hacking, surveillance and other electronic tactics have become an even more significant element of intelligence gathering and warfare activities than ever before, and will continue to do so.

But the issue of whether or not attacks aimed directly at, or carried out using, our electronic infrastructure itself (for example the SCADA systems used to manage many aspects of our power grid) will soon be used against us as a weapon of disablement and destruction is an area where a wide range of expert predictions are being issued these days as to the likelihood, timing and nature of how such threats might continue to play out over time.

Overlooked vs Overhyped

In another WSJ story that the IT security community followed with great interest in 2009, we were told that U.S. government officials had concrete evidence that foreign attackers (specifically those based out of, or porting their activities through China) had been able to infiltrate the electronic systems used to control much of our power grid for an unspecified, but reportedly substantial period of time.

That’s pretty disturbing for a lot of reasons (consider a military assault that involves disablement of electronic infrastructure ahead of a more traditional physical attack) and as a result we heard a lot of people espousing the immense risk that the scenario encompasses. At the same time, other pundits pointed out the fact that whether or not there had been a successful infiltration, there was little-to-no apparent proof of any related assault or systems manipulation.

Here at Core Security, we’re lucky enough to have two extremely experienced, opinionated area experts who have slightly different takes on the whole cyber-war/cybergeddon phenomenon.

On the one side, we have Tom Kellermann, our VP of Security Awareness, who works with many of the leading IT security practitioners and strategists in the government and private space, and who is heavily involved in trying to help advocate for the need for everyone to more closely consider the incredible risks already posed by SCADA security, cloud computing, virtualization and just about anything else you can think of. Many of his blog posts on this site detail those views.

On the other side, we have Ivan Arce, our CTO, who has had his hands in the world of hacking, attacks and exploit development for over a decade, and has the chance to hear many insider stories from his peers in the research community, our customers, and our Core pen testing consultants in the field. As noted in his latest CSO blog post, he seems to think that the whole “cybergeddon” craze, as he calls it, has been pretty well overblown.

Cyber-war, cybergeddon or straight up cybercrime, clearly at this point no matter what you call it there’s no immediate end or solution in sight.

But what do you think? Do we simply need to get policy makers thinking about this issue now, before it’s too late, or has the ship already set sail?

-Matt Hines, Chief Blogger


