< Is International Cyber Warfare a Real Threat?

Transcript

Friday, December 02, 2011

BROOKE GLADSTONE:

Last month the media were buzzing about a broken water pump in Illinois, allegedly due to Russian hackers breaking into the control system of a water utility. It would have been the first known instance of hackers using cyber warfare to destroy a real world target in the United States.

But, as it turns out, the Department of Homeland Security soon determined that the pump had just burned out. The Wired.com blog Threat Level reported this week that the charge of cyber sabotage was based solely on the fact that a facility consultant was on vacation in Russia when he was asked to advise on a technical issue and responded from a Russian computer. “J’accuse!”

Nevertheless, the fact that there had been no foreign cyber attacks on critical infrastructure here has not quelled fears of cyber war.

Jerry Brito, director of the Technology Policy Program at George Mason University's Mercatus Center, says that the heated rhetoric over the issue just doesn't square with the reality. Jerry, welcome to the show.

JERRY BRITO:

Thanks for having me.

BROOKE GLADSTONE:

So the case of the water pump, apparently not damaged by Russian hackers, is great for making your case that the cyber warfare threat is overrated. But it’s not unreasonable that a foreign state could and would want to engage in that kind of attack, right?

JERRY BRITO:

It's certainly possible for a foreign power to use a cyber weapon against United States. And if you look at what happened to Iran, with their nuclear program, it was delayed because their centrifuges were affected by what is now known to be a worm called Stuxnet. And so, something like that could certainly happen to the United States.

What I'm concerned about is sort of the alarmism that we see in the media and from members of Congress. So, for example, I mean, take Richard Clarke, his book called Cyber War, where he talks about what's possible. And he talks about, quote, “the collapse of the government’s classified and unclassified networks, refinery fires and explosions in cities across the country, the release of lethal clouds of chlorine gas from chemical plants, the destruction of the major financial computer networks,” etc., etc. And none of that really is borne out by the evidence.

BROOKE GLADSTONE:

Yet, we don't want the smoking gun, so to speak, to be the cyber equivalent of a mushroom cloud –

[OVERLAP/BOTH AT ONCE]

JERRY BRITO:

That’s right.

BROOKE GLADSTONE:

- if I may – [LAUGHS] paraphrase –

JERRY BRITO:

That’s right.

BROOKE GLADSTONE:

- Condoleezza Rice.

JERRY BRITO:

Who was saying that about nuclear weapons in Iraq. And how did that turn out?

BROOKE GLADSTONE:

It turns out to be highly overrated.

JERRY BRITO:

And that’s just not the way that we should make public policy. We shouldn’t make public policy out of fear.

BROOKE GLADSTONE:

You have pointed not only to the overly hyperbolic language in the intelligence community and in Congress, you also point to uncritical assessments of cyber warfare threats in the media.

JERRY BRITO:

In major – the newspapers like in the Wall Street Journal or The New York Times we see stories that are anonymously sourced. And they will say things like, the U.S. infrastructure, including power plants and water plants and, you know, other utilities, are laced with logic bombs that have been left there by Russians and Chinese, and we know this according to anonymous government officials.

BROOKE GLADSTONE:

What is a logic bomb?

JERRY BRITO:

I – who knows?

[BROOKE LAUGHS]

This is –

[BROOKE LAUGHING]

I think what they mean when they say “logic bombs” is simply a computer virus that could be triggered remotely that would cause the system that it's on to crash. And then what happens is, is that members of Congress, when they give a, a presentation before Congress in support of a cyber security bill, all the evidence that they’ve put forth are, as the Wall Street Journal reported last week –

BROOKE GLADSTONE:

Mm-

JERRY BRITO:

- we are full of those logic bombs in our infrastructure.

Well, wait a minute, that was anonymously sourced. I'm not suggesting that reporters today are not doing their best and really trusting their anonymous sources. But what I’m saying is that we shouldn't trust those anonymous sources. We should demands from Congress, before they pass cyber threat legislation, examples of why they’re doing this.

BROOKE GLADSTONE:

What's in it for the powers that be in Washington to sell the cyber threat?

JERRY BRITO:

If you follow the money, it leads, first and foremost, to the defense contractors. Defense contractors are the one who are going to be selling cyber security solutions to the federal government.

We recently saw the Air Force stand up and use cyber commands. There was a big contest to see where it would be sited. Different districts around the country were - were vying for this, are making investments in trying to get this cyber command, which would bring with it 10,000 jobs estimated and, and billions of dollars in spending.

BROOKE GLADSTONE:

What are we talking about when we talk about cyber warfare, because Richard Clarke can speak to dozens upon dozens of incursions by Chinese and Russian hackers into American security systems all the time?

JERRY BRITO:

We're talking about several different things, and they all tend to be conflated. And that’s part of the problem. So you have denial of service attacks, where a website is taken down. And you have cyber espionage, where you have hackers, whether it’s criminal groups or perhaps even state-sponsored hack into private networks and steal information. Those definitely exist and, and they’re serious.

But what happens is that somebody like, like Richard Clarke, they use examples of these things that we know, and then they say, and as a result, we should be worried about trains derailing, planes falling out of the sky.

And there, you’re talking about real kinetic cyber attacks that we have very little evidence for.

BROOKE GLADSTONE:

What's the harm in passing stringent cyber security measures?

JERRY BRITO:

Well, that could include telling private networks how they should run their security operations. In many cases, these companies know very well what they need to do because, after all, it's their networks. They know them better than anybody else. And it's not clear to me that a regulator in Washington, D.C. is gonna know how to do that.

BROOKE GLADSTONE:

But this is the same argument that the banks have put forth, and they’ve done a thoroughly crappy job of regulating themselves. It's the same argument that the health industry has put forth. Is this just an anti-regulatory argument?

JERRY BRITO:

There's two things. So number one is legislation that would require private networks to comply to security standards set by DHS. It forces them to comply to one standard, and if they do that, then they're done, instead of actually innovating and, and figuring out what to do.

But secondly, some of the proposals that we've seen would require reengineering of the Internet to force people to identify themselves when they log on. That has very big First Amendment and free speech implications.

But you have other proposals in Congress. For example, there are legislations that require disclosure of attacks. One of the bills that I know that does that is the Safe Data Act, which was introduced by Representative Mary Bono Mack.

Right now you have financial companies and other companies that hold personal information that are breached, and when they’re breached, your personal information may be compromised. And what they do is that they keep that to themselves.

And so, if you require disclosure – just say, for example, that Citibank or Sony, as we saw earlier this year, is breached and personal information becomes compromised, they should be required by law to disclose that. And by disclosing that, they are providing information to the market.

You and I, when we’re shopping for a bank, we’re gonna take this into account. Consumer Reports is going to take that into account. So that’s one way that we could have legislation that would be helpful here by providing more information.

BROOKE GLADSTONE:

Jerry, thank you very much.

JERRY BRITO:

My pleasure.

[MUSIC UP AND UNDER]

BROOKE GLADSTONE:

Jerry Brito is the director of the Technology Policy Program at George Mason University's Mercatus Center.