http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/07/25/IN6K18S60M.DTL
*This is John Arquilla, he's a very capable, well-briefed and intelligent defense-futurist guru. Washington should pay attention to him, but they won't. They can't, really. I think the military-entertainment complex has simply lost the capacity to defend itself from cheap asymmetric threats of this type. They've exhausted themselves searching for razor-blades and shoe-bombs. And the players, who should have been on the same page, have lost all capacity to sacrifice for the greater good. They're worse-off than the American health system or American car manufacturers.
*We don't get an "electronic Pearl Harbor," because that comes from an identifiable state adversary. We might not even get "a 9/11," where something identifiably American gets humiliatingly set on fire in public. It might look much more like a Twitter/Facebook collapse that falls down and stays down – and we wouldn't understand it or cope with it, any better than we can understand the ongoing collapse of our financial system. We wouldn't even be sure it was the work of "enemies." We'd just suddenly be within a changed world that was much poorer, much more violent, much more dangerous and much more friendly to narcoterror global guerrillas.
*We could easily blow OURSELVES up, just by training a few cyberwarrior gungho guys who get discharged, join Blackwater and blow up the Internet pipes by aiming a blunderbuss in the wrong direction. "Hey, let's teach that obscure Georgian blogger a good lesson!" Boom!
*I know this sounds rather "Cybarmageddon," but a crisis comes when systemic weaknesses go unredressed for many years. One week after that calamity happened in real life, people would be cynically wringing their hands about how it was all inevitable: "Oh the security bubble, the security bubble, whatever were we thinking?" And when will we claw our way back to the status quo ante? "Gosh, I dunno, maybe ten years, maybe never."
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/07/25/IN6K18S60M.DTL
(...)
"A decade ago, one of our own military exercises - still classified, so little can be said openly - revealed serious vulnerabilities. This was soon followed by actual intrusions into our defense information systems, apparently emanating from a site in Russia, that were persistent and wide-ranging.
"More exercises followed, to test new security standards, with names like Silent Horizon and Cyber Storm. They showed that we were still quite open to attacks against crucial infrastructures. And more real events came into play - this time apparently connected in some way to China: a swarm attack that nearly took down the power grid in Southern California several years ago and, more recently, another series of cyber raids on sensitive military data.
"Beyond our own direct experiences - the latest being some relatively minor attacks on the Fourth of July that also hit South Korea - others also have started to feel the cyber heat. Estonia came under cyber attacks in April and May 2007, and so did Georgia in August 2008. Both apparently were staged from Russian and other servers, and the effects were so serious that Estonia had to reboot by cutting its cyber links to the outside world. The Georgians lost the ability to communicate with their own armed forces - in the middle of a Russian invasion.
"And the Russians are hardly alone in waging this sort of cyber-war. Israeli ground forces dealt punishing blows to the Palestinians in Gaza in the January 2009 fighting, but a Muslim cyber-militia, apparently operating out of Iran, struck back effectively against a number of key Israeli sites - including one that provided civil defense instructions for what to do when under rocket attack.
"These cyber attacks were on smaller countries, but if such actions were aimed at us, they would be exceptionally costly. That makes it most puzzling that so little has been done that actually improves our defenses. (((This is rhetorical – I doubt this guy is "puzzled" by all these lost years of security-theater.)))
"To be sure, a whole business model based on selling firewalls and security updates has emerged. But, as one master hacker I know likes to say, "There are no firewalls. They only recognize what they already know to be threats and have great trouble when intrusion and attack tools are even slightly tweaked."
"Or, as I like to tell my military masters, we are steeped in a Maginot Line mentality - our cyber defenses are as easy to outflank as the French fortifications were in 1940. Instead, we have to "imagine no lines" and accept that the bad guys will get into our systems. Against this threat, we must rely more on strong encryption - so intruders won't even know what they're looking at - and conceal our most important information by parceling it out in encoded portions in myriad hiding places in "the cloud" of cyberspace.
"Commercial companies are just starting to take steps like these. But their pace of change is far too slow, and their intellectual property continues to be plundered by cyber raiders. Individuals are even more vulnerable - millions of Americans are unknowingly turned into zombies, their computers enslaved by virtual body snatchers. And our military, whose efficiency depends on secure connectivity, remains at risk.
"In the face of all this, we must of course strive to reduce vulnerabilities. But there is one other thing we might do: engage in cyber arms control. Not the sort that seeks to prevent the spread of technology, because this cannot be done. All computers can be used as weapons, and they are everywhere. So instead of trying to control hardware, we have to strive to control our own behavior.
"Perhaps this would take the form of a multilateral agreement to refrain from intruding into or attacking others' information systems except in response to acts or imminent threats of virtual or physical aggression. Ironically, it was the Russians - now so adept in cyberspace - who first floated this idea 13 years ago in a meeting with their American counterparts.
"When the Russian position was communicated to higher-ups in the U.S. government, the response was negative. I know because I was part of the American team..."
