Archives

Peter W. Singer (photo: pwsinger.com)

We cannot treat cyber security as something just ‘for the nerds’: Peter W. Singer, expert on 21st century warfare

Passwords stolen, email accounts hacked, customer data leaked, computer networks infected: Almost every day brings news that affects our lives in the world of cyber space. Yet, many people still don’t care about secure passwords, safe browsing or how much of their data is floating around in the web. Renowned warfare expert and author Peter W. Singer dug into the topic and wrote the book “Cybersecurity and Cyberwar. What Everyone Needs to Know”. Peter spoke with netwars / out of CTRL about what he thinks is the reason for this ignorance about cyber security, how the fear of a cyber strike feeds a whole industry and what would be a good way to deal with cyber threats.

Your previous books “Wired for War” and “Corporate Warriors” focused on automated warfare and mercenaries. How did you get into the cyber topic and what drove you into writing “Cybersecurity and Cyberwar. What Everyone Needs to Know”?

My work focuses on how war is changing. That is why I wrote the book about private militaries, then on child soldiers and warlords, and later focused on robotics and drones. Working on that last topic led me to wonder about a new question of not only what is new in where we are fighting but also ‘What happens when people get the wrong kind of access?’. This question sort of links my previous books to my recent book “Cybersecurity and Cyberwar”.

Peter W. Singer: Cybersecurity and Cyberwar. What Everyone Needs to Know
http://www.cybersecurityandwar.com/

What is different, however, is that in my past books, I was trying to get people to pay attention to things they didn’t know were becoming important. Cyber is the exact opposite: We all know it is important and all of us are making decisions on cyber security. But we’re doing it without effective knowledge.

In my book I’m trying to give the reader very simple tools to understand what’s happening in the space of cybersecurity: how the Internet actually works, what cyber crime and cyber terrorism are, and what we can do about it as individuals, companies, governments and military. My sense was that there was a kind of gap: books on that topic were either highly technical only for specialists or books that mostly wanted to make people scared.

Why do you think that is?

The cyber topic needs to come out of only being seen as for the so-called “IT crowd.” For too long, cyber security was viewed as a domain “only for the nerds,” as one White House official put it. Yet, that is how the Internet itself was looked at in the 1990s. But nowadays we all use it in so many different ways: communication, commerce, and in critical infrastructure. 30 trillion emails are being sent every year. You cannot find an industry that does not use the Internet.

The threats we face range from the security of your bank account, your social network or email account, to the security of the business you work at. Not to mention that cyber has become a matter of geopolitics, of conflicts on war and terrorism. We cannot treat cyber security as if it were just something “for the nerds.” At the same time, we should not treat it like something we should get overly scared about.

Nevertheless a lot of people do get scared about it. Cyber security and cyber war seem to be on everyone’s lips right now.

There are real threats and real dangers in this space. The problem with cyber security is that a lot of people lump very different things together just because they are using the same technology: The former NSA director, General Keith Alexander, testified to Congress that America’s military faces “millions of cyber attacks every day.” He was actually talking about very different things to get that enormous claimed number, everything from automated probes and address scans to attempts to get inside the network for a variety of reasons: hacktivism, theft, economic espionage, military espionage and so on. Yet, none of these “millions of attacks” was the so-called “cyber Pearl Harbor” that people think is the risk. Talking about millions of attacks is like talking about the millions of bacteria attacking your finger right now; it’s true, but also useless as your only way of understanding a threat.

Do these threats feed a new market, a cyber security market?

When there are real threats, there is always a market where people seek to respond to it and profit from it. In 2012, the US Pentagon’s budget mentioned the word “cyber” 12 times. This year’s budget mentions it 147 times. The cyber security business will take off within the next years, not just within business, but also at every level of government: the city level, the state or province level and the national level. And it’s not just the US. Italy just launched a 30 million dollar cyber security center. It is a globally growing business.

We have seen and will continue to see cyber incidents. As much as a hacker is taking advantage of your vulnerabilities, flimflam people might be taking advantage of your ignorance and fear. Businesses claiming to offer 100 percent cyber security when you buy their products. There is no such thing as 100 percent security – if there isn’t in real life, why should it be in cyber?

infographic: How the cyber market develops

How likely is it that one day we will face an attack on our financial system or power grid?

There is a real danger that someone will try and carry out a cyber attack and cause physical damage. In fact there has been and there still are attempts to attack the power grid system. Such an attack could include knocking down the system and messing with the machines’ operations, just like Stuxnet did in the Iranian uranium enrichment facility in Natanz. There is a possibility that attackers could use something similar to mess with the infrastructure.

Yet, we also have to understand such systems have long been under physical threat too, from everything from criminals to squirrels. We can either just get more scared or manage our risks and fears.

What would be a good way to take precautions?

The key is to shift from only the mentality of a catastrophic and fearful ‘cyber 9/11’ vision to a mentality of resilience. We should expect that there will be bad things that will happen. That is a reality of life, as well as cyberlife. The key is to not just try to prevent them, but also to think about how to get back up again. It’s about not just preventing it but powering through.

All the nations that have benefited a lot from the Internet in an economic, social and political way must now realize that this connectivity also creates some vulnerabilities. Yet, the dependence that nations like the U.S. and Germany and others have on the Internet should not lead us back into a Cold War mentality of thinking the only safety lies in building the offense up to scare the other guys into not attacking. It is more about being able to power through the risks and threats, how to get back on track, how to control the damage and bring the status back in case something happens. ‘Keep calm and carry on’ is the best response.

What can be done on a personal level to think and live cyber security in a new way?

There is a need for what I call “cyber hygiene.” The best thing to be safe is to think twice about what you’re actually doing there. It’s not as highly technical as too many fear. For example, it is always a good start to secure your passwords, having complex passwords and to change them frequently. And like in real life, don’t take candy from strangers – so don’t take any hardware you don’t know and don’t click on any links that you don’t know.

Even the U.S. military walked into that trap: the most successful foreign government attack on US military networks happened quite simply. A soldier picked up a shiny object in a parking lot that turned out to be a flash drive. Since he was curious what might be on it, he plugged it into a computer on the base that was linked to a classified network.

Hygiene is not just about the simple measures of protecting yourself, but also a broader ethic. We teach our kids to cover their mouths when they cough. Why do we do that? It doesn’t protect them directly, instead it protects others from getting infected. We should think the same thing in cyber space. We have a responsibility not only for our own safety but for the safety of everyone else we connect with.

 

About Peter W. Singer:

Peter Warren Singer is the founder of technology advisory firm NeoLuddite. Dr. Singer is considered a leading expert on changes in 21st century warfare and has authored a number of award winning books. He has consulted for the US Military, Defence Intelligence Agency, FBI and a wide range of entertainment programs. Prior to his current position, Dr. Singer was the founding Director of the Center for 21st Century Security and Intelligence at the Brookings Institution. In September he will join the New America Foundation as strategist. Visit his website: www.pwsinger.com. To learn more about his book, visit www.cybersecurityandwar.com

author M. Sean Coleman (photo: private)

It was my research that made me think I may be being watched: netwars author M. Sean Coleman

The netwars Graphic Novel App “The Butterfly Attack” premiered some weeks ago in mid May. The story: An elite hacker group is asked by the Norwegian government to hack the power supply system. What is supposed to be a war game becomes reality. The team has to win a race against time. The story was written by British author M. Sean Coleman. Sean not only wrote the script for the Graphic Novel App, he also wrote the ebook “The Code”, where he takes the reader on a trip through the darker side of the Internet, the Deep Web. netwars / out of CTRL spoke to Sean about his work on the book and the Graphic Novel App.

Please tell our readers a little bit about yourself and how you came across netwars.

I was born in the UK and brought up in South Africa. I enjoyed writing stories from a young age and, thanks to some excellent English teachers at school, I was able to explore that passion. I studied a BA in Scriptwriting for Film and Television at Bournemouth University, and an MA in Screenwriting at the London College of Printing.

My first proper, paid writing job was for Douglas Adams, helping to create the online version of Hitchhikers Guide to the Galaxy. It was a great job, and introduced me (way back in the mid-90s) to the idea of entertainment broadcasting over the internet.

The Internet has changed a lot since then, and the way we receive our entertainment has changed too. Netwars is a great example of that change. I was first asked to write the story and scripts for the Graphic Novel series – you will have to ask the producers why they chose me – but I’m very glad they did. The challenge of writing for a Graphic Novel format, combined with the subject matter of cyberwar, cyberterrorism and cybercrime was too exciting to pass up.

How did you come up with the story? What inspired you?

We had a big brainstorming meeting with a whole lot of people who would be involved in the project. The idea was to make sure that we all had the same concept about what the project as a whole was trying to say to the audience. One of the biggest challenges for me in writing a fictional version of accounts, was that nothing I came up with could be out of the bounds of reality. If the documentary parts of the project clearly stated that Cyber War would not happen, then the Graphic Novel story couldn’t say that it had!

Check out the trailer for the Graphic Novel App:

At first I had all sorts of wild ideas about what I would like to happen, which were more in the realms of science fiction if I’m honest. Over the course of a lot of research and a number of conversations with the experts who were consulting on the project, I slowly came up with a story that I was happy with and the team at Filmtank liked too. There were not as many stories in the news back then, as there are these days, but there was information online if you knew where to dig. I found old presentations and briefing documents for war games and cyber war games and the story developed from there.

Were you familiar with the cyber topic when you started working for netwars?

I wasn’t unfamiliar with it. I read a lot of technical and science journals anyway, and I know a lot of people who work in the IT industry. I had heard of the Deep Web, I had heard of Tor, and Silk Road and all of that. But I hadn’t really thought of it in terms of the threat it posed both to us as individuals and to our nation states. I have always been something of a geek, so researching the technology side was not difficult.

As I said before, the bigger problem was drawing the line between reality and fiction. I was aware that the audience for this project would not really appreciate me just making up facts, so I spent a long time researching what was and wasn’t possible. Of course, it’s fiction, so you have to be able to stretch the truth to the edge of plausibility, but I hope I managed it.

You did some research on the deep web for “The Code”. What did you find there and how did you feel about it? Were you scared or did you feel threatened at any point?

Netwars - The Code 1

I did do a lot of research. In fact, probably more than I needed to considering how much it is used in the story. It wasn’t so much the research into the deep web that made me feel uneasy, it was my research into how to hack cars, planes, elevators, government computers, all of that kind of thing, that made me think I may be being watched. It did strike me that if any major cyber-linked terrorist attack happened, I would probably be on the list to visit. At least I would be able to show the authorities the novel, which I’m guessing most terrorists don’t have as an excuse.

While I was writing the book, our neighbours sold their house, and I was convinced that they had sold it to the National Crime Agency here – maybe they did, but they make very good neighbours! I also kept noticing unmarked vans parked in the street outside for hours on end. I kept feeling a lag in our internet connection, or strange connections on my phone. The thing is, when you’re locked in your room writing as hard as I was writing every day, you get paranoid anyway. When you’re writing about a cyber assassin, you have no chance!

What I tried to get across in the book is that the Deep Web is a place where anything, legal or illegal, can be bought or sold, pretty much anonymously. Life, death, right, wrong – it’s all different down there. When I tell people some of the stuff I came across, they ask why nobody is doing anything about it. I tell them that they are, they just can’t keep up. It scares people. We like to think that we are protected and safe, and that this kind of thing can’t happen to us. For the most part, we are safe from those threats, but then, we also hope that about serial killers and axe-murdering hitchhikers, and somehow we take them more seriously than any cyber threat.

Did working for netwars change your view on the topic? Are you worried about safe cyber security or surveillance these days?

It certainly made me more aware of things I could do to protect myself. It also made me more nervous of going in elevators, cars that can park themselves, or small planes… I’m something of a fatalist, in terms of the bigger picture. If it’s going to happen, then we’re all buggered anyway. But on the personal side, I think we all need to make it a little harder for people to know everything about us. Whether that is governments or malicious actors, our private data should remain private.

It makes me smile now that, here in the UK, people used to go on protests about the proposed identity card scheme, claiming that it was giving the government too much information about our personal lives. Those same people never thought twice about jumping on Facebook and sharing everything they like, think and do with the whole world. People just don’t seem to notice how much they give away. I am certainly more aware of that now.

hacker attack

Of course I have a series of very complex passwords, but as I know from my research, they aren’t really going to help that much if someone is able to put a keylogger on your machine, which is a pretty simple thing to do. I work on the basis that I am too boring to follow for long, too poor to rob, and too sensible to be radicalised. I also still believe that if someone really has it in for me, there are plenty of ways to get rid of me that are both cheaper and easier than turning my tech against me. They just may not be as superbly anonymous.

What are your next projects?

I have an interactive storybook for pre-school children, called Milli’s Adventures on Apple-Tree Hill, coming out in the summer on iPads and Android tablets. It’s about a little snail called Milli who doesn’t know how to be a snail and has wonderful adventures trying to find out. It was created and illustrated by the wonderful Jana Schell and I am honoured to have been able to write the stories for it. I love it. Meanwhile, I have just begun writing the sequel to The Code, so keep your eyes open at the end of the year for the second book.

 

About M. Sean Coleman:

Born in the UK and raised in South Africa, Sean is a writer of film and television drama, a novelist, and an award-winning writer and producer of cross-platform drama and reality series. He holds a BA in Scriptwriting from Bournemouth, and an MA in Screenwriting from LCP. His novel “The Code” is available in English, German and Chinese on Amazon, on the iTunes store and on Google Books. For more info, visit his website: http://www.mseancoleman.co.uk/

Teufelsberg, Berlin (photo: Real Fiction Filme)

Director Niels Bolbrinker searches for Big Brother

Almost one year has passed since the Snowden revelations. Since then, data collection and surveillance have been the subject of an ongoing discussion. In his documentary “Reality Check”, director Niels Bolbrinker tries to find out if Big Brother has already become reality. “Reality Check” is out in German cinemas Thursday, May 15th. Check out the trailer:

Trailer DIE WIRKLICHKEIT KOMMT from filmtank on Vimeo.

netwars / out of CTRL spoke to award winning journalist and author Julia Angwin, who wrote a book about privacy and data collection in times of the Internet. With netwars, Julia spoke about her book “Dragnet Nation” in which she describes how she tried to erase her digital footprints.   1. When did you decide […]

Drones have changed war and possibly our future: Director Tonje Hessen Schei

netwars / out of CTRL spoke with Director Tonje Hessen Schei about her latest documentary DRONE, the downsides of the drone war and the impact this kind of warfare has on the human mind.

DRONE is a documentary about the covert CIA drone war. The documentary is part of Arte’s theme special about war in the fifth dimension and will air right after netwars / out of CTRL on April 15th, 9.10pm. Tune in!

1. What drove you into making the movie and what is the idea behind “Drone”?

I got the idea for DRONE when I came across a story of a gamer who dropped out of high school and joined the Army. Because of his gaming skills he was quickly recruited as a drone pilot, and at the age of 19 he was an instructor for other drone pilots. I’m very interested and fascinated by the blurred line between the virtual and real world. When Obama promised to close Guantanamo and instead ramped up the drone war, the largest targeted killings program in history, I decided to make this film.

DRONE TRAILER TV-Version from FlimmerFilm on Vimeo.

2. What do you want to teach your audience?

Drones have changed war and possibly our future. Yet so many people here in the West don’t know what a drone is. We are increasingly distant to the wars we fight, and I do believe that the consequences of drone warfare must be discussed and debated. People need to know what is going on. The US is setting a very dangerous precedent with their use of drones, and right now Europe is moving forward acquiring armed drones – so we are at an important turning point and I believe it is crucial that we establish strong international rules for the use of drones. I also believe that there needs to be full disclosure and an investigation on who has been killed by the US drones in Pakistan, Yemen and Somalia. A decade into the drone war with no transparency or accountability and this is not acceptable. So to me it is extremely urgent that we get drone warfare on the agenda!

Recruiter with kid; copyright: Lucian Muntean

3. You approached the drone topic by taking a closer look into the gaming community and how the US military recruits young gamers for their programs. After all the research you’ve done, what do you know about the training of the drone pilots? Do you think they realize the consequences of their actions? How does the military make sure they are aware of the thin line between war games and actual war?

Gamers have very important skills that are much needed in modern warfare, and militaries across the world are now targeting gamers in their recruiting strategies. The ties between the military industry and the entertainment industry are very strong – militaries are using tools and advice from the world of entertainment to make their operations more efficient, and weapon companies also own intellectual property rights in games that are produced. I’m intrigued by the new warriors that are killing people on the other side of the world through joysticks. This does not mean that drone pilots believe they are participating in a video game, and it’s been profound to see what impact this new way of killing really has. The intimacy of observing people for long periods of time before killing them with a push of a button, then witnessing the horror and death you have caused on the ground, then often to kill people who come to rescue the wounded has serious implications for the drone pilots. So we are looking at a new and different sacrifice and post traumatic stress. To me drone pilots are part of a grand experiment and we really don’t know the consequences of this warfare on the human mind.

4. Does anyone wonder about the security of these systems? Are they aware of the fact that the system could easily fail – or even worse, that someone might get into the system, take over control and use their weapons against themselves?

The threat of hacking has always been an issue with drones. Iran claims it landed a US drone and we have yet to see the consequences of this! Hacking a drone can be done fairly easily. Through the production of DRONE we met a US professor who hacked a drone with his students in a few hours as an experiment for the US Department of Homeland Security. So I don’t feel this threat has been properly addressed with drone technology – but this is also one of the main selling points for autonomous systems – hacking is less likely when the drone is self contained. But that raises a whole spectrum of other threats and ethical problems.

Kids with missile pieces, copyright: Noor Behram

5. US President Barack Obama carried out a surprising change of American Power. He made drone strikes and cyber attacks a top priority when it comes to war (think about Stuxnet). What are your feelings on waging war on a cyber level?

The wars of the future will for sure be waged on the cyber level, and my biggest fears are that we are facing devastating wars waged by invisible enemies, outside of declared battlefields, with no laws, no human rights, no transparency or accountability. In some ways I don’t think it’s hard to imagine that we are heading towards massive cyber attacks combined with a Robot Ragnarokk. Hopefully by then we have managed to take control of the new weapons of war and have a system of strong international laws in place.

6. We learn from your movie that drone pilots often monitor their targets for weeks or even months. This is a very frightening form of voyeurism and brings us back to surveillance and privacy. How did the revelations of Chelsea Manning and Edward Snowden affect you and your work on the movie?

Manning and Snowden have changed so much, and to me their revelations show the importance of transparency. I do believe we do have the right to know what is being done in our name, and it’s crucial to have information to understand the world around us. We live in an age of surveillance and the manhunt on whistleblowers has exploded under Obama. For us this has affected how we have worked with our sources and at the same time as our investigations aim to achieve more transparency in the covert CIA drone war.

7. Meanwhile companies like Amazon think about using drones to deliver packages. How did making the movie change your views on these developments?

The civilian drone market is a whole new and different area, with DRONE we focus on the use of drones in war. But personally I don’t like the idea of anybody hovering anything over me to observe me for any length of time. So I’m really concerned about the possibilities drones open up in terms of surveillance, and the development of smaller drones that often replicated birds, bees and insects to better blend into the natural world. I am however not anti-drone technology – and believe there are many great uses to be explored, but first we need to make solid regulations to protect our rights and understand fully where we are headed. I often dream of ordering wine or food that could be delivered with a drone to the peninsula I live on. I also personally do own a drone that I intend to learn how to fly over various places here in Norway as soon as I have some time.

 

About Tonje Hessen Schei

Tonje is a Norwegian filmmaker who has been working with independent documentary film since 1996. She is the director and producer of the award-winning documentary Independent Intervention (2006). Other productions include Texas and the Death Penalty (1997). Tonje has a masters in film from the University of Trondheim in Norway and a BA in film production from the University of Texas in Austin. Tonje is the co-founder of Ground Productions, an independent international documentary production company based in Portland and Norway.

Cyber is an aspect of war: netwars director Marcel Kolvenbach

The director of our netwars documentary visited Las Vegas to gather some material. Marcel Kolvenbach attended two hacker conferences, Black Hat USA and Defcon. We spoke with him about his impressions:

How does it feel to be among these dangerous guys? Actually – are there only guys? 

Yes, unfortunately there are almost no girls. I love dangerous girls! The guys – to me – didn’t look dangerous at all. I had the feeling that the place had been hijacked by government officials and company representatives to find new talent. It has been hard to spot the few hardcore hackers among the audience. I guess the reaction to the speech of the NSA boss was symptomatic: there was only one outspoken voice of protest. 99% of the audience would just applaud.

Did you take any personal precautions to prevent being hacked?

I don’t use smartphones, even in normal life. There were a number of presentations proving smart phones to be a very vulnerable target. I didn’t have any important personal data on my travel laptop. I tried to run the laptop only with an Ubuntu system, loaded from a USB stick. After the visit I will format all my media that have been exposed to online use. I didn’t use the WLAN, just the cables at the press center – as recommended. I still feel I might have been hacked, some time ago, during a Skype conference with one of the most famous US hackers. He sent me a PDF file and – I clicked on it before thinking about it. Stupid.

Did you feel personally threatened at any point?

No, not really. I feel threatened by the fact that press freedom doesn’t seem to apply any more, if you consider the things that happened in London [when the "Guardian" had to destroy material provided by NSA leaker Edward Snowden]. Feels like my work as a journalist is not protected anymore. That’s much more threatening than hackers or even cybercriminals.

Why do you think these hackers even talk to journalists about their trade?

Journalists are important amplifiers for their message. Most hackers I met believe in an open and free society, they believe in public domain, they share what they know, to educate and inspire others, to take that knowledge and go ahead, to the next step. It is the opposite attitude to secrecy and protecting your work or your code with force, guns and courts. Really, Journalists and these Hackers are rather similar in one sense: I strongly believe in press freedom, and that journalists have to be protected against interference by the state or other powerful interests. And these guys strongly believe that the net should not be controlled by corporate or national interest, but rather by a free spirit of creativity.

What was the scariest demo hack you saw?

I would not call it “scary”, rather eye-opening or revealing. There have been a number of presentations, demonstrating that everything we use in IT can be manipulated and most likely is – including a piece of hardware. A fake charger can be used to take control of your smart phone and spy on everything you do, from online banking to all your contacts. This is done in seconds. The most impressive demo was the presentation “Out of Control” by Brian Meixell and Eric Forner. They demonstrated how a SCADA device on an oil-platform or any other industrial can be exploited, creating serious damage with huge environmental effects. According to their demonstration, it is pretty easy to enter to control of these installations and blow up pipelines and other vulnerable parts. Since their daily work is to install these systems in the field, they really know what they are talking about.

If you want to analyze the risks, you could say: it’s a combination of old technology still in use for profit reasons combined with today’s connectivity. If you have a local device with a very old protocol, that is easy to read and to change without much IT knowledge and connect this device to a public IP address, that anybody can access via internet, your installation is pretty much out of control. This is what has happened in the industrial world. Pumps, vaults, motors, engines, all are run by these SCADA devices, but to save costs, to avoid people having to go out in the field – sometimes in difficult to reach locations or hazardous environments – the companies decide to access these primitive controllers via Internet. It saves huge amounts of money, but comes with a very, very high risk.

Black Hat Conference in Las Vegas, USA

Is there a way to translate these potential threats and vulnerabilities into film?

Of course, such a story has potential for great drama. Like one of these 70s disaster movies from Hollywood. An airplane out of control or a nuclear plant, the gas and water pipes in a town. These are all potential targets. What we are trying to do in the netwars / out of CTRL documentary is to simulate, to tell the story of such a drama: what could happen if a person with malicious intent gets control? How easy is it to actually access these devices and what would be the “worst case scenario” if you combine these efforts of hacking with the effort of protecting the systems on the other side. You get a race, a race between good and evil, between white and black hat, between an aggressor and a defender. This is great stuff for any film – fiction or factual.

Do you trust the hackers you met to do the right thing and not harm anybody?

I feel people like Brian Meixell and Eric Former who work for the industry would never reveal their findings if they would suspect any harm. This would be their last day in the job. The risks are there and the people with criminal intent know it already. Now it is time to mobilize big and small corporations to take these threats seriously, to wake up stakeholders so they demand security measures, and make any employee or citizen aware of the fact that – as much as all the apps and gadgets make our world more entertaining – the web and all these mobile online applications come with a very high risk.

You can compare the situation to, let’s say, the invention of the automobile: When there were only a few around, you could do what you wanted, you could build your own vehicle the way you liked. Later came more and more safety regulations, from the seat belt to shock-absorbing crumple zones. There are tough rules and regulations of automobile traffic today, people have to pass tests and vehicles are tested to be allowed on the road. You’ll see similar certificates, laws and restrictions for devices being connected to the Internet traffic in the future. I feel we need these traffic rules for the net to protect the freedom of movement and information. Otherwise, you’ll have too many accidents.

Would these people blow up a factory in a conflict, say, for the US Army?

Jason Healy, the director of the Cyber Statecraft Initiative of the Atlantic Council, has made a clear point: cyber warfare is and will be part of any future conflict. But it will just be one tool, one type of weapon. The answer is “Yes” – any side might blow up any facility at any point, if this is part of a war strategy, if it makes sense. But any serious party in a war will not just blow up stuff because it is technically possible. I feel this is the big mistake when we talk about “cyber war”. People like Jason Healy are very careful talking about “cyber war”. I had similar talks and comments when I interviewed people for the film in Israel. Many strategic analysts doubt that there is such a thing as “cyber war”. There are cyber weapons and possibly cyber warfare. Cyber is an aspect of war, like radio communications, satellite images and so on. It will be used, no question. But there has to be a war first and a reason for that war before people are engaging in cyber attacks. And they will never come alone, if it is to be a “real” war. You will have troops on the ground, even if only a bunch of special forces. You’ll have air and sea based and then – in addition – cyber based weapons.

What’s your next shot for the film after Las Vegas?

A group of hackers and a utility in Germany. We’re going to film a simulated attack while the security guys at the utility try to defend themselves.

About Marcel Kolvenbach

Marcel Kolvenbach is a documentary filmmaker who has won several international awards and has currently been nominated for the German Grimme Prize. For 20 years he has been filming documentaries for German TV stations like WDR, ZDF and arte. Kolvenbach lived in New York, Brussels and Kampala, where he experienced blackouts lasting for days or weeks. The work for “netwars” challenged the author and director to portray an invisible war in pictures and sounds. For that, Kolvenbach, who studied design, used his camera to document empty rooms and how human beings and humanity disappear in them. In his eyes the real threat is the dissolution of the analogue world into the binary system. For him, “cyberwar” is the logical consequence of our world’s virtualisation.

Thomas Rid, Reader in War Studies at King's College London

Cyber war will not take place: Professor Thomas Rid

While there has recently been a lot of confusion about cyber war, cyber attacks and malware, some experts view the topic with less excitement. Thomas Rid is one of them. Born in Germany, he is now a Reader in War Studies at King’s College in London. In his recent book “Cyber War Will Not Take Place”, Rid argues that what we’ve seen so far is espionage, sabotage or subversion – but not war.

Netwars met Thomas Rid and spoke with him about his thesis, the NSA revelations and possible solutions to deal with cyber conflict. Watch the interview here:

War as we know it is violent and causes not only damage but also death. Rid argues that so far we haven’t seen a single casualty caused by a cyber attack. In 1993, a famous article by the RAND Corporation claimed “Cyber War Is Coming”. The article can be read here.

The Economist cover cyberwar
The Economist, 2010

As an academic, Rid looks for evidence. Twenty years later, the most sophisticated attack we have seen so far was Stuxnet. Rid classifies the work of the worm as an act of sabotage, not war. And technically, he is right: Stuxnet didn’t blow up the Iranian nuclear facility, it only sabotaged the enrichment program and stopped Iran from building the bomb. For Rid, the vast majority of attacks serve the interest of espionage.

Rid discussed the topic with New York Times chief correspondent David E. Sanger during a debate at the Körber Foundation in Hamburg. One of his points is that a nation cannot build just one cyber weapon and fire it against every nation as it wishes. In fact, cyber attacks have to be very sophisticated and well planned, and malware has to be programmed exactly to fit the target. “Cyber weapons are not like conventional weapons”, Rid argues.

“You can’t do a military parade and show your cyber weapons”

Since they have to be tailor-made, a state can’t shoot them at targets as it pleases. This makes it hard to repeat an attack. Rid thinks that politically motivated and sophisticated cyber attacks are likely to take place only in the context of actual political confrontations. And if that happens, there is no reason why the opponents should limit their response to computer attacks like switching off power grids or manipulating bank networks. In order to react as fast as possible, it would in fact be easier to use weapons.

Time cover cyberwar 1995
Time Magazine, 1995

Besides, according to Rid there is only one nation that is able to build a sophisticated cyber tool so far: the United States. The ability of the NSA to spread malware into computer networks worldwide is outstanding and technically very sophisticated. The Snowden revelations that made these working methods public demonstrated a capability gap to China.

“Just because China has 600 million Internet users doesn’t mean they are a cyber super power”

When Rid visited the country in autumn 2013, he experienced that the Chinese look up to the US for their cyber capabilities.

Of course, the large number of cyber attacks originating in China doesn’t mean they are acknowledged by the government. But it’s militant groups and terrorists that get security experts worried. Right now, Rid says, those with the capabilities don’t have the intention to attack. And those with the intention don’t have the capabilities.

But once they find out how to break into a system, the situation changes. It’s already really easy to find industrial control systems (SCADA systems) that are connected to the Internet and therefore vulnerable.

Thomas Rid: Cyber War Will Not Take Place

 

Scientists at the Freie Universität Berlin showed in an alarming map how many SCADA systems are connected to the Internet. Some might be connected unbeknownst to the operator. A special search engine can locate industrial plants that are connected to the Internet. In the US, a hacker named pr0f used such a search engine and later broke into the system of a water plant in South Houston. He hacked the plant to protest against the lax security of these facilities. What if someone hacks a water plant for another reason?

Where politics is concerned, Rid has a point: cyber war will not take place – or at least future wars won’t be limited to cyber attacks between two states. But when it comes to criminals, the situation might be different. Why take the risk of sending a conspirator to blow up a power plant when you’re able to take it out with just one click of a mouse?

 

About Thomas Rid:

Rid was born in 1975 in Aach, Germany. He studied social and political science and earned his PhD in 2006 at the Humboldt University in Berlin. He conducted his research in war and media, terrorism, deterrence and cyber security at the Institut français des relations internationales (Ifri) in Paris, Johns Hopkins University and the Woodrow Wilson International Center for Scholars in Washington, D.C. Since 2011 he has been a Reader at King’s College in London.

David E. Sanger, chief Washington correspondent for the New York Times

The US are not prepared for a cyber attack: Journalist and author David E. Sanger

Everyone was excited when Stuxnet attacked numerous computers worldwide in summer 2010. Where did this malware come from? Why was it so sophisticated? And who was behind all this?

The man who helped us understand the political background of Stuxnet is David E. Sanger. He is a reporter for the New York Times and is correspondent for the White House. He managed to talk to insiders and got information on how Stuxnet was prepared by US President George W. Bush and used during the term of President Barack Obama. Sanger wrote a book about his findings: “Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power”.

Netwars interviewed Sanger about his book, the NSA affair and whether the US is prepared for a cyber attack. You can watch the interview here:

Sanger writes that Stuxnet already began under the presidency of George W. Bush, who wanted to avoid a military conflict with Iran. Some of his advisors came up with the idea to manipulate Iran’s nuclear facilities in a way that the Iranians wouldn’t even know they were being attacked. The idea of a cyber attack was born.

Since Sanger investigated so many details about Stuxnet, he helps us understand what the US is capable of when it comes to sophisticated cyber tools. In the future, Sanger thinks, we could see basic cyber weapons like a worm that is being customized to attack nuclear power plants and water plants. He thinks it’s possible that there could be a simultaneous attack on critical infrastructure of a town.

“It is likely that cyber becomes an addition to conventional war as we know it”

Today cyber war is not only a topic for hackers and security experts in the US. The discussion about how vulnerable the most connected society in the world really is has reached politics.

Budget for the US Cyber Command

In October 2012 Leon Panetta, former US secretary of defense, warned that a combined military and cyber attack could lead to a “cyber Pearl Harbour”. Panetta wanted to put pressure on the US Congress to pass the cybersecurity law that allows the bulk collection of personal data. Panetta failed.

But digital arming has already become an essential part of the US budget. Although the government needs to reduce its state spending and is therefore cutting the budget of the Pentagon, the budget for the US Cyber Command is rising (see infographic).

Nevertheless, the evidence base for an actual cyber attack that affected critical infrastructure is very small. Sanger worries that future worms could be designed to attack the turbines for an electric power system of a town.

“Just because it hasn’t happened yet doesn’t mean it necessarily won’t happen at all.”

In a way, Stuxnet serves as basis for an attack. When the worm got out of the nuclear facility in Iran and spread throughout the Internet, the code became accessible not only for security experts but also for hackers. When Sanger spoke to insiders in Washington and the White House, they told him that Obama was very worried about the consequences of Stuxnet. He knew that it would backfire.

The question is whether the US is prepared for an attack itself. Sanger told netwars that most of the security experts in the US think they are not as prepared as they should be. In fact, the US held two official cyber defense trainings in recent years. “Cyber Storm 2008” and “Cyber Storm 2010” tested the resistance of the critical infrastructure. The US Homeland Security trained for several incidents in the communication system, transport system and energy system. Metro lines stop, the communication between airports fails, terrorists enter the country without hindrance, the Los Angeles water supply is disrupted. The trainings show that the US couldn’t do much about a cyber attack. Sanger believes that the world’s nations need to have a debate about whether they want to use cyber as a weapon and whether they want to use it for offense or defense. “If we’re going to do cyber security, we’re going to need partners.”

About David E. Sanger:

Sanger was born in 1960 in New York and graduated in 1982 from Harvard. He has been writing for the New York Times for more than 30 years. Sanger reported from New York, Tokyo and Washington. His articles cover foreign policy, nuclear proliferation, Asian affairs and the presidency. His book “Confront And Conceal” describes how the US carried out a cyber strike against Iran’s nuclear facility Natanz.
