How to wage cyber warfare: Why we do not take cyber seriously, Part 9

There are a lot of arguments over why cyber warfare and cyber terrorism get so little attention. The attention it gets arrives in waves and departs. There is almost a decade swing between being ignored and being the hottest new thing. The current president says he will make it a priority much like the previous five presidents. Think tanks and experts trot across the stage in front of legislators and people discuss the issues much like they have for forty years. Nearly the exact problems of decades ago exist within the cyber infrastructure today. It is pretty obvious that we as a society do not take cyber conflict seriously despite extensive evidence of the issues. Cyber has changed our society in many negative ways.

Cyber has brought rampant identification theft and losses in the billions of dollars. Cyber has resulted in bank breaches and large-scale theft in the billions of dollars. Cyber has resulted in top-secret information being transmitted to possibly hostile countries on numerous occasions. Cyber is directly responsible for entire industries dropping like flies (newspapers, radio, etc..) .  Cyber has allowed for entire water systems to be poisoned. Cyber has allowed for companies to hide extensive fraudulent activity. Cyber has supported two major boom and bust cycles (80’s PC bust, .bomb). Cyber automated the concept of credit card theft and reduced the barriers to entry into this illicit trade. Cyber has been directly responsible for several major industrial disasters (see Dr. Joseph Weiss testimony). Yet every cyber expert has to say again when testifying “yes there is a problem” and luddite congressman can’t understand what that problem is…

Why does cyber as an issue have to justify itself as an issue? This same problem that can be traced back to Grace Hopper finding a “bug” in a computer, or the MIT model railroad club hacking telephone switches, or Richard M. Stallman fighting for open computing models regardless of time sharing costs or passwords. The reality is that you can’t feel it, taste it, hear it, or eat it. Cyber is truly a meta-world. People argue over whether cyber is a new fighting domain. People argue over whether cyber exists. Like electricity it is invisible when it is working, the results are obvious, a lack of it can be inconvenient, but too much of it can kill you.  People don’t pay much attention to electricity either. People don’t pay much attention to water or sewage. The three being utilities they are ignored until the system breaks down. To add to the carnage of awareness is the constant recycling of cyber as “new” and “fresh”.

People ask how I can predict with some accuracy what government or corporate agencies are going to do. You to can be a cyber expert if you study about ten years of computer history. Regardless of Moores law, advancement in the sciences, new memory, faster processors, wild operating system variances, any window on about ten years worth of time will give you enough of a picture. Take that window find out where you are within the window. Analogize and generalize the behaviors of actors. Find correlations to current day events. Predict with near limitless accuracy the next cycle. History does repeat itself even while being different. There is also way more money to be made in perpetuating the problem than fixing it. Cyber is sexy. Sex sells. Cyber means make more money.

Consider the current media blitz led off by the United States Air Force seeking a substantive and system wide changing method of dealing with cyber conflict. The Navy and the Army already had a pretty good handle on the topic. There existed a joint group that did this task. The media blitz by the USAF followed a series of break-ins and cyber incursions. The reality is that cyber is a direct and substantial issue of national security. Well of course so are many other things too. It is not unusual to see the change and substantial volume of information around cyber this year. As an example of the mass media cyber cycle consider 21 hacker movies and their release dates

TABLE 1 Hacker Movies List from http://netforbeginners.about.com/od/hacking101/a/hackermovies.htm

There is an interesting cycle to these “top” hacker movies if you look at the series. We start out in 1975, see some blips in 1985, and 1990. Then the cycle explodes around Y2K, and settles back down in 2005 with a couple aberrant blips in 2003 (right after 9/11 in movie production time).

FIGURE 1 Hacker Movies

This is NOT expected to be scientific or evidentiary but simply show that there is some preliminary suggestion that cyber is cyclical in public awareness, that cyber has grown substantially in public awareness, and simply looking at mass media we can see that. A better analysis used by many sociologists would be to look at the front page of newspapers (like the New York Times) and see how often cyber is mentioned. If anybody is looking for a thesis or dissertation topic idea let me know the results. I think if we stayed with major studios and looked in the 2007 through known releases in 2010 we might find substantially more mass-market films becoming available. The cycle is compressing currently.

The public rapidly becomes tired of being talked down to and will vote with the television remote. In the infancy of commercialization of the Internet it was not in the best interest to sensationalize cyber criminal or conflict. At several points such as the break up of AT&T and Y2K the Internet could have become a completely different tool than what we see now. Technologies like pay-at-the-pump and ATMs required a larger amount of trust from consumers. Hacker culture and cyber conflict was marginalized as these and many more technologies were integrated into society. As such it is very difficult now to sensationalize without criticism risk when people have been told or ignored the issue for so long. Maybe it is better put that the risk was discussed and ignored so often that late adopters feel little risk with current technologies and their kin. Time doesn’t solve all problems but it can hide them effectively.

If mass media, politicians, and technologists have been unable to solve the problems and even in the face of billions or even trillions of losses are unable to explain that paradigm. How can cyber be taken seriously? Would you expect cyber to be taken seriously? Academic papers published in the 1970s talk about all the same issues we are talking about today. Some of the academic papers are much better written explanations of simple topics and have been collectively ignored by current researchers who stop building bibliographies that are comprised of articles older than five or seven years.  With the convenient excuses technology research is rapidly dated due to Gordon Moores seminal paper often referred to as Moores Law written in 1965.  This often incorrectly equates to we will innovate our way out of problems. Unfortunately what it really means is we can get into trouble twice as fast every two years.

Returning to our entrance we know that cyber is not tangible and hard to understand. Mass media cyclically returns to the topic. Government and industry are not inclined to fix a problem that continues to drive budget dollars and expenditures as a renewable funding source. Researchers falsely ignore much of the history and often return to horrific explanations of what might happen to drive funding dollars. Yet, while all of this occurs there is a slight problem.

Convergence. 10 years ago I carried a pager, a cell phone or two, a music player, and half a dozen other devices. Now I carry my iPhone. I used to commute every day and now I commute when I want to. I can hold meetings on my laptop, pay my bills, order my medications, and this is all a principle of convergence. Television has started to converge to the Internet.  A decade ago the Internet was something that was nice to have. Today it has nearly become a necessity if you want a higher education. Many companies have stopped shipping paper bills and use electronic statements on the Internet. Convergence of social, political, government, and business has been toward Internet technologies. The model of electricity and the substantial hardship being without this basic utility service has snuck into the use of the Internet. Yet none of the safeguards or regulations exists at this time to treat the Internet Service Provider as a utility. We have not come to the conclusion yet that the Internet and cyber space is important enough to regulate. We don’t take the Internet serious because we treat this basic utility like an entertainment source. Regulations are about what you access from Porn to music and movies. Nobody regulates whether the electricity you access is used to watch a Porn movie or listen to an illegal download (yet).

In many ways the Internet and thereby in most peoples minds cyber space is a behavior to be modified rather than a utility to be sustained and made resilient. It is pretty hard to take serious a technology by most people that is considered simply entertainment. What those people are missing and many legislators are missing is that wide scope of cyber space. The breadth of technology mediated communications spectrum for SCADA to porn to email to ATM to command and control of missiles and the Presidents Blackberry. What is missing is the idea that something that facilitates communication and supports commerce might be critically important if it is the primary reason a company can out perform foreign competitors and still pay substantially better wages.