Fuss over cyber war distracts from real threats, security pioneer says
SAN FRANCISCO — There is a lot of talk these days about cyber war, and much of it is misguided if not downright dangerous, said cybersecurity pioneer Marcus Ranum.
“In cyberspace, the rules of war do not apply,” Ranum said. “The best defense is a strong defense. What we should do is defend ourselves as best as we can against hackers, and if we do that we’ll be in better shape.”
The threat of cyber war has been exaggerated, and given the nation’s inadequate defenses our preparations for offensive cyber actions could be counterproductive, he said. It’s like a man in a glass house stockpiling stones. “It’s not a good idea to initiate a response in kind by doing it to someone else.”
The false cries and fog of ‘cyber war’
Why we’re unfit to wage cyber war
Ranum, a self-described “lefty-pacifist anti-statist” and an early innovator in firewalls and other IT security technology, is chief of security at Tenable Security. He is presenting his views on cyber war this week at the RSA Conference.
His primary points are that cyber crime, espionage and hacktivism are carelessly lumped together into cyber war, which us distracts from the real nature of these threats, and that real cyber war — an attack by a nation to destroy or degrade the military capabilities of anther nation — is a lot less likely than it often is portrayed.
“In terms of cyber war, you have to look at the geopolitical situation and see’s what makes sense,” he said.
A real cyberattack makes no sense unless it is part of, or is backed up by, a military attack, because the attacker risks a military response. Right now, no nation appears ready to attack us militarily or to take that risk with a cyberattack, Ranum said. “The truth is, China doesn’t want to do this.”
This does not mean that the nation is not facing real threats, both in the physical world and in cyberspace. But defenses should be focused on the real threats, which include terrorism, crime and espionage, Ranum said. If we protect our systems against hackers, this will protect us against some spies and most terrorists.
“This isn’t going to protect you against nation-state spies, because they are going to look like your network manager,” he said. Real spying by other nations is not a cyber threat, he said. “If I’m a country and I want to get into your system, I’m not going to worry about hackers. One of your employees is going to be my agent.”
The proper venue for protecting against nation-sponsored espionage is the government, not industry, Ranum said. “We can’t do counterintelligence. That’s what we pay taxes for.”
Against the remaining threats, we need to be doing a better job of conventional cybersecurity, using the tools and technology we already have against the threats we understand, Ranum said.
“We are doing a lousy job against hackers,” he said. “We need to defend the hell out of ourselves.”