Cyberthreat "deniers" say cybersecurity experts are crying wolf

Published 19 August 2010

There are those who argue that security experts who warn about cyber threats are only scaring people in order to sell their security products and consulting services; one observer says: “To be sure, the financial interests of those warning about cybersecurity vulnerability should be disclosed, but their warnings shouldn’t be dismissed either— Just because you can still download movies from Netflix or update your Facebook status doesn’t mean everything’s fine.”

On Monday, Information Week Government’s site posted a report by Elizabeth Montalbano on remarks by Mark Bregman, chief technology officer of security company Symantec, who spoke at the first-ever NASA IT Summit and said the space agency is ideally suited to promote global cooperation among nations on cybersecurity. Given that NASA has worked with other nations, such as Russia, France, and others, on space flights, they could also collaborate to keep computer networks secure. “There’s an urgent need for diplomacy to kick start international cooperation on cybersecurity,” Bregman said.

Robert Mullins writes in Network World that the comments that followed Montalbano’s story belonged to a category of comments that has been with us since the beginning of the Internet age. People who belong in this category argue that security experts who warn about cyber threats are only scaring people in order to sell their security products and consulting services.

The comments following Montalbano’s story advanced the same argument. They suggested Bregman was hyping the threat for the sake of Symantec sales. “See, Symantec created the panic so as to sell its products,” wrote one. “If Symantec is not the one starting all the cybersecurity mess, the whole world would be much more peaceful,” wrote another.

Mullins says that these reactions are similar to ones that followed a report he wrote in March about a panel discussion at RSA Conference 2010 about the possibility of the cyberattack equivalent of Pearl Harbor. The reactions included this: “A cyber ‘Pearl Harbor?’ Sounds like the security industry is using hyperbole to try to get some government ‘attention’ (read: public funds),” wrote one reader (Mullins adds that the preponderance of comments supported the notion that the computer network needs to be better secured).

“I find it puzzling that what you might call ‘cyberthreat deniers’ are downplaying the threats by portraying the people making the warnings as compromised by their financial interests,” Mullins writes. “What comes to mind for me is the post-9/11 adage about guarding against the next terrorist attack: The CIA has to get it right 100 percent of the time, but the terrorists only have to get it right once.”

Bregman’s comments at the NASA forum mirror those of one of the panelists at the RSA panel Mullins covered. Bregman said cooperation between the United States and foreign governments on cybersecurity is “sorely lacking.” Likewise, at RSA, Richard Clarke, a partner in Good Harbor Consulting and former security adviser to both presidents Bush and to President Clinton, called for global collaboration. “You could have an international treaty that puts an obligation on every country to police its own cyberspace,” Clarke said. “We talk to Russia and China about lots of things … but we don’t ever make this a big issue.”

The written record is full of examples of significant security breaches that have happened around the world that maybe did not blow up the Internet entirely, but are rightly cause for concern. Earlier this month, Microsoft issued a rare “out-of-band” security warning about a vulnerability discovered in multiple versions of Windows, including fully-patched Windows 7. Nothing catastrophic happened that we know of, but it is the equivalent of the authorities disrupting a potential terrorist plot before they can strike.

In Clarke’s new book, Cyber War: The Next Threat to National Security and What to Do About It, he describes how in Russia’s 2008 invasion of former Soviet-controlled Georgia, the Russians jammed Georgia’s Internet connections. In 2007 Israel reportedly disrupted Syria’s air defenses electronically prior to an attack on a suspected nuclear facility. In his RSA remarks, Clarke also noted how U.S. electric power grids had been dotted with “logic bombs,” small bits of software that could have been used to execute an attack.

“To be sure, the financial interests of those warning about cybersecurity vulnerability should be disclosed, but their warnings shouldn’t be dismissed either,” Mullins writes. “Just because you can still download movies from Netflix or update your Facebook status doesn’t mean everything’s fine.”