Bruce Schneier: 'We're in early years of a cyber arms race'

Security guru Bruce Schneier says there's a kind of cold war now being waged in cyberspace, only the trouble is we don't always know who we're waging it against. Schneier appeared onscreen via Google Hangouts at the LinuxCon/CloudOpen/ContainerCon conference in Seattle on Tuesday to warn attendees that the modern security …

  1. Charles Manning

    We have met the enemy...

    and he is us.

    All the sabre rattling about Russians and Chinese is just the same fear mongering that had USAians dig bomb shelters during the Cold War.

    The biggest threat of all is still the state vs the citizen.

    1. Rusty 1

      Re: We have met the enemy...

      You may have met your enemy, but I'm still waiting to meet the dingbat(s) who pretended Java was realtime, performant, secure, or indeed "write once, run anywhere." When said parties are met (and dealt with), we may rest briefly, safe in the knowledge of what has been done, before resuming with the advancement of mankind.

      1. Donkey Molestor X

        Re: We have met the enemy...

        > You may have met your enemy, but I'm still waiting to meet the dingbat(s) who pretended Java was realtime, performant, secure, or indeed "write once, run anywhere." When said parties are met (and dealt with), we may rest briefly, safe in the knowledge of what has been done, before resuming with the advancement of mankind.

        Oh look, it's yet another poster who doesn't know the difference between enterprise Java and applets from 15 years ago. Yeah if you run Java on the client side and install it from the GUI like some rube then you're going to get the Ask toolbar. At least in Java, strings are a first-class object. Meanwhile in the 21st century, all the so-called REAL programmers using C and C++ still fail to do basic bounds checking on their strings and then shrug as the stack gets smashed.
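The C string handling the comment above complains about, shown as an added example (not code from the commenter, the article or any project it mentions): a fixed-size stack buffer filled with `strcpy` beside a bounded copy that reports when the input does not fit. The function names, the 16-byte buffer size and the inputs are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* assumed buffer size for the demo */

/* Vulnerable: no bounds check. strcpy writes strlen(src)+1 bytes into a
 * 16-byte stack buffer regardless of src's length, so a longer src
 * overwrites whatever sits above `name` on the stack (saved registers,
 * return address). This is the "stack gets smashed" case. */
void greet_unchecked(const char *src)
{
    char name[NAME_MAX];
    strcpy(name, src);            /* classic stack smash */
    printf("hello, %s\n", name);
}

/* Hardened: copy with an explicit bound and report truncation to the
 * caller instead of writing past the buffer. Returns 0 on success, -1 if
 * src did not fit (dst is still NUL-terminated in that case). */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size) {
        /* Does not fit: copy what fits, terminate, signal the error. */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Same greeting, bounds-checked: an over-long name is rejected rather
 * than silently corrupting the stack. Returns 1 if greeted, 0 if rejected. */
int greet_checked(const char *src)
{
    char name[NAME_MAX];
    if (bounded_copy(name, sizeof name, src) != 0) {
        fprintf(stderr, "name too long (max %d chars)\n", NAME_MAX - 1);
        return 0;
    }
    printf("hello, %s\n", name);
    return 1;
}

int main(void)
{
    /* Constructed inputs: one that fits, one 40 bytes long that does not. */
    const char *ok  = "alice";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    greet_checked(ok);            /* prints the greeting */
    greet_checked(bad);           /* rejected, no overflow */
    greet_unchecked(ok);          /* fine only because the input is short */
    /* greet_unchecked(bad) would overrun `name` by 25 bytes; it is left
     * out of the demo on purpose, since the result is undefined behaviour. */
    return 0;
}
```

The point of returning an error rather than truncating silently is that the caller, not the copy routine, knows whether a shortened value is acceptable; a truncated path or username is its own class of bug.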

      2. Destroy All Monsters Silver badge

        Re: We have met the enemy...

        who pretended Java was realtime

        Learn2BasicComputerScience. I hope you're not in the "industry" and posting from your student account?

        I don't think anyone pretended "Java" (the JVM) was realtime, though there ARE realtime reduced JVMs. Anyway, what has that to do with anything?

    2. Paul Crawford Silver badge

      Re: We have met the enemy...

      We, collectively, are the reason for this because we are happy to accept shitty software because it is shiny and new (e.g. Android) or the established model (e.g. Windows) and we want everything Internet-connected for convenience and to save a little money on not having to make trips to physically visit important sites.

      While some nation state attacks have shown the ability to jump air-gaps using infected USB sticks, etc, the vast majority rely on the simple fact that we put critical stuff on the same machines and networks as we use for external access (web, email) and then get surprised when we find our OS, software and firmware in routers, etc, is full of holes that let the two leak.

      Convenience trumps security, and so far we have not had anything big enough go wrong for the law to come down and enforce stricter practice.

      1. Michael Wojcik Silver badge

        Re: We have met the enemy...

        we are happy to accept shitty software because it is shiny and new (e.g. Android) or the established model (e.g. Windows)

        So, you're saying people will accept lousy software if it is either new or not new?

        That last clause is redundant. People will accept lousy software, full stop.

  2. This post has been deleted by its author

    1. Allan George Dyer

      "My own personal computers, being highly secured and reliable, coupled with my knowledge of how to use them, would make me personally the equivalent of a nuclear power in a nuclear war."

      So the first sign that the "cyber cold war" is turning hot will be conventional military strikes against 1980s_coder and other IT experts?

      1. Ole Juul

        cyber canary

        So the first sign that the "cyber cold war" is turning hot will be conventional military strikes against 1980s_coder and other IT experts?

        No. The first sign will be the crippling effect on cyberfashionistas - the ones running highly proprietary apps and who don't know, or don't care, what's in the box.

      2. Destroy All Monsters Silver badge

        "My own personal computers, being highly secured and reliable, coupled with my knowledge of how to use them, would make me personally the equivalent of a nuclear power in a nuclear war."

        This is basically the slightly more egocentric "Inna woods with AK-47 and Heinz Beans stash" equivalent of the US-centric zombocalypse.

        1. steeple

          Not Equal To

          "inna deep ocean with trident-equipped submarine" TFTFY, as far as the point being made is...

      3. This post has been deleted by its author

        1. Doctor Syntax Silver badge

          "What sort of power would that put in my hands?"

          Not a lot if the net infrastructure has been taken down.

        2. Trevor_Pott Gold badge

          About as much as a ham radio operator after an earthquake.

    2. amanfromMars 1 Silver badge

      And of course, IT is only just at the the stage of "In the Beginning" with Global Operating Devices

      In a "cyberwarfare" situation, IT's top knowledgeable individuals are going to hold a lot of power, that we don't necessarily want or need - what will we do with it?.... 1980s_coder

      Pool it all wisely with others anonymously of the same ilk, 1980s_coder, will extraordinarily render IT a practical and virtually impregnable intelligent foe in the command and control and hands, hearts and minds of absolutely fabulous friends. And the power of those spontaneous unions rises exponentially rather than linearly thus to make just a few extremely quickly, all too powerful to fail.

      1. Anonymous Coward

        Re: And of course....

        I've missed you of late, amfM1. Perfectly on point. Still, there is the problem of separating the fellow travellers from both the agents of the state and the agents provocateurs who can (and will) be working for any (or several) number of groups.

        In any case, should cyber-armageddon arrive, I'll start cracking open my secure containers. I'd advise being off the net.

    3. Tony S

      @1980s_coder

      "Or to put it another way - I would be sitting on virtually indestructible and invulnerable computing power that couldn't easily be taken down."

      Until they turn the electricity off.

      1. Eugene Crosser

        Re: @1980s_coder

        > Until they turn the electricity off.

        And leave "them" without the battlefield? They won't, where's the fun in that?

    4. Eugene Crosser

      I think Schneier was mixing with generals and politicians a bit too much lately. All that talk about nation states, military and police... "Cyber-enemy" is border-less. And the defence ought to be border-less. And actually, it already is, in case not everyone noticed. Attempt to bring in national interests and national forces to the discussion is just a desperate attempt by the said generals and politicians to stay relevant.

    5. Salts

      My experience has always been that when you think you are safe and can sit back and relax, you're about to be rogered and say "where the fuck did that come from!"

    6. Michael Wojcik Silver badge

      But, in a hypothetical world where a "war is brewing in cyberspace", and every connected machine becomes a target for attack against a nation, where does that leave people like us?

      Presumably in a post-apocalyptic IT wasteland, scrabbling for resources and fighting off zombie processes.

  3. amanfromMars 1 Silver badge

    Getting IT for Real requires Anonymous Autonomous Handles on Super SMART Virtualisation ‽

    ”Unfortunately, we're in the early years of a cyber arms race. We're seeing a lot of stockpiling cyber weapons, both by the United States and Western countries ... by China, Russia, other countries. A lot of rhetoric about cyberwar," Schneier said. "What concerns me is that we're all going to be in the blast radius."

    Methinks the major primary concern is for those others who are unfortunate enough to believe that they have remote command and control of markets and systems/assets and programs via the gift of indiscriminate wealth/electronic money supply with the facility for its spontaneous disappearance and bailings in for bailings out of corrupted systems.

    You might like to consider, Bruce, in the light of what is known and what you may know about such clumsy command and control systems, that is no bad thing at all and much to be lauded and welcomed for a change of global execution in the right direction for a better alternative way of powering and EMPowering things and the Internet of Things. There a lot going on out there in the Virgin Fields Place of HyperRadioProActive CyberSpace with ITs Deep Pools and Dark Webs of Enlightened Existence and IMPractical Resistance

    amanfromMars [1508191714] ….. sharing on http://thedailybell.com/news-analysis/36484/Trump-Proves-Money-Matters/, the reality that systems are unable to avoid and prevent expanding and exploiting inherent vulnerabilities based on the presumed power of money in all of its guises

    The bigger danger for both parties is that Trump reminds people how little their votes really mean. This can only add to the widespread frustration that is beginning to boil over. Trump is accelerating a process that was already underway. We may not like the consequences. ….. Philippe Gastonne

    Surely the much bigger worry and unfolding opportunity, Philippe, is that they, rather than we, will not like the consequences and thus they think to terrorise with media and with all sorts of news which seeks to show chaos everywhere else but in their neck of the woods. It isn’t working though any more, and now they are desperately seeking safe harbour in a world with worlds which present nowhere to hide and no immunity and protection from increasingly better informed and super active mobs/bots/clones/drones, both real and virtualised.

    And to deny and/or disbelieve it be so, affords and presents an immaculate stealth and perfect defence to all adept APT and ACTive virtual attack forces and sources. And whenever forewarned is forearmed, is the wrong choice of future direction and desperate action and reaction, a direct reflection and indication of a distinct lack of greater necessary intelligence and information in that which is so unfortunate to delude and place itself front and centre and leading into in harm's way.

    1. Anonymous Coward

      Re: Getting IT for Real requires Anonymous Autonomous Handles on Super SMART Virtualisation ‽

      It isn’t working though any more, and now they are desperately seeking safe harbour in a world with worlds which present nowhere to hide and no immunity and protection from increasingly better informed and super active mobs/bots/clones/drones, both real and virtualised.

      Oh, they get their vulnerabilities to attacks on their wealth (Ukrainian news services hack), prestige/position (any number of attacks revealing elites behaving badly), power (bringing down pet politicians, media attack dogs, &c.). We, the technically "able-bodied", must be contained, and since being self-taught is common in IT, everyone must be monitored. To them, we are the potential terrorists; ISIS/ISIL, al Qaeda, the Taliban, Boko Haram, not so much. After all, a drone strike or nine, no problem.

      What's concerning, at least to my personal health, is our Administration declaring US citizens as valid targets without a legal (farcical) proceeding for a drone strike. And yes, I am thinking hard around that problem.

  4. John Savard

    I know what I would like to see.

    Operating systems, like Microsoft Windows, coming out of the box, before any software updates, with no vulnerabilities whatsoever.

    How can something so complex as a large operating system, with all the features they have now, be written without a single bug - or, rather, a single oversight, since this is not about programs failing to do what is expected with correct input, but about opportunities to exploit invalid input?

    Especially given that checking all input for correctness makes programs a lot slower and more complicated.

    New approaches are needed. I think security is not actually as difficult a problem as getting massively parallel computers to do as much useful work as a uniprocessor the same number of times faster as the number of processors running in parallel. But that could just mean it's extremely difficult instead of impossible.

    1. Michael Wojcik Silver badge

      Operating systems, like Microsoft Windows, coming out of the box, before any software updates, with no vulnerabilities whatsoever.

      A nonsensical criterion, since vulnerabilities can only be defined under a threat model.

      I think security is not actually as difficult a problem as...

      Also nonsensical, for the same reason. Security is not a singular "problem" in the first place, nor an absolute that has the same meaning in every context.

  5. DCLXV

    Time for the old truism

    Knowledge is power. For years the powers have been plotting to turn the internet into a domain for war, they've just been lacking the talent. I suspect anyone who makes an effort of dumbing down penetration testing tools, slapping some idiotproof front-end on it and packaging it as an Android app could make a pretty penny marketing it to the sort of folks that push jarheads around a map.

  6. chivo243 Silver badge

    Is this new news?

    Haven't I read this before? Like 5 years ago? I thought we should be quaking in our boots because NK and China have lots of cyber resources?

  7. Robigus

    Comedy Budget

    A $20m military budget?

    I understood things to be bad in NK, but that budget's getting them nowhere. Perhaps that's why they touch up their propaganda photos? Then again, they ARE getting nowhere.

    Bless their little fluffy-bunny socks.

  8. Martin Maloney

    I just can't help it, folks

    "...If, on the other hand, the attacker is North Korea, then the military should probably get involved..."

    Have they escalated cyber warfare to NORKlear weapons?

    Gettin' me coat...

  9. Loyal Commenter Silver badge

    It's funny...

    I've been reading his newsletter for over a decade, but only now found out what the man actually looks like.

    1. Michael Wojcik Silver badge

      Re: It's funny...

      That's just what he wants you to think he looks like.

  10. amanfromMars 1 Silver badge

    If things were only that simple .........

    Administrations which realise the overwhelming powers which virtual command and controls offer, but which would ignore and try to deny the exercise of a more equitable program of realities with a smarter meritocracy, in favour of their retention of an oppressive status quo oligarchy, will find it impossible to function and preserve an immunity from punitive action/reaction/proaction whenever the simply complex offers made to them for a better resolution regarding the conundrum they are experiencing, and which they might choose unwisely to ignore and/or oppose, are made freely available for all to see/read/hear everywhere and anywhere.

    The problem they, current exclusive executive administrative systems face, is not the spilling of secrets which they would know and hold dear, but the secrets which others who might prefer to ensure they remain relatively unknown, have discovered and would share and which render all regular traditional and irregular conventional former defences and attack protocols, null and void/absolutely useless and very revealing of self-serving hidden selfish motive.

    Methinks enlightened mobs will deal fiercely with that which be no better than ignorant fools in the practice of such arrogant follies.

    1. amanfromMars 1 Silver badge

      Re: If things were only that simple .........

      Oh, and furthermore, purveyors and guardians of that aforementioned problem for dodgy systems administrations can easily sell and be thought to be bought for their wares or even be handsomely provided with everything they may ever have dreamed of to keep schtum for a while just for now.

      Such a sweet prize are such surprises, and just desserts for rabid capitalists anywhere and everywhere.

  11. jarno.limnell

    Empty playbook

    Security in the cyber domain is considered an integral part of national and alliance security nowadays. Today, more than 100 of the world's militaries have some sort of organization in place for cyberwarfare, and over 40 countries worldwide have published a National Cyber Strategy. Cyber threats are also prioritized in many countries' national threat assessments. For example, the latest worldwide threat assessment of the US Intelligence Community states that cyber threats to US national and economic security are increasing in frequency, scale, sophistication, and severity of impact, and the Security Strategy of the Czech Republic emphasizes how cyber attacks can cause failures of communication, energy and transport networks, transport processes and industrial and financial systems, resulting in considerable material damage. In short, the danger of disruptive and even destructive cyber attack is estimated to have grown.

    The debate on both the impacts of cyber attacks and how to respond to attacks is active, but precedents are missing. Strategies and political speeches are always (at least partially) declaratory and vague by nature, and beyond these declarations the practical reality of cyber security as a national security issue is difficult. Obtaining reliable attribution is one of the most frustrating aspects of cyber, deterrence is hard to establish, and because there are no international treaties or norms about how to use digital weapons, there are no rules about how to fight a cyber conflict. Defensive, intelligence and offensive cyber capabilities are also difficult to assess, because governments keep their abilities very secret, and cyber capabilities cannot be counted in the same way as tanks or fighter planes.

    The Sony Pictures Entertainment case showed how difficult it is even to decide whether a cyber attack should be called "cyber vandalism", an "act of war" or "cyber terrorism." It also has to be kept in mind that we are already living in such a digitally dependent world that a technical glitch can halt trading on the New York Stock Exchange and force all United Airlines flights to be grounded - on the same day. It is not only a question of national security and how governments should protect private companies, but also of how attacked companies are able to deal with cyber attacks. Sony Pictures Entertainment CEO Michael Lynton has summarized the current challenge well: "There's no playbook for this, so you are in essence trying to look at the situation as it unfolds and make decisions without being able to refer to a lot of experiences you've had in the past or other peoples' experiences. You're on completely new ground."

    Cyber security has evolved from a technical discipline into a strategic concept, and conflict in the fifth domain of cyberspace blurs and perhaps enlarges the definition of "war" to encompass espionage, sabotage, opinion influencing, and intellectual property theft. It gives nations and non-state actors new ways to pursue their political goals on the world's chessboard. This new theater of operations, where nations must operate proficiently to keep pace with their adversaries, has no military antecedents, since there have been no wars between first-class militaries in the cyber era. We are entering a dangerously unstable and suspicious era, and we are doing so without a roadmap of tested command and control fundamentals. The more ominously cyber capabilities grow, the more troubling the command and control knowledge gaps become. There is a great deal still to understand about the escalation patterns and ripple consequences of cyber war, particularly where aggression is likely to cross from the virtual world into the real one. For cyber strategists today, every significant conflict or political event on the planet is a figurative classroom.

    Jarno Limnéll

    Professor, Cybersecurity

    Aalto University

    Finland

    1. amanfromMars 1 Silver badge

      Re: Empty playbook and happy days with ab fab fabless 0days

      That empty playbook, Jarno, is an unbelievable rich canvas upon which greater shared intelligences paint the future to be provided for media presentation and global realisation, which is actually then much more hypervirtualisation,

      And now, a little surfing to see if Aalto University is into supplying such novel future leadership alumni.

      And yes, ye olde established power systems are certainly rightly terrified of what even the most simply competent of cybernauts can practically do with virtually nothing and when it is only intelligence which can mentor and monitor their concerns to mitigate and manipulate all that the future holds as IT unfolds it in all of its glory, is that which is needed plainly identified for top gun hire in meaningful engagements/infinitely smarter programs for more enlightened bodies.
