back to article We stand on the brink of global cyber war, warns encryption guru

We are in the early years of a cyber war arms race, security guru Bruce Schneier warned delegates at the Infosecurity Europe exhibition on Wednesday. Schneier, CTO of Resilient Systems, said the much publicised Stuxnet attacks on Iran by the US and Israel in 2010, Iran’s attack on Saudi Aramco, China’s apparent role in hacking …

  1. Tomato42 Silver badge
    IT Angle

    Sony hack costing $15 million? I think they counted only the cost of cleaning ladies and detergents, not BOFHs working overtime.

    1. Small Furry Animal

      You missed the last 5 words

      "Schneier claimed that the $15m clean-up costs booked by Sony Pictures in the wake of the attack seem to under-estimate costs and further charges will likely follow"

      The BOFH hasn't submitted his bill yet :-)

    2. Adam 1

      The math looks right to me. Clearly this damage is the same as someone pirating 660 songs.

  2. jake Silver badge

    Anybody who uses the term "cyber" in this context ...

    ... can probably be safely ignored.

    "Cyber" is an irrelevant catch-all, usually meaning "I know nothing about computers and networking".

    1. TonyJ Silver badge

      Re: Anybody who uses the term "cyber" in this context ...

      "...... can probably be safely ignored."

      I bet you said the same thing about Snowden

    2. John H Woods

      Re: Anybody who uses the term "cyber" in this context ...

      I disike the prefix "cyber-", quite possibly for many of the same reasons you do. But it's here and it's going to stay; language evolves, quite often in ways one deprecates, but one has to accept it. And I might even agree that most people using the term "can probably be safely ignored" - but this is Bruce Schneier; so it's unlikely we can so easily consider him a member of that category.

    3. Anonymous Coward
      Anonymous Coward

      Re: Anybody who uses the term "cyber" in this context ...

      Ignore Schneier at your peril

      1. Anonymous Coward
        Anonymous Coward

        Re: Anybody who uses the term "cyber" in this context ...

        Ignore him? I can't even speak his name.

      2. mrvco

        Re: Anybody who uses the term "cyber" in this context ...

        I have to question anyone touting the party line that the DPRK was actually responsible for the Sony "hack".

        1. PrivateCitizen
          Unhappy

          Re: Anybody who uses the term "cyber" in this context ...

          I have to question anyone touting the party line that the DPRK was actually responsible for the Sony "hack".

          Same here. I am a big fan of Bruce (cant spell his surname though) and I count myself as one of the "followers" who regularly read his blog and buy his books.

          However, I am at a loss as to what changed his mind on the Sony hack, other than the fact that the company he now works for (Resilient Systems, once called Co3) does a good line in incident response and the fear of Nasty Norks is better for business than "shit happens and on the interwebz a shit can be a big one."

          I hope this isnt true though.....

          Sadly, nothing in Sanger's NYT article was new, novel or really worth changing your mind over.

          1. Anonymous Coward
            Anonymous Coward

            Re: Anybody who uses the term "cyber" in this context ...

            "However, I am at a loss as to what changed his mind on the Sony hack, other than the fact that the company he now works for (Resilient Systems, once called Co3)..."

            My information is that he gained access to the classified report on the incident, a report generated by the FBI, but sourced from the NSA.

            A report that I also read, when it was first released. Released on the day that Sony admitted that they were hacked.

            There are good points to be had for holding a security clearance. Of course, the bad points are tons and tons of mind numbingly boring reports one isn't even allowed to complain about, as the only people who you could complain to is your own uncleared family.

        2. Anonymous Coward
          Anonymous Coward

          Re: Anybody who uses the term "cyber" in this context ...

          'I have to question anyone touting the party line that the DPRK was actually responsible for the Sony "hack".'

          That you question it is telling, you're a neophyte in the information security biz.

          The DPRK cyber warfare team were trained by their benefactors in the PRC. Those chaps in the PRC are damned good at their jobs!

          To the point that one global corporation has had PRC cyber spooks inside of their network for over two years. When called in to assist in the mess, I remarked that the PRC cyber operatives should be drawing a company paycheck, as they're in the network nearly full time.

          But, I'll admit, their methods are quite inventive, adaptive and occasionally, novel.

          Think of them as China's version of the BOFH, turned spook.

          Still, I have to question the wisdom of that corporation's configuration, where one manages to access the interior network and even protected networks through a DMZ machine.

          The blithering idiots.

  3. Zog_but_not_the_first Silver badge
    Windows

    Just as well...

    Some us have BTI* survival skills.

    * Before the Internet.

    1. James Boag

      Re: Just as well...

      What, You didn't back up the internet just in case !

      1. Anonymous Coward
        Anonymous Coward

        Re: Just as well...

        @James Boag; Don't worry, I'm on it right now!

        Damn, has anyone got a spare floppy?

        Interesting to wonder at what rate new content was being uploaded to the Internet back in the late 90s(?) when that gif came out... and how much more is being added now. Or put another way, what's the minimum connection that would be required simply to keep up with all new content currently being uploaded worldwide?!

        1. Martin

          Re: Just as well...

          That sounds like a question for Randall Munroe...

          https://what-if.xkcd.com/

        2. Wzrd1

          Re: Just as well...

          "Or put another way, what's the minimum connection that would be required simply to keep up with all new content currently being uploaded worldwide?!"

          I don't know, but I have six (!) OC-48 feeds coming into my building at work.

          And we're *not* the NSA or any other government entity.

          1. Anonymous Coward
            Anonymous Coward

            Re: I have six (!) OC-48 feeds coming into my building at work.

            "I have six (!) OC-48 feeds coming into my building at work."

            Marvellous.

            Now, once this Internet feed has been de-duped by your WAN accelerators and your storage magick, and once a top secret gadget has removed everything which some judiciary somewhere regards as pornographic or terrorist-related, will half a dozen boxes of line printer paper a week be enough to print out the useful content in what's left?

            Please call 1-800-PAPER to place your order. Also available: 100MB Zip drives and media. Free limited lifetime warranty.

    2. BobRocket

      Re: Just as well...

      'Before the Internet'

      Ha, Ha, that's a good one, is that one of those tales that old people use to scare the children ? Next you will be telling us that Maccy Ds used to come in styrofoam boxes (like anyone would believe that :)

      1. Tromos

        Re: Just as well...

        I always thought the Styrofoam came between the two bits of bread.

        1. Wzrd1

          Re: Just as well...

          I always thought that slices of bread *were* Styrofoam.

    3. werdsmith Silver badge

      Re: Just as well...

      Before the Internet indeed.

      Protect and Survive - Government Information Film.

      Remove a door from its hinges and lean it against a structural wall.

      Take bin bags and fill them with earth from your garden, and pile them up to cover the door.

      Hide under the door with your family and a battery transistor radio to listen for government information.

      Do all of this in the four minute warning period.

      What happened to all those sirens on pylons and high buildings?

      1. Dan Paul

        Re: Just as well...(You never got the US filmstrip version)

        In the case of a nuclear emergency, please crawl under your desk, kneel on the ground facing away from the windows and cover your eyes (and kiss your ass goodbye).

        Your glowing parents will be over to pick you up as soon as the half life of Plutonium kicks in. You can play a lot of Fallout 5 in the meantime.

        Our sirens are still here but the "shelters" have all been demolished as someone figured out that that many MRVs meant there was no point unless you were in an underground bunker Terminator style.

        1. Wzrd1

          Re: Just as well...(You never got the US filmstrip version)

          "Your glowing parents will be over to pick you up as soon as the half life of Plutonium kicks in."

          I don't know about the plutonium bit, but I'm of the generation that has radioactive bones, courtesy of strontium-90.

          My area also still has plenty of the old CD shelters, aka school, church and older government buildings basements.

          As I said long ago, when working with nuclear field missiles, "Go toward the light, my children!".

          For, afterward shall be much suckage.

      2. P. Lee

        Re: Just as well...

        Now the government wants everyone to use a dab radio and internet companies want us to stream music so after the big one, we'll have no comms and no record of miley cyrus.

        Swings and roundabouts I guess.

      3. Wzrd1

        Re: Just as well...

        "What happened to all those sirens on pylons and high buildings?"

        They figured out that all of those precautions were rubbish.

        If the nuclear attack didn't get you and the firestorm didn't get you, nuclear winter would get you.

    4. RegGuy1

      Before the Internet

      No. That can't be true.

      There can't have been a before the Internet. How would people have survived?

      1. Message From A Self-Destructing Turnip
        Windows

        Re: Before the Internet

        It OK guys we're safe, I've put the big blue 'e' into my recycle bin, if anyone tries to blow up the internet we can just restore it from there.

        1. Wzrd1

          Re: Before the Internet

          "It OK guys we're safe, I've put the big blue 'e' into my recycle bin, if anyone tries to blow up the internet we can just restore it from there."

          Oy!

          The Almighty wanted me to tell you, he can get me out of this mess, but he's pretty sure you're fucked.

          I have the internet backed up on my SAN in the basement, run on a Linux cluster, secured by *BSD and managed from a Solaris box.

    5. allan wallace

      Re: Just as well...

      "BTI Survival Skills"

      - I call them "Books"

  4. Christian Berger

    Luckily defence is comparatively easy

    Just use well designed systems.

    Don't use "smart"-phones which are highly complex and let the GSM baseband chip talk directly to the memory of the CPU.

    Avoid closed source software.

    Try to get your systems as simple as possible.

    Educate your users.

    A side effect of this is that you get much faster and more reliable systems, which are easier to maintain. Also, if you are a nation state, try to build your own computers and computer chips. If a simple CPU can be designed by a small start-up in the 1970s you surely can do it, too. You don't need to do things like video decoding or 3D graphics on your main CPU, those things can be safely separated into separate chips having their own RAM.

    1. Anonymous Coward
      Anonymous Coward

      Re: Luckily defence is comparatively easy

      "Don't use "smart"-phones which are highly complex and let the GSM baseband chip talk directly to the memory of the CPU."

      HAH. Try finding one still in good working order that still operates on usable bands.

      "Avoid closed source software."

      As if Shellshock and Heartbleed would've been found any quicker. Let's face it; if a true spook wanted to pwn an open-source system, they can do it by way of hundreds of tiny pieces coming together in just the right command, and it's highly unlikely any one person would be able to figure out how all the pieces come together.

      "Try to get your systems as simple as possible."

      But then you find that the level of NECESSARY complexity is already too complex to make things easy to fix.

      "Educate your users."

      People these days DON'T WANT to learn.

      "You don't need to do things like video decoding or 3D graphics on your main CPU, those things can be safely separated into separate chips having their own RAM."

      But that entails specialization, which kinda defeats the purpose of "Keep It Simple, Stupid" by putting everything into a general-purpose processor that can do everything.

      1. Wzrd1

        Re: Luckily defence is comparatively easy

        "People these days DON'T WANT to learn."

        Easy. Make the people *want* to learn.

        'If you get infected due to stupidity, which is entirely the IS shop's call, you are terminated for cause and we'll sue you for damages incurred from the remediation'.

        I know of one information security shop that has just that clause in their employment contract.

      2. Anonymous Coward
        Anonymous Coward

        Re: Luckily defence is comparatively easy

        ""Don't use "smart"-phones which are highly complex and let the GSM baseband chip talk directly to the memory of the CPU.""

        "HAH. Try finding one still in good working order that still operates on usable bands."

        AND you are using an old, easily-broken encryption.

    2. Anonymous Coward
      Anonymous Coward

      Re: Luckily defence is comparatively easy

      "If a simple CPU can be designed by a small start-up in the 1970s you surely can do it, too."

      1970s was towards the end of the era of 16bit computers such as PDP11 (on a single chip towards the late 1970s?) and the start of the era of 32bit computers such as VAX (initially in the late 1970s occupying several 19" racks filled with hardware).

      I do appreciate where you're coming from, but what software are you going to run on your 'simple' PDP/VAX era CPU.

      I like RT11. Is there a torrent client for RT11?

      1. Wzrd1

        Re: Luckily defence is comparatively easy

        "1970s was towards the end of the era of 16bit computers such as PDP11..."

        Wow, that brings back memories. My high school had a donated PDP11/03.

  5. Joey M0usepad Silver badge

    sounds like he's touting for business

    1. James Pickett

      "Schneier, CTO of Resilient Systems.."

      Company slogan: "Things are worse than you thought".

      1. Vector

        Tag line (and possibly understatement of the year):

        "...things will get out of hand"

  6. Anonymous Coward
    Anonymous Coward

    This is what spies have always done. I don't see that the back and forth between the Soviets and the West was tremendously different either in the fact that sufficiently well resourced and determined attacks will always succeed or that collateral damage was a regular occurrence.

    Not putting critical assets on the internet seems like a sensible precaution to me, and I still don't understand the obsession with internet enabling anything and everything.

    1. Anonymous Coward
      Anonymous Coward

      "Not putting critical assets on the internet seems like a sensible precaution to me, and I still don't understand the obsession with internet enabling anything and everything."

      Because how else are you going to retrieve anything on a moment's notice when an emergency arises? It's a tradeoff: make things one step removed and you make them harder to retrieve. It's harder for the enemy to get to it, but then it's harder for YOU to get to it, too, especially when Murphy strikes and you need it yesterday.

      1. Anonymous Coward
        Anonymous Coward

        Yeah, I do get that and as someone who VPNs into a corporate network I'm aware that the risk/reward assessment mostly comes up positive for making services securely accessible.

        What I don't understand are 2 things:

        1) when the disaster scenario is sufficiently scary (critical infrastructure and especially nuclear) how on earth can the risks be deemed worth it? Onsite support can't possibly cost so much more that I can see the risks stacking up.

        2) when the rewards are as trivial as turning on a light or many of the other completely meaningless 'benefits' of the IoT revolution even a modest risk seems like a stupid thing to take on.

        1. Wzrd1

          "What I don't understand are 2 things:"

          What I see is someone who has not detected, responded and mitigate an APT incursion.

      2. Anonymous Coward
        Anonymous Coward

        before the internet, after the internet

        "Because how else are you going to retrieve anything on a moment's notice when an emergency arises?"

        Before the Internet, there were private networks. They were used for lots of different things, and they didn't talk to each other or visibly use anyone else's network (whether they did underneath was a different question).

        Along came the Internet and took over the world, largely because it was cheap by comparison with private networks, and beancounters always prefer cheap to robust.

        After the Internet, there will be private networks again.

        Once upon a time, in the early Internet era, I was on a working trip to the US. There was a hurricane which was advertised as quite severe, and indeed the phones and the Internet stopped working. Fortunately X.25 ran over a separate set of kit and cables, and thus survived. I managed to get a message via X.25 from the US to colleagues in the UK, so they could let my worried family know that I was OK.

        The private networks of the future may not look like X.25, but nor will they look like today's public Internet, and the private networks probably won't share many resources with the public internet either.

        Tell that to the young people of today and... sorry, how does that one end?

    2. Anonymous Coward
      Anonymous Coward

      "This is what spies have always done. I don't see that the back and forth between the Soviets and the West was tremendously different either in the fact that sufficiently well resourced and determined attacks will always succeed or that collateral damage was a regular occurrence."

      True enough, but then, every corporation with intellectual property wasn't being spied upon.

      Today, it is. *And* infrastructure is also targeted to learn how to drop it.

      Welcome to the bad new days of Cold War 33 1/3.

  7. This post has been deleted by its author

  8. amanfromMars 1 Silver badge

    Tell us something we don't already know, Bruce.

    Some universities are leading players in the virtual arms race ..... http://www.qub.ac.uk/sites/QUBJobVacancies/FeaturedJobs/CSITCareers/ .... and busy recruiting pioneers.

  9. TeeCee Gold badge
    Alert

    Next week: Sony implicated in assassination of Kim Jong Un.

    World fails to give a shit....

    Eventually the big corporates will grow tired of the failure of their governments to protect them in an environment where international borders mean sod all and take action to solve these problems their own way.

    We're sleepwalking into the demise of national governments as meaningful entities, as pan-national enforcement (regardless of treaties, jurisdiction, diplomacy and other such cruft beloved of politicians) slowly becomes a "must have".

    1. Cubical Drone

      "We're sleepwalking into the demise of national governments as meaningful entities..."

      Thought we were already there.

    2. P. Lee

      >We're sleepwalking into the demise of national governments as meaningful entities,

      Yes, one world government is what we need.

      I'm not sure what you do when you realise you don't like Kim Il Sung as leader though.

    3. Anonymous Coward
      Anonymous Coward

      "Eventually the big corporates will grow tired of the failure of their governments to.."

      Protect them from obscene risks, we're there, kiddo.

      Corporations are protected in the US from failure. Period. If they're in the Fortune Group.

      People be damned, the Corporation will win the day/election/decision and rule.

      Back to the Gilded era.

      Save for a few confounders.

      First and foremost, those who can trivially explain why an inertial confinement system can be improved past 20 shakes and energies reflected properly retain a supercritical assembly until majority of reactants are consumed.

      In short, how to build a modern, multi-part boosted fission device and also how to build a modern thermonuclear device.

      Also, a lot of Special Operations.

      Finally, a group that will remain nameless, lest they be exposed to risk.

      While we're prohibited from joining a militia, we're permitted association.

  10. auburnman

    I suppose if you look at it in a certain light* hacker attacks are sort of a spiritual successor to the commando raids tactics developed in WWII: Get in, do some damage well behind enemy lines, and leave. With the added bonuses of not having to risk lives or physically penetrate enemy territory in the first place.

    *eg maybe after a few pints or a herbal cigarette

  11. Anonymous Coward
    Anonymous Coward

    A little late

    It's a little late to have just woke up and smelled the coffee that has been brewing for the past decade.

  12. Bucky 2

    A Taste of Armageddon

    I, for one, welcome the disintegration booths.

    1. Anonymous Coward
      Anonymous Coward

      Re: A Taste of Armageddon

      Doesn't count; Kirk & Spock "hacked" those computers with phasers.

      1. Brewster's Angle Grinder Silver badge

        Re: A Taste of Armageddon

        "Doesn't count; Kirk & Spock "hacked" those computers with phasers."

        They were optical computers.

  13. zerowaitstate

    Warfare via computer networks isn't soft power.

    This is, I believe l, the most pressing problem with so-called cyberwarfare. States that are involved in it think it merely causes financial damage (I.e., lost productivity), and so routinely conduct attacks without the self reflection they would use prior to actual bombing or othet kinds of military offense. Network attacks are no longer no-harm-no-foul. IoT means network attacks have the potential to actually hurt or kill people if the designer of the malware mistakes a pacemaker or vehicle guidance system for a desktop PC and kills it over the wire. I worry that cyberwarfare, as it is called, will start an actual very deadly war entirely by accident.

    1. Paul Crawford Silver badge

      Re: Warfare via computer networks isn't soft power.

      Sure, eventually something important will be hacked and people will die and, maybe then, will organisations will finally wake up and stop putting critical stuff on the internet at all.

      Hell if you had to audit your whole system and get risk-based insurance for such design-decisions we would hardly see any such risk, as then systems would be properly secured and so take physical access as well as cyber skills to damage.

      Just now there is a sporting chance of a few script kiddies taking a pop at critical stuff because a many years old and unpatched (or unpatchable) system is now exposed to "save money" and "improve productivity" in an important infrastructure or plant somewhere.

  14. Cynic_999 Silver badge

    Surely Sony ...

    ... would simply grab one of those guys we see all the time in the movies who can defeat any virus in a few minutes by furiously typing suspiciously Unix-like commands whilst interpreting reams of hexadecimal digits scrolling past on a VDU at 100 lines per second? (Obviously having a green monochrome screen helps tremendously). Optionally, an assistant can be brought in to plot the real-time movement of an incoming virus attack on a large wall-mounted World map* as it heads towards its target.

    *Or a 3D globe if the path includes satellite links.

  15. Anonymous Coward
    Anonymous Coward

    Makes sense...

    World War III is already underway.

  16. asdf Silver badge

    us military why?

    Considering how vulnerable the US infrastructure is I would think the US military would take the same stance with cyber attacking others as they do with torture, that we are against because we don't want to be the victim of it (they are against at least publicly was the CIA and executive branch that did it). I guess that only applies to the civies though because a lot of the military is already used to living like in the stone age out in the sticks.

    1. Charles 9 Silver badge

      Re: us military why?

      The US military, in spite of the stereotypes, aren't idiots. They face enemies who have never heard of things like the Geneva convention. These enemies are committed to the idea of "Might makes right," "history is written by the winners," and "the end justifies the means." IOW, the US faces enemies who believe in total war with no taboos: no rules. How does one fight an enemy who's not afraid to use ANYTHING in their arsenal (including CHEATING) to get you?

      1. Anonymous Coward
        Anonymous Coward

        Re: us military why?

        "The US military, in spite of the stereotypes, aren't idiots. They face enemies who have never heard of things like the Geneva convention. These enemies are committed to the idea of "Might makes right," "history is written by the winners," and "the end justifies the means." IOW, the US faces enemies who believe in total war with no taboos: no rules. How does one fight an enemy who's not afraid to use ANYTHING in their arsenal (including CHEATING) to get you?"

        Oh dear...where to start?

        Napalm? Agent Orange? Invading foreign soils without just and legal recourse? Did you honestly just use "might is right" outside of the context of the US military? Do you even comprehend WHY the USA are so often despised?

        Cheating? In war? "Oh I say! You shot me with a sniper rifle and didn't let me know you were there!"

        Or how about killing innocent bystanders with drones? Or Nukes?

        Expand outside the military - extraordinary rendition? Torture? Mass surveillance? Treating your own citizens like terrorists 'just in case' ?

        I'm not massively anti-US despite the tone of this post, but the sheer, utter, trolling ridiculousness of your brainwashed idiotic, cretinous post couldn't go unanswered.

        1. Charles 9 Silver badge

          Re: us military why?

          So riddle me this, Batman. How do you fight an enemy for whom Mutual Assured Destruction is an acceptable if not WINNING scenario? There are people and organizations for whom, "If I can't win, I'm taking all of you with me" is literal.

          1. TonyJ Silver badge

            Re: us military why?

            I know it's Friday and all, but are you high? Do you even understand the concept of irony, or are you just trolling?

            "If I can't win, I'm taking all of you with me" is literal.

            From the country that brought us the original nuclear arms race, that has been pretty much the dogma for decades. Hell the only reason I don't want us, the UK, to scrap and not replace Trident is so we're not completely toothless in the face of the world we currently live in, regardless of all the rest of the arguments that get bandied around.

          2. asdf Silver badge

            Re: us military why?

            >"If I can't win, I'm taking all of you with me" is literal.

            ie. the US during the Reagan years. Thank heavens at least the rest of the world realized it.

  17. crayon

    'are committed to the idea of "Might makes right," "history is written by the winners," and "the end justifies the means."'

    This completely describes the US military and US foreign policy. IOW the US faces a familiar enemy.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020