Nick Carthew posed the provocative question on Twitter earlier today:
If cyberwarfare is the biggest threat in the 21st century why do we need to renew our nuclear deterrent? http://bit.ly/bNkBXn
There are of course a range of nuances to that question which can’t be squeezed into one tweet, but at its heart is a spot-on observation.
On the one hand, we’re now often told how internet hacking poses one of the biggest threats to our country’s future security and how illegal activities such as the hijacking of computers via bots are widespread and an extremely profitable form of crime.
On the other hand, the idea that the online world now poses a significant security threat and is home to much international criminal activity is only spottily applied.
Take one simple, practical example: how resilient to crime are the products an industry sells?
Both the car and mobile phone industry have moved away from having products that were easy to steal and hard to do anything about once stolen. Whether it is stronger locks on cars or easier disabling of stolen phones, both cars and phones are a far less easy target for criminals than they used to be.
Yet in the IT industry, computers are still often sold without strong firewall and anti-virus software in place. The absence of such measures, however, makes it far easier for the international criminal networks who use bots to take over computers and use them for criminal activities.
Raising standards doesn’t require regulation (indeed, trying to regulate would almost certainly be disastrously counter-productive given the relative speed of security threats and regulation usually) – some well aimed public pressure can be extremely effective.
Without that sort of public pressure the government risks looking like talking up the threats when it wants to justify spending money or expanding powers but not really concerned enough about the threats to be willing to embarrass a few people in the IT industry.
Follow @libdemvoice.org on Bluesky
Like us on Facebook
Subscribe to our feed
Sign-up for our daily email digest
Six council by-elections, spread over two days
Carers remain forgotten in government's welfare overhaul
Steffan Aquarone's Commons debate on coastal communities
Getting things done - Saggar Street - an update #dundeewestend
Loving our neighbours
Getting the basics right
Roland
Joseph Bourke
Stephen Nash
Margot Wilson
9 Comments
“computers are still often sold without strong firewall and anti-virus software in place. The absence of such measures, however, makes it far easier for the international criminal networks who use bots to take over computers and use them for criminal activities.”
Not really. Those things essentially provide an illusion of security, not real security. The main problems are that most home and office computers are running Microsoft Windows, a fundamentally insecure system, that many programs for Microsoft Windows require the user to run in a privileged mode, and that most users have little or no concept of basic security.
Changing any one of those things (moving off Windows, educating users or stopping users from running in privileged mode) improves security *far* more than anti-virus software ever could. Changing *all* of them would eliminate the problem. But the solution isn’t sticking more bloatware on an insecure OS – that’s about as useful as having a burglar alarm but leaving all your doors and windows open.
Oh – ignore their silly games. It’s just a ruse ahead of announcing Defence expenditure won’t be cut as much as public services. Softening the public. It’s all designed to create fear. It’s the same as tanks being sent to Heathrow in Feb 2003 – the day before the massive Stop-the-War march. (As if the Army were going to be firing tank shells across the runways at Heathrow)
Tanks to Heathrow before the peace march. The various ricin scares. The terror plot foiled at the start of huge aid convoy to Palestine. Look at the timing and see what else was in the news. It’s just a load of nonsense..
Meh. More people are going to suffer or die in the UK from diseases like Alzheimer’s, Parkinson’s, strokes, heart attacks or cancer than from terrorist attacks or cyber warfare. Certainly 10,000 times more and probably 100,000 times more. Especially since none have suffered or been killed by terrorism or cyber warfare in the UK since 2005.
Andrew: Agree that those other factors are important, but good design and policy can minimise the chance of people making the errors or omissions which subsequently cause problems. Good design protects us from out mistakes; bad design punishes for them. In the case of computers, supplying them without basic protection falls into the former category and from the security analysis reports I’ve read, the conclusion seems to be that more widespread use of decent firewalls and AV/anti-spyware etc software would make a big difference. There’s no perfect cure of course because criminals will in turn up their own level of sophistication, but as we’ve seen with crime in other areas that doesn’t mean you can’t cut crime. It makes it hard to end it completely, but it can be cut – as we’ve seen so clearly with cars. But have you seen some analysis that points to a different conclusion?
Mark, you’re right about good vs bad design, but the whole point is that Windows *is* bad design. Good design isn’t providing anti-virus software, good design is making anti-virus software uneccessary.
Anti-virus software detects only around 20% of new malware (see e.g. http://www.channelregister.co.uk/2007/12/21/dwindling_antivirus_protection/ ) so in most cases all it can do is remove an already-existing infection once the definitions update – assuming the malware allows it to update the definitions. And it is entirely possible to create viruses that anti-virus software cannot, even theoretically, detect (for example one that gets into the BIOS), or that won’t be found using existing technology (eg using a GPU instead of the CPU to run it).
Most ‘security analysis reports’ are by ‘computer security analysts’ whose job is trying to sell stuff to Windows users. But these things will not protect users who do unsafe things – my parents, for example, had a Windows box at home, which was used by my then-teenage siblings. Even with anti-virus software, two different anti-spyware programs and a firewall, I would literally have to remove *thousands* of pieces of malware from their machine every time I visited ( I remember one visit, after a three month gap, I found 11987 different pieces of adware were on there – I remember the number). When I persuaded them, for a year or two, to switch to a Debian GNU/Linux box, by contrast, they didn’t get *any* – without a change in their behaviour the only change that would work was switching to a secure OS.
Malware is not a problem that exists on its own – it is a problem that *only* occurs on Microsoft Windows, because of very specific problems both with that operating system and with the culture that surrounds it ( a culture of running software from many different arbitrary sources with no real way of checking it does what it claims). Adding on anti-virus software does not protect people from those two things. Run *any* other OS – GNU/Linux, Mac OS X, Android, ChromeOS, FreeBSD, AIX, Solaris, whatever – and these problems don’t apply. Educate Windows users not to execute arbitrary code and these problems apply far less (I know people who’ve run Windows for ten or fifteen years with only signle-digit infections). But if you don’t do either of those then anti-virus software won’t do any good at all…
The bit in this article I found most interesting is the mention of nuclear weapons.
What about cyberattacks on nuclear weapons systems…….. Another argument not to have them.
Darren Reynolds
“Especially since none have suffered or been killed by terrorism or cyber warfare in the UK since 2005”
This test for policy – has it happened recently – does not seem very good. We did not have a bank run for many years.
If a cyber attack takes down a power station, people could well suffer significantly
It’s a bit of silly reasoning, although entertaining.
If you spin the question around:
“If cyberwarfare is the biggest threat in the 21st century why do we need to have a standing army?”
Then it might show the pointlessness a bit better.
Cyberwar nonsense is an excuse to curtail internet freedom, given Twitter joke trial and the like, is not something anyone should ignore.