Debunking the “cyber-security” hype


Prime Minister Julia Gillard has spent much of yesterday and today talking about the massive threat that so-called “cyber-security” attacks pose to Australia, and highlighting how the Federal Government is throwing billions of dollars at the situation. But is the “cyber” threat really that imminent and dangerous? No, according to Crikey correspondent Bernard Keane. Keane has published an extensive, highly referenced article debunking eleven recent “cyber” attacks. A sample paragraph (we recommend you click here for the full article):

“… it pays to be sceptical whenever politicians, commentators or companies talk about the massive threat cyber warfare poses. To help, Crikey has compiled a reading guide to some of the claims made both about cyber warfare and cybersecurity generally, and to some of the specific incidents that are used by advocates of “cybersecurity” …”

We don’t always agree with everything Keane writes, but we think he’s nailed it in this article. There is no doubt that attention needs to be placed on the IT security of Australia’s critical infrastructure, and that governments and corporations all around Australia should be doing a better job of securing their IT systems. However, it’s very unlikely that Australia is on the verge of a hugely dangerous “cyber” attack. Calm down, people. The “cyber” sky isn’t falling.

27 COMMENTS

  1. Can someone in the security industry please take Renai LeMay aside and have a quiet word with him…

      • Haha calm down Ren, Kevin was attempting to be humorous/sarcastic, his comment being directed at the fact that your article runs contrary to Govt & much private security propaganda/publication on the topic (and justifiably so, too – this is exactly the same kind of sky-is-falling fear mongering that generated the ‘Y2k bug’ nonsense that was one of the biggest orchestrated international rorts by an entire industry that the world has ever seen).

        Seems to me that memories are very short & the usual suspects are at play here with the same tired old tricks, but my money’s on them getting away with it because they always have & the public shows no signs of waking up at this juncture…

        • Off topic, but Y2k wasn’t a complete rort. The biggest concern was what would happen with all the devices, and especially the heavy machinery type devices, that had chips in them that couldn’t go past 99. That was the real issue. Unfortunately, in most of those situations a lot of the gear couldn’t be tested easily (often the work required to be able to test was harder than just replacing).

          Home PCs, even most business PCs etc., were not a great concern; that was definitely hyped out of all proportion.

          As it turns out it all went swimmingly anyway. There were a couple of documented failures due to y2k (HSBC lost all its swipe card access or something) and I have no doubt there were a lot of little glitches that just got managed. Now whether that was because it was a “non issue” or because everyone replaced and “fixed” every system is a question only the gods can answer.

          I actually look on Y2k as a major success. There was an issue, and people did something to prevent it, and lo and behold no issue. If only we were so forward thinking about climate change :-)

  2. I am not in a position to do that. For your benefit, I have asked. If it does happen, no promises Renai, you will likely not be able to discuss it in other than the most general terms. However you would have a much better understanding of the challenges we face in the cyber sphere.

    • Do you really work in the ‘cyber’ industry and call it ‘cyber something’?

      “oh what do you do for work?”
      “I cyber”
      “erm…you have online sex?”

    • “in the cyber sphere”

      hey Kevin,

      perhaps it’s time to reveal who you are/where you’re employed? I don’t think anyone who works in IT security would refer to their role as being “in the cyber sphere”.

      Cheers,

      Renai

        • Maybe I should start describing myself as a “cyber-blogger”.

          I can just imagine the reaction that would get every time I called up a government department for a comment.

          • Are you …… no …. you can’t be …..

            A Cyberman?

            I guess the next question is …. who are the Daleks?

            O wait. That’d be Tony Abbott wouldn’t it?

            CALL THE DOCTOR! WE’RE UNDER ATTACK!

    • yep, pretty much, it’s always easier and more convenient to blame those “evil hackers stealing my megabytes” lol… of course those with an interest need to overstate the severity to keep themselves relevant.

  3. We must fear all cybers. For they will cyber us with their cyber-ey things.

    The FUD and extensive bollocks perpetuated by those in this industry was the reason my time in it was limited. Yes, there are attacks. Yes, people have data stolen or compromised. Yes, both state and non-state actors are involved. Yes, attention needs to be paid and dollars spent.

    But lots of yesterday was hype. As is a significant part of what we hear from government and the media.

    It remains the fact that the greatest risk to corporate and government secrets is the compromised or disaffected insider walking out via the front door with photocopies or a USB stick full of information.

    And, for individuals, low-quality passwords, easily guessable, and overly-linked data are the wide-open front door to messing with your reputation and money. For those unsure, see Wired’s extensive coverage of Mat Honan’s very messy story – http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

      • They are!

        Apparently third-party cookies are unsafe, unless you’re using Safari on OS X, in which case you won’t get your viruses from third-party cookies…

        :|

    • Modern ‘photocopiers’ can be made to prevent the disclosure of sensitive information. Remember it’s just a digital scanner on top of a laser printer, so a second set of ‘eyes’ can “big-brother” anything happening on the device.

      Also, the sensitive government departments use terminal services with USB devices denied access by policy enforcement.

      You would really, really have to go to some lengths to steal that sort of information these days, which beggars belief as to how the whole ‘cable gate’ affair was executed.

      • Dan, what they *can* and do do are two separate things. I’ve worked in highly secure environments in recent times where not only are photocopiers not controlled, they are still rigged as faxes as well, against DSD advice.

        So too, USB. I’ve worked many places where they’re switched off at hardware or hot-glued. Doesn’t stop people invoking Gilmore’s Law when they need to.

        When need meets motivation, shit gets done.

        • I think this highlights a huge problem in IT security worldwide, but is particularly prevalent in Australia – if you want to secure your systems, you need to think and act like someone throwing everything they’ve got at compromising them. The best way to do this is often to employ hackers to do penetration testing, or at the very least developing these skills in-house. Unfortunately Australian law, government and industry prefer to deal with this issue by criminalising any and every part of it (including hacking for ‘legitimate’ purposes) and then burying their heads in the sand in the hope that somehow by ignoring it they have solved the very problem they are avoiding.

          Much like bankruptcy, Australia needs to grow up and embrace ethical hacking as a legitimate and fundamental step in protecting and securing their IT systems. I’d go so far as to suggest thorough penetration testing be a mandatory legal requirement for any company entrusted to securely store customer/citizen records. To do less is to fail in your duty of care to protecting the privacy of your customers.

  4. That person whose NBN gigabytes were hacked caused this sudden knee-jerk reaction, didn’t it! :)

  5. I saw a documentary the other day called “Skyfall” and OMG it’s so scary what is happening in the cyber space!!!
    Julia is right, more money spent on cyber safety will make our lives much better. Also we should start investing in prevention of Y3K bugs. By my precise calculation, spending our whole GDP on that will make us totally safe. :-)

  6. The problem is that anyone who could give accurate advice on the danger would most likely be employed in the industry, with much to gain from increased spending.

    Having said that… I think that the biggest loss caused by a “cyber attack” last year was the data that millions of people lost when the United States shut down Megaupload with no respect for the legitimate data stored there.

    The problem with data, be it photos or business records, is that the effort involved in deleting it is so small compared to the effort to create it.

  7. I would suggest this is being pushed by the US. I am in a US company that has in the past few years had some issues that resulted in DHS and FBI getting involved. This company does a certain amount of business with a certain large Asian nation.
    We are now going through absolutely ridiculous measures in regards to “cyber security”, and it is quite hush hush as to why in the upper echelons. So much so that I have been told not to ask. Which is surprising as, whilst communication is a major fail here, if you ask the right people you can usually find out what you want.
    Bearing in mind this company I am in is not defence or technology related in any way, nor do they do any particular amount of research etc. It is a primary producer who sells a single product. So any espionage type actions would at most affect the financial well-being only. (which could be considered enough in many ways, but still)
