As 2009 shuffles off its mortal one, so ends Ubiwar’s first full year of operation.  Thanks to the many linkers, commenters and tweeters that continue to support the blog through its often meandering changes of focus and format. The blog is evolving, as is its author, and as long as readers are happy to play along then I’m content to keep experimenting.

And now, a new calendar year hoves into view, honking like a fat duck. How 2010 will play out, who can tell, but it’s sure to be a doozy. It’s also going to be a busy one for me, with some major writing commitments, another thesis, and plenty of other irons in the fire that will ensure inadequate sleep, looming deadlines and a consistent sense of mild panic. Well, it keeps me on my toes.

In closing, here’s to you and yours at New Year. I’m no good at spouting trite pleasantries on such occasions, so just have a good  ‘un, and I look forward to your company for another 12 months.

Cheers all!

Tim

The arrest of the Sargodha 5 led to a quickfire post by John Arquilla at Foreign Policy on 12 December, How to Lose a Cyberwar. In this he made the tired assertion that cyberspace acts as a ‘virtual haven’ for a variety of violent non-state actors, principal amongst them al-Qaeda and their ilk. He rejected the claim that intelligence gathered from the various sites and forums frequented by individuals of varying degrees of dangerousness and dedication was sufficient to  justify leaving them online. Instead, the US (and by extension its allies) should further its campaign against AQ-plus by treating cyberspace as battlespace, across the board.

I made clear my views on this proposal in an op-ed for The Guardian, and in subsequent posts here and at FREErad!cals. I don’t think that the militarisation implicit in Arquilla’s piece should be applied at the level of socio-cultural use of the internet, regardless of the security implications of the minority use of the internet for extremism-related purposes. Given that the military already (and in my view, justifiably) regard cyberspace as battlespace (in times of war), Arquilla’s comments must be read as an extension of this concept into the civil domain. I think that’s unnecessary and unjustifiable, as well as undesirable and potentially counterproductive.

Far be it from me to criticise John Arquilla, one might think. After all, this is the guy who, along with David Ronfeldt (reader of and occasional commenter on this blog) pretty much theorised ‘cyberwar’ in the early 1990s before Johnny-come-latelies like me were even out of college. As one of the deans of institutional thinking on the subject of conflict in and through cyberspace, when Arquilla speaks one should at least listen and digest. I just happen to think that on this occasion he is mistaken in this facet of his views. I have no practical problem with his ‘taking the fight to jihadis in cyberspace’ concept but I do think his perspective betrays a certain institutional mindset which is precisely at odds with the message he was trying to convey. Basically too Cold War at worst, and at least five years behind the times at best.

Whilst I have concentrated more on the ‘cyberspace-as-battlespace’ element of his comments, he has also been taken to task on one of the other pillars of his argument:

Those who do try to keep an eye on terrorism in cyberspace often argue that they learn a lot about enemy networks by monitoring their narratives on jihadi websites. But if this made a real difference, we would have already won the war on terror.

Disingenous in the extreme, but a straw man that could easily have been floated past many an FP reader, I’m sure. Now read the following extract from a piece by Mark Thompson in TIME, Should the US Destroy Jihadist Websites?:

But Arquilla’s logic doesn’t add up, counters Evan Kohlmann of the non-profit NEFA Foundation, created following 9/11 to track Islamic terrorism. Shutting down jihadist web sites ‘would be like firing cruise missiles at our own spy satellites,’ he argues, referring to the intelligence the US and its allies glean from such sites. Besides, it can’t be done. ‘If you shut down one of their websites today, they have a complete copy elsewhere and can put it up on a new server and have it up tomorrow,’ Kohlmann says. Such websites are the only window the rest of the world has into al-Qaeda and other such groups. ‘If you start shutting down the websites,’ he adds, ‘it’s like chopping up a jellyfish — you end up with lots of little pieces that are very difficult to monitor.’ Kohlmann believes that the websites are a treasure trove of valuable intelligence, most of which is being overlooked by the US.

I agree. The TIME article goes on to quote Christopher Boucek’s views recently expressed on the Hill that the US should be engaging online with ‘problematic’ community discourses. They could also have added Jarret Brachman’s testimony in the same session calling for more investment in academic research and cultural understanding. Although I only scratched the surface of the problems inherent in either of these approaches, I do think that transparency, exposure and understanding are more productive than the alternatives that would accrue through a renewed offensive chasing jihadis around the internet.

On this particular issue there is a groundswell of opinion contra Arquilla. When Evan writes in a follow-up piece at Counterterrorism Blog, ‘I don’t believe I’m alone’ with respect to challenging the Arquilla/takedown school of thought, he is correct. Certainly, private conversations with individuals who I won’t name (but will be familiar to many readers) suggest this is the case.

I’m not an expert on the nitty-gritty of online jihadist communities but I know plenty of people who are. The fact that most have rejected the Arquilla/takedown perspective is quite illuminating and – may I be struck down for suggesting it – makes me wonder how well Arquilla understands the environment in which he is recommending his brand of intervention. His ideas are weirdly anachronistic and misrepresentative, as well as crudely militaristic. Strange stuff.

[Cross-posted at Current Intelligence]

News is leaking out that the White House will today appoint Howard Schmidt as Cybersecurity Coordinator. Schmidt is an old industry hand with service experience and a previous stint as a cybersecurity adviser in the Bush administration.

I’ve stayed clear of this issue as it’s rolled along this year. Most of the discussion has revolved around the post being a form of Siege Perilous. Fail to find the Holy Grail of cybersecurity and the chosen one will be put to the sword.

Widely described as a ‘cyber czar’, this misrepresents what is actually needed at this level. Whilst the US (and most of its allies) love a neat hierarchy in which blame and responsibility can be shunted up and down as political circumstance dictate, there is little reason why this post actually requires real ‘power’. It would be a woeful misrepresentation of the cybersecurity ‘problem’ if the US were to adopt a traditional hierarchical structure with executive power concentrated in one man, simply because this is the way it’s always been done.

Forgive me if I’m channelling Mike Tanji a bit in this post but I largely agree with him. Mike was right when he wrote on this subject back in August:

The way to deal with a cyber security emergency on a national level is not consolidation, but distribution. That’s kind of the reason the ‘Net was invented in the first place: to make sure if one node in a network was taken out, information could flow to its intended destination regardless. Centralized management provides the illusion of control, but it doesn’t make things more secure; it just makes things more brittle. When such systems do break – and they will – the damage will be more severe and it will take longer to recover.

Although I do not think that worst-case scenarios should be the driving concepts behind national cybersecurity, Mike’s words apply to the structures states require to be effective in combating the day-to-day, run-of-the-mill cybersecurity issues as much as they do the cyber ‘black swans’ that may or may not occur in the future. It’s far more important that the new co-ordinator deals with improving information assurance, intelligence sharing, security procedures, inter-agency co-operation and multi-sector communication, etc, than it is that he is seen as a knight in shining armour. The lack of a big stick might not be a problem. Schmidt – if he is confirmed today – is an experienced communicator who can hopefully find ways of getting all sectors and stakeholders to pull together in the right direction.

What is the right direction though? It’s time the administration disentangled two issues. Cybersecurity does not necessarily equate to national security, either in cause or effect. Cybersecurity is an element of national security, of course, but the desire for national security should not obscure the fact that most cybersecurity is not a national security matter. That’s a blunt way of saying that cybersecurity should not be viewed purely as a national security issue. It would be far truer to say that cybersecurity is mainly a commercial matter, or a privacy concern, or a consumer issue. That this post is viewed primarily as a national security appointment is clear from its lines of reporting: Schmidt will report to the President through John Brennan, head of counterterrorism on the National Security Council, who also headed the search committee.

The job spec’s been written, and the candidate chosen, so that’s that. Schmidt’s no fool, I’m sure, and he will have his own ideas as to how to harness the skills of those he is charged with co-ordinating. How he balances competing interests remains to be seen. One thing he could usefully keep in mind is that you need a network to compete with a network: the brute force of American government and industry is unlikely on its own to be able to deal with any [correction: many] of the cybersecurity issues facing the US, unless vendor lock-in, over-cost IT projects, and data loss are desirable outcomes.

A day is a long time on the internet, and an hour longer still for those Twitter users temporarily deprived of their favourite web platform for an hour or so yesterday (18 Dec, UK time). As we all know by now, Twitterers were redirected via a DNS hack to a webpage showing a banner proclaiming the arrival of new and mighty actor in cyberspace, the Iranian Cyber Army. I won’t rehash the details, as Praetorian Prefect has them all.

As I said on UK’s Channel 4 News last night (full interview here) we do not yet know who was responsible. My personal experience with the media yesterday suggests they really wanted to hear this was the work either of the Iranian government itself, or of Iranian pro-government hacktivists acting with or without state support. I refused to make such an assertion, or point the finger at anyone in particular.

Since then, Techcrunch (amongst many others) have revealed more details of how the actions were carried out, and there are strong signs that the culprit had legitimate Twitter log-in credentials to the Dyn DNS registry. The implication of the latter is that a Twitter employee’s username and password were used to access the system, allowing ‘whoever’ to amend Twitter’s DNS registration details. Dyn last night disabled access to their ‘e-mail based password reset system, to prevent compromise of customer login credentials via e-mail systems’, which gives some clues as to how this happened.

This doesn’t illuminate the question of ‘who’ much but does allow for the possibility that it was an ‘inside job’. I mention this, not because I think it was, but because insiders are far more likely to cause cybersecurity breaches than are outsiders. Let’s just keep the possibility on the table for now.

Prior to yesterday, the Iranian Cyber Army did not exist in name, not that I’ve been able to discern anyway. This doesn’t mean that this isn’t an individual or group by another name but that this particular manifestation is indeed new. Who they might be will remain disputed, no doubt.

Techcrunch asserts that the incident was definitely ‘part of a concerted effort across the Iranian government and military to take a stronger diplomatic stance against the United States and European Union in the lead up to negotiations on Iran’s nuclear plans.’ Their reasoning is spurious, based on unnamed ’sources’ and a blind confusion between the possible and the probable. Talk about leaping to conclusions.

There is no evidence that this was the work of Iranian intelligence or military, or even of Iranians, in Iran or elsewhere. Sure, the banner was clearly thumbing its nose at the US, and was geared to look like a Shi’a statement, but that does not make it the work of Iran or Iranians. It was occasionally reported that the Arabic on the banner read, ‘Hezbollah will surely be victorious’, or similar. Again, not necessarily true. The line is from a Qur’anic ayat referring to those who belong to and follow the ‘party of God’; far from an explicit reference to Hezbollah, the Lebanese Islamist organisation, even if that too is where they got their name.

In a subsequent segment on the Channel 4 website, anchorman Alex Thomson asked – with a wry chuckle, it has to be said – whether the attacks were the result of ‘CIA dirty tricks’. I personally doubt this is a reasonable explanation either. The irony of using a Gmail address (iranian.cyber.army@gmail.com) would not be lost on Langley, although signing off with ‘Take Care’ might be a humorous step too far. Flippancy aside, this doesn’t feel right to be the work of a US intelligence agency.

Genuine hacktivism, government action, commercial disruption, a prank? We don’t yet know. My personal opinion is that it was pro-Iranian hackers, if only because it’s the most logical explanation at the moment. But I certainly wouldn’t exclude Iranian government involvement somewhere in the mix. The two do not preclude the other, of course, nor of additional economic factors either. As anyone with an interest in such things will tell you, purely linear explanations are losing their currency.

And what is the significance of the incident? Well, it’s somewhat contingent on establishing the ‘whos’ and ‘whys’, but the ‘how’ illustrates how effective this form of DNS hack can be; there will be more. Twitter will reassess their security procedures (again), conduct an internal enquiry, and roll on regardless. Iran will probably say little, if anything – whoever’s responsible, this serves their propagandist purposes well. Most of us will remain in the dark until the full story is told. And that may never happen.

Since April 2008, I’ve been writing Ubiwar pretty much continuously in its current format. It’s been an intensely valuable and fascinating experience from which I’ve gained more than I had ever hoped. The blog’s become more focused in 2009, which has proved useful in terms of circulation and exposure, but I’ve been feeling for some time that the whole thing is too subject to the law of diminishing returns for it to continue as it is.

I’m not the first ‘academic’ blogger to remark that maintaining a blog is somehow deleterious to one’s core business, although the reasons vary from individual to individual. In my case, it seems to be a case of being spread too thinly, whereas what I need is depth. The self-imposed requirement to be on-time and in-time is largely artificial – things aren’t moving that quickly that they don’t deserve rather more reflection and consideration than I’ve sometimes been willing to give them. I also have larger and more important writing projects against which daily blogging has become a distraction and an irritation.

Quality has suffered also. Too many slip-ups and errors, poorly-worded statements, and the occasional sloppy assertion, none of which I consider excusable, and which I would always hope to avoid. So, from now on there will be far fewer posts on this blog, no daily round-ups, less lazy linkage, and more substance to what I write. That doesn’t mean you won’t be getting the skinny on the issues that matter, just that it’s likely to be much less often.

It’s a little early to tell exactly how this is going to pan out. For a start, if the QC elves nix something, it’s going to have to stay unposted – that might mean zero output for a while. Also, I’ve been blogging almost daily at one site or another for three years, and that’s a hard habit to break. The compulsion to write will have to be channelled in other directions, mainly longer-term and more durable projects that will bring greater dividends than the hand-to-mouth existence that is the sole-authored, low-circulation blog.

I can’t promise better content, of course, but please stick around to see if I can deliver. Cheers.

I’ve got a new op-ed on The Guardian’s Comment is Free platform, Don’t Blame the Internet for Extremism, which takes a brief look at the recent arrest in Pakistan of the ‘Sargodha Five’, and the role of the internet. It’s published with the standfirst, ‘Concerns about YouTube users being recruited by jihadis shouldn’t lead us to treat the internet as a ‘battlespace”, which is a little misleading, as that’s not quite what I was arguing. The piece is essentially a rejoinder to John Arquilla’s recent claim in Foreign Policy that jihadis are getting a ‘free ride’ in cyberspace, and that we should therefore treat all cyberspace as battlespace.

Hidden in there is acceptance that this conceptualisation is applicable in times of war. The trouble is, I don’t think that domestic (counter)terrorism warrants that moniker, nor the increased measures that Arquilla seems to want for government. I also don’t think they would do much good either.

Cyberspace is certainly contested, I agree, but militarising civilian cyberspace (yes, I know that cyber-spaces cannot really be defined in such simplistic terms) is not a particularly useful thing to do. Cyberspace certainly can be viewed as battlespace (and militaries do) but I disagree with Arquilla that his is a progressive approach to countering the use of the internet by extremists. I suspect Aaron might disagree with some of this, judging by his post over the weekend on this issue (the tone of which is mostly very similar to mine, the issue of ‘battlespace’ excepted). OK, so cyberspace may be de facto battlespace for some, but there will justifiable civil pushback if this reconceptualisation is pursued as a matter of policy.

Anyway, the basic point is that the internet is but one of many factors in radicalisation, recruitment, etc. Something you’ll have read here before, no doubt. I remain unconvinced that internet crackdowns, increased surveillance, etc, will do anything to counter violent extremism.

Secretary Napolitano Announces Virtual Job Fair to Expand Cyber Workforce – Department of Homeland Security

Resources for Small Group Superempowerment – John Robb, Global Guerrillas

Information Dominance Summary – Bruce Carleton, USCYBERCOM Watch

Sovereignty and Cyber War – Richard Stiennon, ThreatChaos

Russia and US in Secret Talks to Fight Net Crime – Daniel Nasaw & Bobbie Johnson, The Guardian

Thoughts on Critical Infrastructure Protection – Nart Villeneuve

Digital Dangers in a Wired World – Lim Mi-jin & Kim Jeen-kyung, JoongAng Daily

This has been rumoured for a while:

The United States has begun talks with Russia and a United Nations arms control committee about strengthening Internet security and limiting military use of cyberspace.

American and Russian officials have different interpretations of the talks so far, but the mere fact that the United States is participating represents a significant policy shift after years of rejecting Russia’s overtures. Officials familiar with the talks said the Obama administration realized that more nations were developing cyberweapons and that a new approach was needed to blunt an international arms race.

On Nov. 12, a delegation led by Gen. Vladislav P. Sherstyuk, a deputy secretary of the Russian Security Council and the former leader of the Russian equivalent of the National Security Agency, flew to Washington and met with representatives from the National Security Council, State Department, Department of Defense and the Department of Homeland Security. Officials familiar with these talks said the two sides made progress in bridging divisions that had long separated the countries.

Indeed, two weeks later in Geneva, the United States agreed to discuss cyberwarfare and cybersecurity with representatives of the United Nations committee on disarmament and international security. The United States had previously insisted on addressing those issues in the committee on economic issues.

Read the rest at the New York Times.

Past Russian overtures have often been interpreted as a tacit admission of US cyber superiority, and have been rejected on a number of grounds, not least of which has been a lack of trust in either Russian actions or intentions. The irony is that whilst cybersecurity collaboration in its broadest sense may well benefit both countries, the cyberwar element of these talks, i.e. cyber arms limitation, etc, is almost a non-starter, even if it might sound warm and fluffy. It’s nice to agree not to launch cyberattacks at one another but it won’t stop states (and, more to the point, non-state actors) from developing and testing capabilities. It’s already happening, and a nice treaty to prevent their development, transfer and use is unlikely to change that situation much. Prohibitions on first use are worthless unless backed up by international law and even then might have to be shored up by military action. And who would stand up to the US, China, Russia, should they decide to strike first anyway?

I’m not against the principles outlined, I just wonder at their efficacy. I’d rather spend time and money on improving information and network security than turning cyber into another Cold War showdown.

Update: Jeff makes the point that without improved law enforcement co-operation, the whole thing’s worthless anyway.

How to Lose a Cyberwar – John Arquilla, Foreign Policy

Breaking: Terrorists Use the Internet – Jawa Report

Cybersecurity Metrics Coming For Federal Agencies – J. Nicholas Hoover, InformationWeek

The Exceptionally Tough Politics Of Cyber Power – Marc Ambinder, The Atlantic

Researchers Make Significant Advances in Molecular Computing – University of Kent

Military Use of Consumer Technology – The Economist

U.S.-China Internet Forum Highlights Need to Step Up Online Security – ChinaView

Where I Stand on Digital Activism – Patrick Philippe Meier, iRevolution

I find myself in near-total agreement with Mike Tanji’s piece at ThreatsWatch, Burying Nitze, which examines the futility of applying Cold War strategic and operational models to the modern conflict environment:

The problem of course is that it’s a lot easier to attempt to focus on a narrow set of legacy futures rather than to start to develop new ideas. Whether history repeats or rhymes, there is no rule that says we need to mimic the most recent tune on the radio when there is an epic playlist to consider. Rather than spend countless hours and billions of dollars trying to shoe-horn Vint Cerf thinking into a Paul Nitze world, how about looking around for more appropriate metaphors – or considering something original – for the security problems of the actual physical and digital worlds in which we operate?

I say ‘near-total agreement’ because I’m not sure (yet) that cyber deterrence is purely an ‘academic exercise’. That’s mainly because I still have some thinking of my own to do on the subject, although the following (from an as-yet unpublished essay) serves as my interim summary of the future of cyber deterrence.

For a number of reasons, nuclear deterrence does not easily translate to cyber, although theoretical avenues and practical options should continue to be explored. Whilst cyber deterrence is not dead as such, it may be that it becomes a quiet component of strategic deterrence, or a side-effect of a defensive-offensive strategy in cyberspace. Generally, we are beginning to construct a more comprehensive picture of the cyber threat environment than has previously existed, but must remain mindful of Colin Gray’s assertion that, in security terms, the future is never ‘foreseeable’. As we adapt to cope with this ‘new’ realm of operations we have to adopt flexible and adaptable structures and concepts to address the reality of the threat and its evolving nature. This entails moving beyond nuclear-era thinking; there are indications that cyber strategy is doing so, even if an institutional lag currently exists.

What is clear is that an integrated cyber strategy is necessary that incorporates elements not only of military deterrence, but of law, economics, diplomacy and intelligence, without which there is little hope of dissuading or deterring cyber attacks, whatever their source. Cyber deterrence remains, ultimately, a psychological rather than technological project, and carrots may eventually prove more effective than sticks in effecting positive outcomes in cyberspace.

US Cyber Security is Back On the Agenda – Peter Warren, The Guardian

Scientists Promise an End to Web Attacks – David Neal, V3.co.uk

Cyberattacks Against Critical U.S. Networks Rising at a Faster Rate – Jill R. Aitoro, NextGov

Cyber Security Of Defense Forces In India Is Required – ITvoir.com

1 Billion Mobile Internet Devices Seen By 2013 – Antone Gonsalves, InformationWeek

New Tech in Emergencies and Conflicts: Role of Information and Social Networks – Patrick Philippe Meier

Internet Stats – Trefor Davies

Cybersecurity Task Force Established – InfoSecurity

Oh Canada! Quelling Cybersecurity Threats – James Jay Carafano, Washington Times

Yesterday, the House of Lords continued its enquiry into protecting the EU from large-scale cyberattacks (previous posts here, here and here). The committee heard evidence from Ilias Chantzos, Symantec’s director of government relations for Europe and Asia Pacific, and Jose Nazario, manager of security research, Arbor Networks. No surprises here:

• EU has role as facilitator for trust and co-operation
• keep EU’s touch light
• need more co-operation with existing organisations, e.g. FIRST
• industry up-to-speed generally with security threats but vigilance and improvement necessary
• risk management approach necessary / 100% security impossible
• EU must engage with US, Russia, China, etc.
• ‘cyber war’ “follows diplomatic tensions, does not lead them”
• threats increasing year on year
• military (NATO) response and involvement must be proportional
• very unlikely the internet will ‘collapse’
• consumers need to be educated
• ENISA doing a good job, all things considered [and we'll hear from them next week]

This was very much a session in which the Committee heard a lot of corroboration of previous evidence, and in which they must have thought a consensus is developing about the cybersecurity role of the EU, NATO, etc. I would caution against hearing too many more persons from industry, as they’re inevitably going to counsel an anti-regulatory, anti-interventionist approach. That said, I agree with them on that score.

Video of the hearing available here.

Next meeting: 16 December 2009, evidence from Dr. Udo Helmbrecht, Executive Director, and Jeremy Beale, Head of Stakeholder Relations, European Network and Information Security Agency (ENISA)

Three meetings in January 2010, with report delivery ‘by Easter’, according to committee officials.

Lost Naval USB Stick Triggers Investigation – InfoSecurity

Naval Academy to Add Lesson on Cyberwarfare – Brian Witte, Washington Times

The First Decade: Has the Internet Brought Us Together or Driven Us Apart? – Johann Hari, The Independent

Ruggedised Botnets Pushing Out Even More Spam – John Leyden, The Register

Fox News Embraces Cyber-Terrorism to Subvert the Copenhagen Summit – David Fiderer, Huffington Post

Cyber ‘Czar’ Job Description Needs Redefining – Eric Chabrow, GovInfoSecurity

Kaspersky: Cyber Terrorism a Real Threat – Kirsten Doyle, ITWeb

TV News: CBS to Solve More Crimes With Anthony Zuiker’s Cyber Crimes – Kevin Coll, Fused Film

Will 2010 Bring a Wake-up Call for Cybersecurity? – Rutrell Yasin, Government Computer News

New SRI Study Plans to Explore How Players Behave in Virtual Games – Max Burns, Pixels and Policy

Cybercrime is Crime with Different Tactics: Interview with Bruce Schneier – InfoSecurity

OK, so this is actually a little light on numbers, but interesting nonetheless:

Huang Xueping, spokesman of the Ministry of National Defense of the People’s Republic of China (PRC), categorized the military activities in 2009 into four types. Besides military mutual visits, constant breakthroughs have been made in the Sino-foreign joint military exercises and military trainings, and the escort operation conducted by the naval taskforce of the Chinese People’s Liberation Army (PLA) in the waters off the Somali coast has directly developed military cooperation in the non-traditional security field.

On the occasions of the respective 60th anniversaries of the founding of the PRC, the Navy of the Chinese PLA and the Air Force of the Chinese PLA, a number of international officers were invited to attend the celebrations and the Chinese PLA’s peace-loving, open and ready-for-cooperation image is reinforced.

In the analysts’ opinion, what’s underlying the military activities can be detected: with the increasing transparency of the Chinese military, the Chinese PLA strikes a more open and confident posture to the public across the world and it’s also true the other way around.

For instance, regarding information release, the website of the Ministry of National Defense of the PRC was launched in August this year. The website drew wide attention of the public home and abroad in the very beginning and immediately turned into a hot topic in the coverage of various media. The hits at the website of the Ministry of National Defense of the PRC in a single day exceeded 130 million at the highest and the number of hacker attacks amounted to 2.3 million in the first month of the website’s formal operation. The data about visits as well as attacks to the website manifests how much attention the Chinese military is drawing around the world.

Openness means confidence. According to Zhang Zhaozhong, deputy director of the Teaching and Research Department of Military Logistics, Military Science and Technology and Equipment of the National Defense University, the year of 2009 is a year crucial for the Chinese military to demonstrate its military diplomacy of a big country. On the one hand, Chinese economy still enjoys robust growth despite the financial crisis engulfing the world, China’s overall national strength is beefed up, and China gains more and more recognition of other countries. As an integral part of the overall national diplomacy, the military diplomacy should be suitable for the development of the country. On the other hand, with the notable improvement of the Chinese PLA in its strength and ability, the Chinese military diplomacy embodies more and more confidence.

As expected by Zhang Zhaozhong, the Chinese military diplomacy will continue to feature the posture of military diplomacy of a big country and it is a prevailing trend that China will establish transparent military relationship of mutual trust with other countries.

From eng.mod.gov.cn via defpro.

Why No Cybersecurity Coordinator? Melissa Hathaway Gives Her Take on Why the Post Remains Vacant – Eric Chabrow, GovInfoSecurity

Mind Boggling Cybersecurity Numbers – Eric Chabrow, GovInfoSecurity

RBN Servers Support Tehran’s Propaganda Arm, the IRIB – Jeff Carr, IntelFusion

The Technology of 10,000 Years – Alexander Rose, Long Views

Hacker Scalps NASA-run Websites – John Leyden, The Register

Global CIO: The Top 50 Tech Quotes From 2009 – Bob Evans, Information Week

How Authoritarian States Survive the Internet – Shuvra Mahmud, Wanabehuman

Google Chief: Only Miscreants Worry About Net Privacy – Cade Metz, The Register

Is Russia Behind the Climategate Hackers? – Tony Halpin, Times Online

Romania’s Ambassador to Baku to Present NATO’s Vision on Current Security Model – Cybernitions

The resonance of the 68th anniversary of Pearl Harbor has sparked a series of articles debating the likelihood of a cyber/digital/electronic version of 1941’s Japanese attack on US territory. Mike Tanji has weighed in with a forceful rebuttal of such a speculative event:

There is no such thing as an Electronic Pearl Harbor. On a fundamental level, for something to qualify as an EPH, we would have to have been untouched by offensive action by a belligerent adversary. We would have to ignore the glaring warning indicators, both strategic and tactical, that would lead to the destruction and disruption of so much technical capability that our ability to function as a power of any sort would be dramatically diminished for – in information-age terms – an extended period of time.

Yet every year banks get hacked, the government gets pwned, the digital duct tape holding critical infrastructure together loses its grip . . . and the lights are still on, the nation is still in one piece and there is still a balance in everyone’s accounts. Why? Because in a wartime footing people learn to deal with the damage, the destruction, the interruption and – to coin a phrase – soldier on. Stiff upper lip and all that.

“War” might be too strong a word, but if we are going to draw parallels to conflicts past, we are actually engaged in something more akin to the First Battle of the Marne than we are waiting for Pearl Harbor. Make no mistake: we have been engaged in conflicts in the digital realm for forty-plus years. It has steadily grown against enemies both within and outside of our own institutions, both governmental and private. It’s a war of attrition with aspects of terrorism, insurgency, and plain old criminal motivations. The battles rage daily, but you only really hear about the big ones. Like our most recent shooting war, hundreds of millions may have felt it necessary to engage in a fight, but a tiny fraction of those actually have to bloody themselves. The natural consequence is that everyone else forgets there are people fighting, so headlines that talk of concern over a sneak attack still get press.

War, real war, requires that an adversary do much, much more than turn off the lights or cause tertiary deaths. I don’t think for a second that our status as a world power, or our integrity as a nation, is endangered by a digital attack; unless of course we’re the sort that just rolls over when our nose is bloodied.

That last sentence is the really important one. Now read this:

A worst-case scenario has yet to occur, in part due to the diligence of security agencies and industry. We must ask, though, whether the successful prosecution of a cyber attack―for the sake of argument, aimed at severely degrading the critical national infrastructure of a western state―would constitute an attack of strategic import. It can be assumed that there is strategic intent behind an attack, such as by an adversary state or terrorist group attempting to coerce a state into capitulating to their political demands. On the face of it, their chances of success seem highly unlikely. Would the effects of an attack really force a state with the resources and allies of the US or the UK to submit to the political demands of another party? Whether commentators choose to refer to cyber versions of 9/11, Pearl Harbor, or even Hurricane Katrina, none of their historical namesakes resulted in the US being reduced to the status of supplicant at an international negotiating table; if anything, they resulted in a strengthening of American military and civil resolve.

That’s my own take on this form of false reasoning by historical analogy. The comparisons simply don’t stand up, for reasons that Mike and I approach differently but reach the same conclusion. (The extract is from an essay on cyber deterrence I wrote recently that won a respectable 3rd in the RUSI Trench Gascoigne Essay Prize 2009; it will be available for download shortly.)

There are several unfortunate conclusions to be drawn from indiscriminate use of digital 9/11/Pearl Harbor/Katrina discourse:

1. It is wilfully inaccurate use of historically symbolic events in order to inflate certain aspects of what Mike correctly characterises as a ‘war of attrition’.

2. Those who use it are not sufficiently versed in their own national history.

3. It reduces the US to victim status it does not warrant.

4. It loosens constraints on likely response regimes; this is particularly true of the 9/11 analogy.

5. It is dishonest deployment of metaphor.

6. It is not challenged enough by those with the power to do so.

7. Those who do challenge it can be accused of rejecting the broader American historical narrative.

And so on. It’s essentially a very lazy yet inflammatory use of history for political and commercial ends. I don’t know if there’s any focused work on this particular example of rhetoric but I’d be interested to hear about it if there is.

[cross-posted at Current Intelligence]

Is a ‘Digital Pearl Harbor’ in Our Future? – William Jackson, Government Computer News

Boot The Warrior Off Our Internet – GNU/Linux

Technology and Cyber War – Richard Stiennon, ThreatChaos

The Truth about Xinjiang’s Internet Situation – FarWestChina.com

Reality+ and Tribal Layers – John Robb, Global Guerrillas

The new issue of Bruce Hoffman’s Studies in Conflict and Terrorism carries a retraction:

The abstract of the article by Gabriel Weimann and Katharina von Knop titled “Applying the Notion of Noise to Countering Online-Terrorism,” published in vol. 31, no. 10 (October 2008) of Studies in Conflict and Terrorism, pp. 883–902, used language that was nearly identical to the description found on the back cover of the book by Johnny Ryan, Countering Militant Islamist Radicalization on the Internet: A User Driven Strategy to Recover the Web (Dublin: Institute of European Affairs, 2007). The authors wish to acknowledge this regrettable occurrence and note the original source of this description.

The article abstract went as follows:

The growing presence of modern terrorism on the Internet is at the nexus of two key trends: the democratization of communications driven by user-generated content on the Internet; and the growing awareness of modern terrorists of the potential of the Internet for their purposes. How best can the terrorists’ use and abuse of the Internet be countered? As this article argues, the answer to violent radicalization on the Internet lies not in censorship of the Internet, but in a more sophisticated and complicated strategy, relying on the theoretical notion of “noise” in communication process theory.

Johnny’s book blurb:

Violent radicalisation on the Internet is at the nexus of two key trends: the democratisation of communications driven by user generated content on the Internet; and the democratisation of strategic violence driven by mass-casualty non-state terrorism. How best can Europe capitalise on the first trend to counter the second? This book examines this question using primary materials drawn from web forum conversations, al Qaeda documents, texts of leading Islamist thinkers, opinion polls, policy documents and interviews with technology and security specialists. The answer to violent radicalisation on the Internet lies not in censorship of the Internet, but in the “user driven” Internet revolution.

The identical passages are in bold. What a mistaka to maka. Glad they’ve corrected it.

And while we’re on the subject of users being the key to web counter-strategies, read Jarret Brachman’s post, Making Jihobbyists our New Secret Weapon in Combating Jihobbyism.

I somehow missed this session on 2 December 2009. The committee looking into EU policy on protecting Europe from large-scale cyber-attacks heard from Andrea Servida, Deputy Head of Unit, Directorate General Information Society and Media, European Commission. I’m afraid I haven’t yet had time to watch the session but the AV is here if anyone’s interested.

Today’s papers refer to the committee but their stories seem to be based on last week’s hearing. Very confusing, and it looks like Wedneday’s session was advertised incorrectly, or I’ve just completely failed to fathom the workings of Parliament, which is more likely. Both stories imply there was a Lords hearing today, although the house wasn’t sitting. Beats me.

No Line Between Cyber Crime and Cyber War – Dave DeWalt, The Hill

DHS Completes Draft of Plan on How to Respond to a National Cyberattack – Jill R. Aitoro, NextGov

New Study Calls for Cybersecurity Overhaul in U.S. – Grant Gross, ComputerWorld

How Our Brains Build Social Worlds – New Scientist

YouTube War: Fighting in a World of Cameras in Every Cell Phone and Photoshop on Every Computer – Cori E. Dauber, Strategic Studies Institute

Analysis: Certifications Not a Panacea for Cybersecurity Woes – Daniel Castro, CertCities.com

‘Command Posts of the Future’ Readied for Afghan Surge – Noah Shachtman, Danger Room

Cyber Spies are Costing Us Billions – Jonathan Pearlman, Sydney Morning Herald

A Call to Cyber Arms – Maryann Lawlor, SIGNALscape

Ten Most Damaging Data Breaches of 2009 – Laton McCartney, Information Security Resources

Vice Adm. McCullough Confirmed – Bruce Carleton, USCYBERCOM Watch

[h/t Cybernitions]

Questions in the upper house yesterday from Chris Patten to Security Minister Lord West:

Lord Patten: To ask Her Majesty’s Government whether the Office of Cyber Security will be fully operational by March 2010.

The Parliamentary Under-Secretary of State, Home Office (Lord West of Spithead): The Office of Cyber Security was established in September 2009, and is already working in support of delivering the Cyber Security Strategy. Within the strategy it was felt sensible to plan for an initial operational capability – which included being staffed by approximately 20 people from different departments and agencies – by March 2010. They presently have 12 staff but are not waiting for an arbitrary initial operational capability; they are already making progress in their priority work areas. Other staff will be recruited over the remainder of the financial year.

Lord Patten: To ask Her Majesty’s Government what action they have taken or will take through the European Union to improve its cyber security strategies.

Lord West: The UK has contributed valuable input over many years to the improvement of the elements of Cyber Security, both through ENISA (the European Network and Information Security Agency) and other EU fora. This work takes place under the broad Commission headings of Critical Information Infrastructure Protection and Telecommunications Resilience, as well as the European Programme for Critical Infrastructure Protection (known as EPCIP). Actions include collaborative efforts aimed at increasing European co-operation on policy to enhance cyber security, such as developing European priorities, principles and guidelines on long-term internet resilience and stability, as well as enhancing co-operation with industry.

The first answer reveals that OCS has appointed 12 out of ‘c.20‘ staff, which is new. Additionally, I can confirm from other sources that Graham Wright has definitely been appointed to OCS as Deputy Director as reported here before.

The second answer is evidently based on the work of the HoL enquiry on EU cyber policy (here and here), and corroborates the evidence they’ve heard so far.

[South Korean] Cyber Command to be Launched in January – Jung Sung-Ki, Korea Times

Survey Shows Cyberattacks Are Getting More Disruptive – Jill R. Aitoro, NextGov

Wanted: A Smokey Bear for Cybersecurity – Amber Corrin, FederalComputerWeek

‘Inside Cyber Warfare’ Due Out December 8th, 2009 – Jeff Carr, IntelFusion

(Organisational) Culture and Carnage – Ken Payne, Kings of War

Crooks ‘Too Lazy’ for Cybercrime – Chris Williams, The Register

ISAlliance Delivers Cyber Security Report – Anthony M. Freed, Information Security Resources

Cult of Cyberwar (Continued) – Dick Destiny

Complexity and Contradiction in Infrastructure – Kazys Varnelis

Dark Internet Fundamentals – Oliver Marks, ZDNet

Air Force Cybersecurity Unit Prepares Operations – InfoSecurity

Is Your Angry Tweet a Precursor of Aggressive Behavior? – Evgeny Morozov, Net Effect

Israel Defense Forces to Conquer Facebook – Evgeny Morozov, Net Effect

Naval Space and Naval Warfare Briefing Published – Bruce Carleton, USCYBERCOM Watch

I Was Wrong: There Probably Will Be an Electronic Pearl Harbor – Ira Winkler, CSO Online

Open-Source Warfare – Robert N. Charette, IEEE Spectrum

Northrop Grumman Launches Cybersecurity Research Group – Grant Gross, ComputerWorld

Gunslinger, he say, “the next 24 hours (and more) will certainly be a busy time for the blogosphere and punditry in general.” Very true.

On the other hand, I have nothing to say. I give you:

Update: Christian sums it even better: “So, uh … AfPak, Population-Centric COIN, Al Qaeda, something, something, something.” And he has footage of a Britney Spears experience in a Tajik taxi. With local translation. Watch here.

Former Cyber Exec: Spread Cybersecurity Responsibilities – Jill R. Aitoro, NextGov

Recession Slows Cyber-Warfare Bunkers – Newsmax.com

Open Source as a Model for Business Is Elusive – Ashlee Vance, New York Times

Feds to Sharpen Cybersecurity Job Policies – J. Nicholas Hoover, InformationWeek

Rebooting Britain: Teach Kids to See in Four Dimensions – Marcus du Sautoy, Wired UK

Building Real Security with Virtual Worlds – University of Maryland

How to Vote Anonymously Under Ubiquitous Surveillance – Feng Hao, Light Blue Touchpaper