tag:blogger.com,1999:blog-4088979.post5615763746437253597..comments2023-10-16T06:06:25.012-04:00Comments on TaoSecurity Blog: Thoughts on "Cyber Weapons"Richard Bejtlichhttp://www.blogger.com/profile/13512184196416665417noreply@blogger.comBlogger3125tag:blogger.com,1999:blog-4088979.post-35099048855699436522010-10-13T01:55:29.771-04:002010-10-13T01:55:29.771-04:00The problem here is that you can't always draw...The problem here is that you can't always draw pretty lines around ideas that are borrowed from other things.<br /><br />The people on Spanair flight 5022 might have called simple malware a deliberate attack intended on killing people, because it certainly was part of the problem. It didn't have to be a 0-day or developed by a leet hacker to any degree to kill people.<br /><br />I think you should stick to “tool.” A classic example of a weapon can carry out very devastating things all by itself, requiring no medium, except for the person using it. In cyberspace, you need tools to support other tools, where the Internet medium or a physical, digital medium is required.<br /><br />If you HAVE to use the ideology of a weapon in cyberspace, limit it to software that directly inflicts physical damage. I hate it when people take concepts like “war” and “weapons” and apply them to cyber-something. Why do you need to use “cyber weapon” in any context that “offensive cyber tool” wouldn’t be good enough (while being more specific)?<br /><br />As soon as you begin to accept ideas like “cyber war” you will then accept ideas like “cyber weapons” because guns are used in warfare. It’s a slippery slope issue. The notion of a projectile breaking human flesh has no carry over to cyberspace. Seeing a handgun on a presentation about software is disgusting and offensive if not plain delusional. It is not the same.<br /><br />Additionally, I do not agree with the notion that a “cyber weapon” degrades quickly. Take, for instance, class 2 information warfare-- if a company wanted to modify or inject seemingly genuine information to control specific decision making processes in a rival company, it follows suit with your other points. And the fact that it could go undetected for such a long time makes it a non-diminishing—possibly even value-improving—offensive cyber tool.Chr1shttp://yawnbox.netnoreply@blogger.comtag:blogger.com,1999:blog-4088979.post-5342501775138389492010-09-24T07:40:22.348-04:002010-09-24T07:40:22.348-04:00I agree with Richard that people must differentiat...I agree with Richard that people must differentiate between tools and cyber weapons. However, my real concern is the sophistication with which cybercriminals can act and destroy an important installation of a nation state. Moreover, in case the attacks are state sponsored, the ramifications can be catastrophic as the affected country is likely to retaliate. Governments and organizations need to be alert and strengthen their defenses against cyber-attacks. We need more cyber warriors such as those trained in certifications such as <a href="http://www.eccouncil.org" rel="nofollow">ceh</a> to deal with the challenges of cybercrime and cyber war.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-4088979.post-77139869681159364922010-09-22T11:16:08.297-04:002010-09-22T11:16:08.297-04:00Richard,
I think you have made a really great argu...Richard,<br />I think you have made a really great argument for the need to differentiate between security tools and actual cyber weaponry.<br />I recently jumped ship on my career as a web/graphic designer so I could pursue my aspirations of working in info sec. I am a student at DeVry University and in one of my classes we recently had a debate over the public availability of tools and frameworks such as Metasploit.<br /><br />In addition I just recently landed my first position in the IT workforce as a help-desk associate and trainer for a law firm here in Austin, TX. While much of my day is not in any way focused on the security side of our business, my manager recognizes my passion for developing myself in this arena and has had me following the recent Adobe 0-Day and Stuxnet worms.<br /><br />I read this morning on Bruce Schneier's blog that Stuxnet is thought to "be the work of state-backed professionals" and it's my opinion that as more of these attacks come into the public's eye, the greater the responsibility there is to educate people on the difference between security tools and cyber weapons.<br /><br />Many people seem to be under the impression that the threat lay with mis-intentioned "hackers" disturbing the peace for educational, mischievous, criminal motives, yet I think that people need to realize that as more and more of our information and infrastrucure becomes digital, the true threat is from governments.<br /><br />I'm worried too that as Stuxnet and other similar threats become popular in the media that the "ban the guns" thought process will run rampant and it will become more difficult, especially for beginners such as myself, to educate ourselves and learn how to be successful information security professionals. <br /><br />It's impossible to learn how to drive a car only by reading the manual.TOOTALLhttps://www.blogger.com/profile/06525404864840165911noreply@blogger.com