01.07.11
They do things different in Estonia
I was recently asked what I thought of a “volunteer cyber-army.”
This was in connection with some news that Estonia was instituting one.
All from an National Public Radio story here.
Sez NPR:
In the years since [a] cyberassault, Estonia has distinguished itself once again: Now it is a model for how a country might defend itself during a cyberwar. The responsibility would fall to a force of programmers, computer scientists and software engineers who make up a Cyber Defense League, a volunteer organization that in wartime would function under a unified military command.
Haw. Indeed. It’s the Watchmen.
The nature of computer security, nationally and globally, is distributed.
Consortia of private sector workers, government people and academics administer it. Sometimes there’s collaboration. Sometimes not.
Over the years — in the US and other western nations — government agencies, some working cooperatively, some not so much, have stood up to handle cybersecurity.
In this they have been infrequently joined, often informally in one way or another, by various entities within the computer security industry, although such cooperation has been hit or miss.
All that work is paid for, not volunteer. Although the people involved often do work beyond the call of duty which goes with the very spirit of volunteer-ism.
Frequently the same business looks like herding cats. You can’t change the nature of it. It’s the way people work and goes to the heart, for example, of the differences between hacker culture, the private sector, and government. The milieu’s vary. That’s immutable.
There are many other factors not addressed. Only two are, (1), that the US government doesn’t control domestic or international ISPs. And, (2), that it has, from time to time, specifically developed national cybersecurity strategies with the direct involvement of the private sector computer security industry.
So the idea that Estonia is doing something unique, in this matter, is fairly laughable.
There’s nothing at all wrong with the idea of collaborative security work between experts. It’s certainly not new.
Where one gets into trouble — and how the question was presented to me — was in the idea of employing a presumably patriotic volunteer cyber-army.
You can find any number of stories referencing patriotic Chinese hackers, for instance.
Here in the US the gentle interpretation of such is that they are nuisances.
And the basis for this Estonia story was an alleged volunteer cyberarmy attack on that country — one which has been cited ad nauseum over the years.
So any volunteer cyberarmy, depending upon where you stand internationally — because of the dynamic of general security hackers — can either be a random menace or a good thing.
I put it this way for a public called Security News Daily:
“A volunteer cyber-army is about the worst idea one can think up,” said George Smith, senior fellow with GlobalSecurity.org.
“History shows us that ‘volunteer cyber-warriors’ — garden variety hackers — are always around. A volunteer cyber-army attacked WikiLeaks. Volunteer cyber-armies retaliated against various U.S. businesses … You see the problems. You’re just legitimizing and green-flagging often random cyberspace vandalism and bullying in the hopes that it will work out in your favor. That’s atrocious. And really stupid.”
For NPR, the opinion differed.
The reporter found someone to proselytize the idea, Stewart Baker — a lawyer at Steptoe & Johnson. .
And he’s pretty shallow on the issue, just repeating the same wishful thinking crap we’ve heard for close to two decades about computer security and how the private sector industry and government ought to have tighter collaboration.
Presumably like Estonia’s grand new volunteer cyber-army.
“That’s a very sensible approach, and I only wish we had the same kind of relationship with our [Information Technology] sector that they obviously have with theirs,” he told NPR.
“When top cybersecurity experts are willing if necessary to put themselves under a single paramilitary command, a country’s computer networks can be defended more efficiently,” asserts National Public Radio, with absolutely nothing to back the claim up.
“The [volunteer cyberarmy] unit is but one division of Estonia’s Total Defense League, an all-volunteer paramilitary force dedicated to maintaining the country’s security and preserving its independence,” reported NPR.
And who are the top cyber-security experts? That’s rhetorical.
I added some more insult at the end. It’s at Security News Daily here.
The homeland security business lawyer wishes we were more like Estonia? Ludicrous.
GDP of Estonia: 6 billion USD.
GDP of Rhode Island: 47 billion USD.
Price Intel paid for McAfee Associates: 7.6 billion USD.