Don’t Panic. It’s Only the Internet.

International treaties aren't the way to combat cyber sabotage.

The U.S. established a new military brain center in Maryland this year called Cyber Command, the geek soldier's answer to Central Command, where our military hackers work to protect military networks from enemy hackers abroad. Along with this year's "cybersecurity bill" in Congress, the command center belongs to a larger effort to protect the nation from "cyberwar" ... whatever that might mean.

Cyberwar has become one of the "foreign frights of 2010," and not just in the U.S. Some 20 nations have been setting up cyberdefense headquarters to develop new "weapons" and steel their networks against electronic attack. American experts, including former Director of National Intelligence Mike McConnell and the more palatable former government terrorism adviser Richard Clarke, have called up visions of blown gas pipelines and blackened power grids as a result of a hacker assault through our domestic Internet.

There's a broad, hazy difference between American and European philosophy on the cyber threat. Recommendations in Europe — from The Economist, the U.N. and Russia — involve nuclear-style arms treaties to manage the cyber-arms race now under way. These agreements would set rules for international response to cyber-attacks and authorize sanctions against nations that engage in them. But a treaty would be easy to cheat on and tough to enforce; a hacker who can set a logic bomb can also cover his tracks.

Just the same, high-ranking people are sounding the cyberwar alarm and calling for concerted international action.

"A cyberwar would be worse than a tsunami — a catastrophe," warned Hamadoun Touré, a U.N. official who pushed for a global treaty at the World Economic Forum this year. He cited, rather unpersuasively, the Russian attacks on Estonian computer systems in 2007. Estonia fell victim to (perhaps) the first Web-based "war" in history when it displeased Moscow by moving an old Soviet war memorial from the middle of the capital city Tallinn to an outlying graveyard. A mysterious denial-of-service attack disrupted Estonian networks for about three weeks.

No one can quite pin blame on the Kremlin, but the attacks originated in Russia, and it seems clear that Moscow has control over homegrown hacker groups and likes to experiment with online tactics. But it's also clear that "cyberwar," so far, is not worthy of the name. No pipelines have exploded, no trains have derailed, no one has died.

"The risk of an online attack taking down the grid — that's a movie plot," says Ryan Singel, who covers Internet security for Wired News. In a scathing review of Clarke's book Cyberwar, he added, "The Chinese and Russians don't have secret backdoors into the transformer outside your house, and if it blows up, it's more likely a rodent chewing through the casing than a cyberwarrior sitting in an Internet cafe in Shanghai."

Of course, we don't want the power grid or other major infrastructure to be sabotaged, now or in the future. But the best way to prevent such disasters is to keep critical controls well away from the Internet. "The notion that it's unsafe to have the power grid connected to the Internet? That's correct," Singel says. "But you also can't just tell a generator to explode."

Governments know how to separate critical systems from the public Web. No nuclear-armed state has linked its missile-launch systems to anything near a public Internet service provider. The same governments now have to enforce these precautions on private power grids, pipelines and rail systems. Clarke sounds the reasonable warning that American power companies have so far failed to keep a safe distance from the Internet.

But there are hysterical voices on both sides of the Atlantic who want to go beyond infrastructure safeguards to restrict the open Web. Mike McConnell is one. He thinks the Internet needs to be "re-engineered" to make it easier to trace people online. International treaties envisioned by the Russians would call for similar government oversight.

The Economist and the U.N. both argue that the world needs ground rules because the shape of future cyberweapons is so hard to predict. Both want commitments from all governments not to launch attacks or harbor cyberterrorists — commitments that again would need more domestic surveillance and more mutual oversight. The New York Times pointed out last year that such treaties could also provide cover for totalitarian regimes that want to censor their own citizens. The very fact that Russia wants a treaty to prevent the sort of chaos it seems bent on learning to cause should make everyone a little skeptical.

Real protection from electronic apocalypse is much simpler. Governments need to make sure major control systems and backup servers are not connected to the public Web.

That's right. Once upon a time it was all disconnected, and if it's important enough, it still is. The right precautions now will need some government oversight, but at least they won't require endless, impossible, high-tech espionage or treaties to excuse governments for gathering ever more data on their own people.