So John C Dvorak (I’ll call him John Dvorak because he hates it–John Dvorak John Dvorak John Dvorak) says that cyber warfare, like Y2K, is a bunch of hooey.
I lived through Y2K, and I’m fighting the cyber war. He’s wrong on both counts.
First, the thing he (and everyone else) is conveniently forgetting is that in 1999, industrial systems weren’t running on PCs running Windows. Windows NT, the first version of Windows that was stable enough to even consider such a thing, didn’t appear until 1994, and Windows NT 4.0, which was the first version that had enough driver support that you could actually use it for something, appeared in 1996. Industrial systems ran on Unix, which never had a Y2K problem–it has a Y2038 problem. I fully expect Y2038 to be the last crisis of my career. I won’t be old enough to retire then, but I’ll be one of the few people left in the industry old enough to remember how we dealt with Y2K, which was a good dress rehearsal for Y2038.
Y2K was overblown for precisely that reason–and I was saying that as loudly as I could to anyone who was willing to listen to a guy fresh out of college–but overblown doesn’t mean nonexistant. It just means that people overestimated the impact, and they overestimated the number of non-compliant systems people would fail to find before 1 January 2000. I lost count of the number of systems I examined in 1998 and 1999 looking for potential Y2K problems. Few had problems, but some required some patching. What would have happened if we hadn’t patched those systems, I’ll never know. Management decided it was cheaper to patch and/or replace systems than to find out. Risk management is a big part of IT management.
But in the case of Y2K, it was better to overestimate the impact and overcompensate than to underestimate it and do nothing. I didn’t think anything would happen, but on the evening of December 31, 1999 I still filled up my bathtub, just to be on the safe side. It was a cheap way to ensure I would have a small supply of water on hand if something did happen to the water system. I didn’t hoard batteries and canned goods and guns and gold, though, because I knew the world wasn’t going to end if a few minor glitches did happen, and I knew they’d be corrected relatively quickly.
Which brings us to the topic of cyberwar.
Dvorak is right, that the countries most able to attack us would be stupid to do so. The Chinese government would be stupid to launch a cyberattack on its largest trading partner. Yet I know from my own experience that people with Chinese IP addresses are hacking into systems. In the 2005-2006 timeframe, they were actively hacking into one of my former employers’ systems–I know this from the unfortunate DBA who had to spend all his waking moments fighting them off–and while they were hacking in there, they were also hacking into my then-current employer’s systems. I don’t know if their motivation was practice or something else. It doesn’t really matter. They wanted something to hack, those systems were hackable, and they hacked into them.
Cyber war with China might forever be a cold war, like our standoff with the Soviets that lasted nearly a half-decade. But I know from what I watched seven years ago that if we make it easy for them, it won’t be a cold war.
But nation-states aren’t who we need to concern ourselves with.
When I started my career in the 1990s, malicious hackers were thrill-seekers. They wanted to do something and see what they did make headlines. And it didn’t take a tremendous amount of skill to do something that would get people talking on CNN.
Then, sometime after Loveletter, people figured out that hacking could be immensely profitable. For around a decade or so, the primary motivation of malicious hacking–which I’ll define with a broad brush as being anything from writing viruses to accessing computer systems that aren’t your own–was making money. Usually fraudulently.
Security experts say we’ve cycled again. The primary motivation of malicious hacking today is activism. Banks got hacked because of the mortgage crisis. Sony got hacked because of its policies regarding the Playstation 3. Government agencies got hacked by people who didn’t like the Bush administration. Then when Obama was elected, the same agencies got hacked by people who didn’t like the Obama administration. Or they got hacked by people who just don’t like the United States.
It doesn’t matter who you are–there’s someone who disagrees with you. Twenty years ago, there frequently was nothing they could do about it. Today, everyone has a computer, so you can hack the people who disagree with you. Some people do.
If you think there aren’t Islamic fundamentalists trying to hack into U.S. computer systems just because they have a U.S. IP address, you’re not paying attention. And the nice thing about blowing up computers is that digital warriors can do it without blowing themselves up, so they live to blow up something else. We can try to catch them and we can make systems harder to get into, but it’s an enemy that’s not likely to go away–short of finding an easier way for these guys to get girlfriends.
It’s not a war like World War II, or even Vietnam, which might be why John Dvorak is confused. But the threat isn’t going to go away just because John Dvorak doesn’t understand it.