June 11, 2006:
The Cyber War battlefield is changing. Since most of the major Cyber War players, especially China, are increasingly dependent on the web, vulnerability has become as important as your ability to carry out attacks. In the race to reduce vulnerability, the United States is moving faster than everyone else. You won't hear about this in the news, because good news isn't news. You will hear announcements about new attacks that are about to take place. What isn't reported is that, in the last year, most of those attacks have turned out to be false alarms, or attacks that were launched, but that fizzled in the face of better defenses. That is also not news. You know, the good news thing again.
In the last five years, corporations, and individuals have responded to the growing threat of web based attacks, by fighting back. Last year, for example, 93 percent of major corporations had problems with computer viruses. Currently, only 75 percent report problems, and the severity of those problems is way down. Spam is, for those who use available defenses, no longer a problem. Spam still comprises most of the email traffic, which is a problem for the Internet as a whole, but that is now a legal, law enforcement and diplomatic problem. Most of the increased protection from web based attacks was accomplished by the use of more and more protective software. But this has revealed the growing threat of another vulnerability: people. Currently, about 70 percent of the time, it's human error, or cooperation, that is the cause of a computer system being compromised.
Moreover, it's well to remember that there's no such thing as a "computer problem." Computers, both hardware and software, are made by people. Any flaws are manmade. Cyber criminals, who are a growing presence on the web, are most successful when they employ a combination of software tools, and "human engineering" to get into systems and do their damage. This approach works less well for military attacks, which depend more on hitting many targets all at once. "Human engineering" also depends on operatives being familiar with the local culture. Thus it's difficult for a lot of Chinese Cyber War operatives to get on the phone to the United States and pull off "human engineering" scams. But that doesn't prevent Chinese, or even North Korean or al Qaeda operatives from gathering useful information ahead of time for a future attack. Thus more emphasis has been placed on building defenses against "human engineering" attacks. That's more difficult than creating new defensive software, as it involves training people. When you are dealing with people, you are dealing with far more unpredictability and unreliability than with software.