The Internet Might Kill Us All (steveblank.com)
89 points by revorad on June 22, 2011 | 46 comments



It seems the threat is more subtle, though. China wouldn't bring down America's informational infrastructure because no one wants to exchange nukes. But what if it's a kid from Peru? It's important to remember, within all the promise of technology: The key to the gates of heaven is also the key to the gates of hell.

Think of it. We are blessed with technology that would be indescribable to our forefathers. We have the wherewithal, the know-it-all to feed everybody, clothe everybody, give every human on earth a chance. We know now what we could never have known before – that we now have an option for all humanity to “make it” successfully on this planet in this lifetime. Whether it will be Utopia or Oblivion will be a touch-and-go relay race right up to the final moment.

--Buckminster Fuller, 1980


> China wouldn't bring down America's informational infrastructure because no one wants to exchange nukes.

What if (say) Iran did it, and made it look like China? They don't care if both China and the USA are destroyed, in fact they might see it as getting two enemies to destroy each other.



OFF TOPIC (slightly)!

"...partner Marc Andreessen (the founder of Netscape and author of the first commercial web browser on the Internet)..."

Just to be correct: The founder of Netscape was Jim Clark. He hired Marc as first (or one of the first) employees. Marc did not write Netscape himself. It was the effort of a large team.

Don't distort reality!

Whoever did not read Jim Clark's book about Netscape (Netscape Time): drop what's in your hand, buy it and read. You will have a good time!


This seems like a crazy 180 degree turn in comparison to Steve's previous 2 posts - which talked about the reasons we are in a tech bubble.

This third article starts out by saying "tech companies are expensive again" and then goes and talks in-depth about network and communication based warfare.

Is it me or is this not addressing the topic at all? Very interesting read, but seemingly random when compared to the rest of the series.


Ben's challenge was to name the date of the collapse of the bubble, and suggested that without that, there was no meaning to the phrase that we're in a bubble. Steve gave a large range (5-10 years) and changed the subject.

Ben's point was that if the bubble burst is 10 years out, then right now, the right thing to do was to invest -- that there was still a lot of real growth coming before over-exuberance set in, and I think that Steve is implicitly agreeing with him.


Ben's argument is a bit odd, because you can't predict the end of the bubble.

If you say 10 years, people start pulling out 9.5 years in. But, knowing that, smarter people will pull out 9 years in, hoping to beat out the people pulling out 9.5 years in. Then...well, you get it. Game theory. And that's how bubbles become unraveled.


I think his point is that saying we're in a bubble should mean that the right thing to do now is divest, because you can't precisely pick the date that it will end. It might not be immediate -- you might want to ride the bubble a little -- but you should be basically assuming that at any point, the over-valued companies are going to pop, and look to getting out of them.

If the right move now is to continue to invest -- then that means that the valuations are not bubbly.

So, 10 years to a burst is way too far out to cause you to divest right now, if we are going to have 10 years of growth before then. Even 5 doesn't mean we're in a bubble now, so Steve saying 5-10 years is the same as saying, "we're not in a bubble" (according to what I think Ben means). I think Steve understands that too -- and that's why he changes the subject.


> Logic bombs planted on those systems will delete all the backups once they’re brought on-line. All of it gone. Forever.

Almost had me convinced until this line.


Does any company rely on the internet to run a national power grid or other non-internet utilities? If they do, they're idiots. Use packet based control systems, but not the internet. There are some idiots, like life support systems using Amazon cloud.

If facebook and twitter break, it won't bring down banks, governments or corps, it'll just bring down facebook inc. and twitter inc. This is y2k level hysteria.


Even if everything Steve speculates actually happens (and that is HUGE if) it will be very, very, very inconvenient, super inconvenient. But nope, nothing nearly as bad as a real war.

Imagine all your electronic savings gone... that leaves you with all your skills, health, your physical assets, whatever IOU you and everyone else can agree on the day after all banks' information is wiped.... all hugely stressful and super inconvenient, but nothing like getting shot or bombed and killed.


I agree that it's a huge IF, but the repercussions are much worse than "inconvenience." You have to follow the scenario a few steps further to figure out the full magnitude of things. "Civilization" is, in a sense, a massive and highly complex life-support system. You don't really need it to live in a small town, but the populace of a city or even a large town can't survive without it. There's a saying, "Any city is only three days away from a riot." Without a massive and sophisticated logistical system constantly bringing new supplies in and waste out, food and other critical supplies will run out very quickly, and then things get ugly fast.

After the financial system is zeroized, how do you get paid? The company you work for has no money with which to pay you. They have no way to make money, because none of their customers have money to pay them with. If you're not getting paid, what's your incentive to show up to work? Everybody would be in that conundrum, so commerce would grind to a halt and cities would start to starve. The government would order law enforcement and the military to keep working even without pay, and they could probably force workers in key industries like power companies to keep going to work, but they couldn't do that for everyone. Even if you had cash to buy groceries with, the grocery store probably wouldn't have groceries to sell to you because they would have no money with which to buy them.

The government could magically set account balances, putting money into everyone's pocket based on some sort of guesstimate, but that wouldn't really work, either. Fiat money is based on trust: the assumption that if you accept a dollar in exchange for goods, you will be able to turn around and exchange that dollar for a comparable quantity of other goods. If the financial system is zeroized, that trust is broken. People would rather have tangible assets instead of money of dubious origin that has demonstrated the capacity to literally vanish overnight. Hoarding and hyper-inflation would ensue.

The punchline of all of this is that millions of people would starve to death in the cities within a matter of weeks. Millions more would pour out into the countryside, looting and pillaging. Law and order would break down completely in all but the most remote places. Remote places would probably degrade much more gracefully to lower levels of technology, and bounce back quickly as well after the dust settled, but the cities and suburbs would literally be wiped out. An event like this would probably result in a death toll comparable to a widespread nuclear strike, and would equally destroy the nation as a functioning political and social entity.


> Millions more would pour out into the countryside, looting and pillaging.

While we're on the subject of apocalyptic scenarios, it's important to remember that there is an abundance of guns in the countryside, so any of us "city folk" hoping to loot some tasty country cooking are in for a different sort of treat.

> An event like this would probably result in a death toll comparable to a widespread nuclear strike, and would equally destroy the nation as a functioning political and social entity.

I'd like to think that a new system of logistics would evolve very quickly after a total financial disaster, so long as the food supplies didn't get so low that people's low blood sugar diminishes their ability to control their anger.


>While we're on the subject of apocalyptic scenarios, it's important to remember that there is an abundance of guns in the countryside, so any of us "city folk" hoping to loot some tasty country cooking are in for a different sort of treat.

While the ratio of guns/people is much higher in the countryside, the absolute number of guns in a big city is orders of magnitude higher than the absolute number of guns in any rural county. Even if there were no guns in the city, a mob of desperate people will charge a smaller number of better-armed people if starvation is the only other alternative. Also, rural populations are, by definition, spread out, making it easy for large mobs of looters to pick them off one homestead at a time. Those well-armed country folk aren't going to fare so well unless they are really far from the nearest big city.

>I'd like to think that a new system of logistics would evolve very quickly after a total financial disaster, so long as the food supplies didn't get so low that people's low blood sugar diminishes their ability to control their anger.

I'd like to think so, too. In areas with lower population density, it will probably work out that way, in large measure because it is possible in a small enough community to know almost everyone, making trust and barter a lot easier. In cities, where trade relies on cash because there are too many strangers, and where the logistical system is much more complex, I don't think it's likely for a viable alternative to evolve quickly enough to prevent mass starvation and the accompanying violence.


> Imagine all your electronic savings gone...

On its own this would not bring down civilisation.

Now imagine your electronic savings gone, the supermarkets' delivery computers gone (so they don't know what food to send where), the oil refineries gone (so fuel has run out), the power stations down, and above everything else, the communications net down so people can't co-ordinate to get everything up and running.


> the supermarkets' delivery computers gone (so they don't know what food to send where)

Oh no, they'd have to use the phone and/or maybe messenger pigeons, or just guess - roughly that much food. How did all of this work in the early 1900s and earlier - magic? We couldn't possibly fall back to that, could we!

> the oil refineries gone

All of them? They all had centrifuges or what not, connected to the Internet, and all of them were destroyed by a stuxnet style of attack, all at the same time?

> the power stations down

All of them too? Really? How likely is all of this to happen at the same time, in such a totality?

NY lost power for 48 hours in the middle of summer not that long ago, almost all of the North East did - no riots.

If all of what you describe happens, we might see a lot of food riots. But I don't think millions would die, people would feverishly work to bring the power plants and refineries back up.

But ALL of what you describe happening at the same time is an extremely unlikely scenario, and I mean extremely unlikely.

> the communications net down so people can't co-ordinate to get everything up and running.

Short wave radio too? Really? Absolutely no way to communicate, let me throw some ideas out - Morse code and mirrors?


This is why we have bitcoins. Decentralized money makes us safe. Let's go trading on MtGox


> In the 21st century, authoritarian governments still fear their own people talking to each other and asking questions.

I loved this quote. Would "irony" define this construct or is there a more specific term that would apply here?


The word 'irony' is very much overused. No, it would not apply here. Nor would tragedy, although I'd like to use that one here.

I'd suggest the word pathetic. Although a bit extreme, I do find our progress to be pathetic at times. We are still barbarians.


Meanwhile, folks still get arrested for videoing police in the US.


[My comment on the blog post follows.]

Great post.

Dug is absolutely right in saying that our present difficulties in computer security lie not with brute-force flooding of pipes (i.e., DDoS), but rather with targeted, strategic attacks on smaller subsets of systems (think Stux).

However, I would disagree with the statement “users are the new target”. Indeed, it is far easier to gain access to resources by attacking the users who control those resources. But I think it is far more damaging (and therefore lucrative to the adversaries) to attack infrastructure systems on a wide scale. People may be the initial entry point of the attack, but I still think the greater target is the technology behind our infrastructure. Steve, you have addressed the very important point that much of our infrastructure (economic, transportation, military, …) is based on solid systems operating securely and reliably. Let us call these critical systems. These are the ones that are vulnerable to crippling cyberattacks.

I posit that our infrastructure should not be based on these systems at all.

Any critical system should have no connection to the Internet. In fact, it should have no concept of the Internet. One might go so far as to say that any critical system should have no I/O with the rest of the world. (Recall that Stuxnet was thought to be propagated initially by USB.) This would help ensure that infrastructure-crippling cyberattacks do not propagate. Though preventing a system from communicating with the outside world will drastically reduce its value in controlling our infrastructure. This is the unfortunate nature of the security-versus-usability problem.

How do we secure ourselves? Let us hope that we will simply enjoy a “new spring”.


It's an argument for internet-offline utilities. Didn't Stuxnet prove that's not good enough? Windows outside, linux controlling computer, and custom (Siemens, etc) utility machine controllers, all unable to talk to each other, including USBs - then we might be safe.


The Internet is used to control the military's: "logistics to command and control systems, weapons systems and targeting systems"

I know Steve read all the top secret manuals when he worked for a military contractor, but is this true? Specifically the part about weapons systems? Doesn't the military have a proprietary satellite communication system for that stuff?


Probably. I think part of his point is that these days it's very hard to have networks completely isolated from the internet. If there is only one host connected to both the internet (or a network that connects to it) and that proprietary network, it can act as gateway when compromised and unleash mayhem.


Didn't they make a movie about this starring Bruce Willis?


The difference is that in the movie, it is a single bad guy (well, a small team of bad guys anyway). The story is different when it is a country orchestrating the attacks. Do we launch nukes in retaliation? Do they follow up their cyber attack with a nuclear attack? Or even just a coup? I'm a lot less worried about losing all my money to some crook than I am to the US being overthrown (even if the government is just full of crooks).


> I'm a lot less worried about losing all my money to some crook than I am to the US being overthrown

I'm a lot more worried about the US overreacting to a cyber attack, or reacting to a forged country of origin. That seems much more likely than overthrow of the government. The day the US government said that cyberattacks could be considered an act of war, I'm sure there were numerous smaller countries and non-state actors scheming ways to make it look like Russia and/or China wiped out the US financial, government, military, and SCADA computer systems, triggering a physical war. It's kind of like the supposed automated USSR doomsday retaliation scenario, except anyone can pull the trigger.



Down votes for referencing a movie?? My point was, if even Hollywood has already covered this then it is a long long way from a new idea and not exactly 'news'...


RE "The Internet Might Kill Us All"

Good read, good points, reasonable possibilities... but a bit hyperbolic.

Looking on the bright side...

Scenarios depicted could end in massive death and destruction...

But wouldn't kill us all.

Not much consolation, but at least leaves some hope for a later and better iteration...

Though it might take another few thousand years to get back to facing the problem again.


The killing comes from the disruption of the food supply that occurs when Internet logistics fail.

However, I'm more worried about an EMP attack than a devastating Internet attack. A couple of well-placed EMPs could take the US back to the Victorian period very quickly. One Second After is a great read on the subject.


> The killing comes from the disruption of the food supply that occurs when Internet logistics fail.

Really? You can't imagine that people would fall back on their word and paper? And that after a huge shock we would shake it off and get back to work?

Imagine a trucker. All the "logistics" went poof on Monday, it's Wednesday. Imagine the trucker decided to drive anyway, stops at a gas station he frequents a lot, him and the manager agree on a handshake and he fills up, and truck on. Makes his delivery, the local store clerks are still working despite not knowing how or if they'd get paid and for how many hours. Imagine that despite the huge confusion and uncertainty and everything taking 100 times longer, life still goes on. Can you imagine that?

Or alternatively, OMG the internet's down, everybody starve to death!


Or perhaps the trucker, the gas station attendant, or both get nabbed by crazed mobs of people wanting to loot the contents of the truck and the gas station. Watch some videos of, say, the LA Riots. Here's a video of truck driver Reginald Denny getting beat by a mob. http://www.youtube.com/watch?v=Wc_SgpyJWRY During the LA Riots there was a lot less reason for people to loot and go crazy than there would be in a food and money disruption situation. I admire your confidence in believing in the best in people, but personally I'm skeptical about that.


You do know the LA riots were not caused by lack of internet service, right?

Rodney King was beaten by LAPD officers and it was videotaped and the officers were acquitted.

http://en.wikipedia.org/wiki/Rodney_King

If anything, riots would be caused by people reading and understanding this article:

http://www.rollingstone.com/politics/news/the-real-housewive...


Let the cloning of Mark Russinovich begin in earnest!


You know, we have every indication a lot of companies and individuals are vulnerable, but the NSA seems to be pretty on top of things, and the closest thing to a sensitive gov't organization being compromised that I remember recently is the defacing of the CIA website- and heavens, that's just a plain old website.


> Logic bombs planted on those systems will delete all the backups once they’re brought on-line. All of it gone. Forever.

I am wondering how this is going to work, considering most financial institutions have cold-standby back up systems, often off-site or in another country and you cannot just overwrite backups like that.

This sounds way too much like SciFi FUD bla-bla and anyone using "logic bomb" as an argument is automatically suspicious. One of the beauties of the digital world is that given sufficient precautions, you can wipe all financial data as often as you like, you can always get it back from backups and those messages don't just exist at one point-of-failure but at a lot of nodes, very likely around the world. Data that took a whole department years to gather can be erased, transferred and made available again in a matter of seconds.

Banks have existed LONG before the interwebs and have only started to use network infrastructure during the last maybe 20 or so years - and though very limited, they would still be able to function without it by simply switching back to pen and paper like they did 40 years ago.

Contrast this to blowing up major infrastructure nodes like bridges, airports etc. which literally took years to build.

> At the same time, all cloud-based assets, all companies applications and customer data will be attacked and deleted. All of it gone. Forever.

It will be a grievous day... without petabytes of porn readily accessible at the click of my mouse, without news on LuLzSec and without the ground-noise of twitter and facebook updates about pets, lunch or bowel movements but I daresay I will survive that, thank you very much.

And companies storing that kind of critical information only in "the cloud"? They deserve to be gone. Forever.


Imagine applying STUXNET style cracking to this -- they would not explode "logic bombs" immediately. Instead you might have months or years of penetration into the live systems, the backups, the recovery systems, etc.

Maybe they figure out a way to affect the paper systems too -- FAX machine infiltration, etc.

He's positing professional warfare and extreme secrecy of results -- not the lulz style hacks.


Furthermore, a determined adversary with a well-funded and well-prepared attack wouldn't just attack the financial services industry, they'd attack other key industries.

So for example, there are 9 major oil refineries in the UK. If they could all be put out of action with Stuxnet-style attacks (or maybe with precision cruise missiles), then 2 weeks later the UK runs out of fuel and supermarkets run out of food.

Or consider an attack on the internet infrastructure itself. Since we're envisaging an attack in the future, when TV, radio and telephones are just services that run on the internet, bringing down the net will destroy communications. And the end-points -- computers in homes and offices -- will themselves be down.

Societies are only going to get more dependent on computers, and computers are only going to get more complicated (making logic bombs harder to find). The damage that a cyberspace attack could do, and the ease of pulling it off, will therefore both only increase.


One more thing about this... you can use about the same kind of explosives on buildings and bridges just varying amounts and methods of application.

Whereas screwing over the whole banking system of north USA like that requires the kind of cracking you described but against maybe a few hundred different targets, likely all running different systems and posing different challenges - not un-do-able - but ultimately to not that great avail. So you have a lot of effort actually pulling the attack off to even make a dent and then it is probably going to be not much more than a scary headline in the newspaper.

Banks and governments are not the internet or in the internet. They are offering their services ALSO over the internet but not exclusively. And the really important backups need to be kept for years and years, off site. I doubt it is as easy and efficient to launch "cyber war" on the USA and then just "cyber nuke them back to the stone age" which is something this article subtly suggests.

Also, how many power plants, reactors, flood gates and traffic systems are controllable over the internet like that? At least here in Europe I have honestly no idea but strongly doubt they work like that.


Of course, you could equally well just sow doubt with a few precise surgical strikes. If random customers lose all their money often enough, the rest of the customers will withdraw theirs to have it in physical assets.

Which is enough to cause tremendous damage. And a way more likely scenario.


My point was: you cannot simply just like that lose money without any trace of what happened... it's not like you can just "DELETE FROM accounts" and it is totally untraceably gone.

I would trust more in the people who design our SWIFT and other transaction systems.


I wouldn't. After seeing such tremendous security acumen from CitiGroup, I wonder how you can blindly trust.

But the larger point is, even if you can mostly undo the damage, you have a much harder time restoring trust. The money doesn't need to be lost. If you create enough of a panic to trigger a run on banks, you've achieved your goal, too.


I mostly agree with your points, but "They are offering their services ALSO over the internet but not exclusively." is irrelevant. The attacks being discussed are not about the public-facing services but about their internal internet usage for interbank transactions and linking branches of the same bank.


> All of it gone. Forever.

Boy, he sure does like that phrase!

You're right. These attacks can only be destructive if there are relatively few points of failure. I think our financial institutions can learn a lot from distributed systems like Bitcoin. I don't have a clue how it would work, but I can envision a distributed bank opening up one day, where all transactions and balances were distributed so that it would be impossible to destroy all that data, or any of it with enough redundancy.


Steve Blank is the ultimate tech orator, telling the story from all angles no matter the topic. If you read the book Super Sad True Love Story it does not discuss a hacker war, but it does discuss a world where nothing is accomplished offline. I don't see any country building a security infrastructure that can protect its citizens from such attacks.



