I wrote up the following response to Rob Graham's cyberwar blog post. I'm posting here because it is too large for his comment system:
I think the problem here is that the question of whether or not cyberwar is real is being conflated with the question of what the right response ought to be.
There is no question that the powers that be are overhyping this issue in an attempt to grab power. Our new Secretary of State John Kerry referred to "cyber weapons" as "the modern day, 21st century nuclear weapons equivalent." That's just silly.
I think that a lot of people in the computer security "scene" have responded to that overhyping by swinging the pendulum too far in the other direction. Are they taking that position because there really is no problem, or are they taking that position because they don't like the solutions that men like John Kerry have on offer?
The computer security "scene," such as it is, is incredibly guilty of claiming to be, as Dan Holden says, "holier than thou." A lot of these people are primarily motivated by a desire to feel smarter than the establishment. It's a good feeling, but sometimes it is a self-delusion.
Take Advanced Persistent Threat. It's a real problem and it's very difficult to manage. But you get this constant counterpoint being offered by people in the "scene."
Here you argue that spear phishing isn't an "Advanced" technique. These people are not trying to get a talk accepted at Blackhat. They are trying to break into computer networks. They will use whatever technique is effective, no matter whether or not people in the "scene" think it deserves to be called "Advanced." They have the capability to do things that are very sophisticated. They use that capability when they need to. Often, they don't.
Computer-based espionage is real. It's a hard problem. Comparing it to "basic teenager attacks" comes dangerously close to confirming all the BS marketing out of the vendors at RSA this year. "Just buy my product and it will block all the APTs at your perimeter." If it were easy, those claims would have merit. Just press the "easy" button, problem solved!
Denial of Service attacks are real. Computer-based sabotage of physical infrastructure is real. Yes, it fits into a greater geopolitical context. No, I don't have lots of information about the kind of stuff the NSA has cooked up in the lab, but I can imagine, and I'll bet they've shown John Kerry some pretty wicked software in a classified briefing somewhere.
The question is, what do we do about it?
Overregulation presents a risk of tying people down and preventing them from effectively defending themselves. For example, the original draft of the big cybersecurity bill required people who defend critical infrastructure networks to carry professional certifications with a variety of rigid requirements that have no relationship at all to whether or not someone is knowledgeable and effective at that role. This was a stupid idea being promoted by groups who saw their own personal financial interests in a certification regime.
On the other hand, there are people who run things like power plants who have been ignoring presentations such as your own about the vulnerabilities in their systems for years, under the mindset that pen tests don't count. I want these people to listen to you. I want them to take steps to address the vulnerability of their systems, because you and I both know that there are real risks associated with them.
I face a negative externality associated with their unwillingness to protect their infrastructure. If it fails because they did not protect it adequately, I bear costs. The rebalance of negative externalities is an appropriate use of government regulation. I wish we had a way of doing that without all of the rent seeking and hangers-on, but that is a bigger problem than even cyberwar.
The bottom line is that cyberwar and cyberespionage are real. We need to be talking about the solutions that WE think people should be pursuing, as well as the "solutions" we think will do more harm than good. After all, we're the experts.
Errata Security: Cyberwar: you lack imagination