This is true up to a point. The rules are in place to keep those things from becoming so excessive that they turn into abuse. That said, easy and informal working relationships - within the bounds of law - also positively influence regulated environments by reducing misunderstandings, enhancing willingness to work through issues, assuring that the regulated and regulators start from much more similar conceptual pages, and improving the overall effectiveness and applicability of future regulations. It's an issue with mixed values; coming down on the overly formal and legalistic side of it can be just as damaging as the opposite to the ultimate objective of regulation - safer, fairer, more effective industries.

That article and the sources it references fatally misunderstand both the nature of cybersecurity as a large scale problem space and the paths to improve the situation.

First, cybersecurity is inherently a business management problem - how the business itself operates is what introduces vulnerable systems (whether through purchasing decisions, operating maturity, development, HR, market timing, financial trade-offs, user awareness and responsibility management etc.). Even if the rate at which those vulnerabilities are introduced by the business remains constant, increasingly connected and complex systems assure that the vulnerable space will increase is the overall business - not just the dedicated cybersecurity functions & capabilities are improved. It will become, if it hasn't already, functionally impossible to resource cybersecurity in a way that keeps risk down to limits we find acceptable. In other words, train up all the security people you want and create all the security specific standards you can - unless you standardize and base business environments into predictable patterns, those security efforts will continue to fail.

Second, because of the deeply embedded business nature of the problem (only the symptoms of which are really technical), any external organization that comes in to try and help "fix it" will face substantial challenges - telling an independent organization that it must change the way it makes money fundamentally in order to meet theoretical and apparently-to-non-security-folks abstract risks doesn't go far quickly and involving government in any way assures that the conversation will stay as log jammed as it has been. There has to be a DEEP culture change that involves planning for long term business maturity, and that is almost antithetical to the culture in the U.S.

Third, there ARE organizations and programs that are and have been attempting this. This stuff isn't "new", just the reporting on it is - journalists rarely investigate this stuff beyond what it takes to write a succulent story. (I work for one of those organizations.)

Fourth, for all of the talk about all the "attacks against the grid" as opposed to other attacks, there is almost no information provided of useful analytical value. How much are other sectors looking? What kind of attacks are these? Real? Automated? A function of being on the internet at large? Etc. etc.

Finally, for all you "air gap" people - get with reality. There are no air gaps. Anywhere. Data moves across systems - whether they are connected by technology or not. If you're someone who is seriously attempting to interfere with critical infrastructure operations, you know this, know how to exploit it, and have the time/resources to do so.

It's been awhile since Bruce really has said anything that hadn't already been thought through, discussed, and agreed on by a large part of the industry. Bruce leads from the middle of the pack these days - so who cares if the NSA has compromised him?

The releasing of that many indicators and this information a)Puts Mandiant as a business and as individual employees at risk of retaliation and b)Means that the Chinese will change their tactics away from the indicators that have been released, so Mandiant and their clients will have *less* visibility than they had before. The report was released for the common good, IMO.

Territory control is only a side effect of most wars. Most of the time, territory is gained for resources or to take away resources. There are other resources to take away or gain that are not geographically based - clear threat to financial stability is a simplistic example. That will certainly, through force, have the other side closer to suing for peace.

Air only (or officially air only) wars are a great counter example. You're not really taking territory, but controlling it. Why are you controlling it? To influence the enemy: Deny them freedom to move, to cause casualties, to damage production capability, etc, etc, etc in order to achieve a political objective. All of those are accomplishable almost exclusively in the cyber domain for some set of possible objectives.

Choosing to define something out of existence by using a purist definition defies how things work. More often, domains and tactics are blended together (air, sea, land, space, cyber) to achieve, by force, political objectives. Sabotage is part of war, as is espionage, as is subversion.

If the point was "there are no cyber-only wars", I don't believe it, but it's tenable (as is "there are no air only wars" - there is always ground support and/or ground effect). But that's not what the point of "carrot for those selling the stick" is. Whatever your definition of "war" is, several facts remain:

You can achieve kinetic, financial, and political effect using cyber only means; There is activity by nation states to use force in the cyber domain; Military organizations have already used cyber attacks in kinetic conflicts to help them achieve their aims against other military organizations.

You don't have to call any of these (or the sum of their implied possibilities) "cyberwar", but that doesn't mean the threats, vulnerabilities, or consequences are being hyped up either.

Not believing in cyber war is like not believing in air war, sear war, land war, or space war.

Computers have tangible effects on our culture, our economics, our politics, and our military. We all know this.

Computer systems are broken into regularly, we all know this (go google a list of known data breaches, for example).

"Someone" (for this purpose it doesnt matter who) has used code to manipulate physical controls of industrial equipment (possibly for politics/military reasons). We all can see this (see: Stuxnet)

Cyber attacks have their own logical benefits that don't really need proof, they exist by definition (can be executed, remotely, relatively difficult to attribute, can reach multiple geographically separate locations at once, etc).

So, to deny "cyber warfare" here is a lot like saying "I know the enemy can reach out assets this way, I know they can impact us this way, Ive seen lesser versions of it in action so I know it could work if there was political will....but I havent actually SEEN anyone use ballistic nuclear weapons so the threat must not be there".

(And this is assuming there isnt any evidence for it, which is itself debatable. But if you can prove the likelihood and possibility given the right motivations, the difference in position if there is/isnt evidence of it *currently* going on doesn't amount to much. Defensive and offensive pre-positioning should be the same.)

Sure, but that's not specific to this particular mess. And, as this doc clearly wasn't analysis of the general impact of worms and malware on control systems in general, they didnt need to say it here.

is here: http://www.us-cert.gov/control_systems/pdf/ICSA-10-238-01B%20-%20Stuxnet%20Mitigation.pdf Probably a little more accurate than crappy media reporting.

You can't change the Siemens passwords in this case (and have things keep working).

Actually, you are factually incorrect here. The methodologies youre describing do make it more difficult, but we have plenty of insight into what's been happening - it's just either close hold or not making the news. Just because -you- don't know, don't assume "we" don't know.

I fully expect /. to be blocked by TSA there
Ionno - No one gave a crap that I looked at Slashdot when I worked there. Good job taking a poorly worded bureaucratic ass-covering and attributing Dan Brown levels of +eleventy-billion conspiracy powers to it. And feel free to jump to my website, resume, art site, whatever for a pretty decent counter-example to your a$$-hattery here.

//God, some people, they do need babysitters and soft walls.

Heh. That would be "most of them". There's a reason there're all these bills going before congress about critical infrastructure and cyber security.