Cory Doctorow makes the case.
Related: I think there’s some kind of Golden Rule of INFOSEC PowerPoints that states at least one slide must be devoted to some kind of chart rating threat sources by a nebulous ascending scale of severity. This generally has something like “script kiddies” on the bottom, followed by “hacktivists” and “cyber-criminals” in some order, depending on what happens to be newsworthy on any one day.
Right at the top of the list (or the very right of the chart, depending on the visualisation) is “nation states”, also known as “cyberweapons” and/or “APTs”, depending on the Jargon At the Time.
I don’t like these graphs; I think they’re some of the most invidious FUD in the industry, and they also show, I think, the immaturity of INFOSEC as a discipline.
The wording of the term “cyberwar” is the key. Yes, it’s a buzzword, but it’s a buzzword that describes countries going to war against each other not with tanks and bombs but with malware.
Stuff you’ve seen in the movies doesn’t tell the half of it. Crashing the banking sector or screwing with traffic lights? Please. Try destabilising power plants, causing meltdowns and explosions capable of levelling half a city. That’s the kind of “weapon” we’re talking about. I’ve sat in rooms with INFOSEC engineers who talk about writing the code and watching the fireballs, their eyes glittering like a nuclear physicist from the 1940s.
Cyberwar is coming, and some of the first weapons are already circulating in the wild. (Stuxnet, anyone?)
Any organisation that thinks a few Cisco firewalls and a subscription to Symantec is enough of a counter-defence is fucking kidding itself.
This is what I mean about the discipline being immature. Businesses don’t install anti-aircraft missiles on their buildings; the assumption is that, when the jet fighters come, the national military will do something about it. So should it be in the electronic space.
We’re not there yet. And, sadly, I think the only thing that will get us over the line is all-out war.