Cybersecurity & cyberwar

Cyberwar: Conflating Threats (confusing ourselves, not the enemy)

Summary:  When cyberwar proponents talk about our vulnerability to attacks, they play on our fears by freely mixing things that are obvious and likely – such as malware and online crime, with things that are highly unlikely — such as an entire country being brought to its knees by an electronic attack.  The third in a series about cyberwar by guest author Marcus J. Ranum.

Contents

  1. Introduction
  2. What does this have to do with cyberwar?
  3. Conclusion
  4. About the author, including links to other posts in this series
  5. For more information

(1)  Introduction

We should all be deeply concerned about Afghani insurgents attacking and taking over New York City. Why? Because they have shown that, in parts of Afghanistan, they are capable of engaging in successful offensive operations, and — therefore by extension — are capable of engaging in much larger successful offensive operations.

But that sounds absurd, right? It sounds absurd because it is! What I’ve just demonstrated is one of the basic tropes of the cyberwar proponent: you point out that the enemy is capable of one thing, and argue therefore that they are capable of something unimaginably larger. This tactic works because most of the people who it’s used against are either:

  • in line to make a lot of money helping defend against cyberwar,
  • high tech illiterate,
  • propagandized by “fear sell” to the point where they will support radical action against anything that is presented to them as scary.

We saw this same tactic used with great success during the cold war:

.

  1. the Soviets are capable of making nuclear explosions and hiding how many missiles they have,
  2. therefore we should assume that they have far more missiles than they appear to,
  3. so we should spend a gigantic amount of money trying to fill a {non-existent} “missile gap” between their imaginary and our real capability.

Recently, Joel Brenner wrote an article which is a perfect example of how to bait and switch one basic computer security fact for another, to produce a dramatically enlarged threat of cyberwar: “The Calm Before the Storm“, Joel Brenner, Foreign Policy, 6 September 2011 — “Cyberwar is already happening — and it’s about to get much, much worse. A veteran cyberwarrior explains how America can prepare itself.”

For the purposes of illustration we will refer to Brenner’s article as a framework for understanding the cyberwar “bait and switch” arguments. Brenner’s offering is only the latest spoonful in a mound of nonsense dating back to early 2010, when the “cyberwar industrial complex” first began to trumpet its fears to the media; it’s simply a good, recent example. As with the missile gap in the 1950s, we see officials quoting other officials quoting officials regarding hypotheticals — and, indeed, anything is possible. But, as Rich Rosen used to say back in the USENET days: “Anything is possible, but only a few things actually happen.” (see his Wikipedia entry) As we take a more sober look at cyberwar, ask yourself “what are the geopolitical rationales for a State to do such a thing?”

Brenner begins with the classic set-up for cyberwar bait-and-switch: massive data heists are happening, personal information is leaking out of large companies, cybercriminals are making lots of money, malware is everyplace creating massive bot-nets, and the majority of the internet’s traffic is spam. This is all true, but what is Brenner actually illustrating? He’s telling us that the state of computer security is poor and that cybercrime is a big success.

But we should be thinking how this state of affairs might affect another power’s ability to remote-control our systems. In fact, if you think about it for a few minutes, you’ll realize that cybercriminals and their botnets, etc, are interfering with a hypothetical enemy’s remote-control capability: what if the target is trying to eradicate a spam-sending botnet and ‘accidentally’ blocks a cyberspy’s command/control data channel? Indeed, if there were no cybercriminals, most organizations would be vastly more vulnerable to espionage and state-sponsored attack, because they’d be more likely to blow off security as a concern.

So now that we’re good and scared about the weaknesses everywhere, Brennan drops the scary news: “The U.S. military’s secret network is penetrated.” Oh, and intellectual property is being stolen from corporations and our power grid is dangerously insecure. By throwing down these three scary facts together, Brennan encourages us to “connect the dots” between them. But, in fact, there’s no linkage between those scary facts at all! Indeed, our “secret network” (presumably he means SIPRNet) is penetrated — with at least 300,000 authorized users you’re a fool if you think Bradley Manning is the only data leak. [1][2] There are severe problems (I’ve been complaining about them for decades) but they’re not the result of enemy action — they are the direct consequence of lack of management vision, de-skilling of the federal IT workforce, over-dependence on contractors, and a breakdown in data management resulting in a “kitchen sink” approach to data access control.

What about intellectual property theft? Is that a new problem? Has the internet magnified it? I don’t want to minimize the problem of intellectual property theft, but it’s been a part of doing business since the early industrial age {Eli Whitney made almost nothing on the Cotten Gin} — if you’ve got secrets, you are a fool not to protect them. More to the point, intellectual property theft is a completely collateral problem to cyberwar — and the numbers regarding that threat are impossibly inflated. For example, the FBI likes to quote the damage from intellectual property theft as including media companies’ estimates of losses due to file-sharing. I bet you didn’t know that all those kids stealing music off YouTube are cyberwarriors! [3]

Joking aside, there are very real problems with industrial and technical secrets being disseminated — and it’s mostly happening at the boardroom level, such as when Microsoft gave the government of China source code for Windows in order to overcome protectionist threats, or 3Com established partnerships with Huawei in China to compete with Cisco. It’s farcical to complain about intellectual property theft when virtually every technology that we have in the USA is built elsewhere.  Does anyone imagine that the Chinese don’t know how an iPod works? They’ve built at least 140 million of them!  The global economy has been telling us for years that everything is interconnected; cooperation and competition are joined at the hip.

Now, finally, to the power grid: yes, the power grid has security problems. Back when the smart grids were first being built, my peers and I pointed out that private data links, firewalls, encryption, and good design are important for mission-critical systems, but the cost-cutters won the argument. It’s not that the people who built it were incompetent — though I’d say some of them were — the decision-making process that allowed that to happen was also badly broken.

(2)  What does this have to do with cyberwar?

When cyberwar pundits talk about power-grid weaknesses, it’s in the context that “someone could turn out the lights, there would be panic, people would die”.  But nobody can tie that to a geopolitical agenda that makes a great deal of sense. I suppose that destabilizing the US’ power grid would make sense if you were going to invade and it was 1914 and we didn’t have a massive navy (which, in case nobody noticed, is “off the grid”) and nuclear deterrent (also off the grid), etc. Sure, there’s a danger to our power grid, and it’s most likely going to be some goofy teenager flexing his cybermuscles than an enemy power. Because, right now, there is no enemy power that would usefully exploit such an attack. Non-state actors, such as terrorists, might – but if you want to broaden the discussion to fears of terrorism then I think we need to look at a much broader picture than just cyberspace.

Brenner then goes on to conflate another scary thing into cyberwar: espionage. He describes how:

In one remote attack on the Pentagon’s information systems about 10 years ago, the Chinese hauled away up to 20 terabytes of information. If the information had been on paper, they’d have needed a line of moving vans stretching from the Pentagon to freighters docked 50 miles away in Baltimore harbor just to haul it away. Had they done so, the military district of Washington would’ve become an active theater of operations for the first time since 1865, and the Navy would’ve blockaded the Chesapeake Bay. But the Chinese did it electronically, so who noticed?

Well, obviously someone noticed! But there’s a telling point that Brenner either ignores or was not aware of: 20 terabytes of data did not leave over the internet 10 years ago. Because, with data rates, at that time, it would still be in the process of leaving. No, the data in question was carried out on magnetic media. By an insider. And, in ~2000, a 10Gb hard drive was the norm, so it was probably a box of magnetic tapes or a small pallet-load of hard drives. Just because something is electronic does not automatically make it implausibly more efficient or invisible. What Brenner is probably referring to is the compromise of the Joint Strike Fighter [4] plans, which may have happened between Lockheed and one of the other international partners that was involved in the program. Personally, I suspect it was a deliberate leak – attempting to bankrupt the Chinese economy by getting them to build $156 million-dollar per plane hangar queens.

A great deal of the cyberwar fear boils down to espionage, fear of espionage, and fear that our poorly protected information assets are going to leak out. But throwing “cyber-” onto espionage doesn’t really change the dynamics of strategic spying very much. We should not allow the “cyber-” fear to blind us to the fact that, historically and even today the biggest espionage threats remain insiders: Fuchs, Walker, Ames, Boyce/Lee, Hanssen, etc. I suppose you could add Manning to that list though he was a bit of a piker compared to the cold war-era spies. What we’ve seen thanks to the Joint Strike Fighter leak and Bradley Manning is that the way that classified information is disseminated today is magnifying a problem that was already out of control late in the cold war. Strategic espionage is a serious problem, folks, and when someone is trying to sweep the entire intelligence battlefield under the carpet while they just point at cyber-espionage, you have to conclude they don’t understand the problem, or are trying to manipulate public perceptions.

Economic espionage, on the other hand, is just part of doing business; the fledgling US industrial revolution was largely built on stolen British (Scottish) and French technology. The big “secret” to economic success is to innovate constantly and to keep your innovations secret until you’re ready to dominate your market.

Brenner then segues into the final bait-and-switch of the cyberwar proponents: terrorism. From scaring everyone with the threat of professional espionage operations run by nation-state actors, we are jumped with:

Seized al Qaeda computers contain details of U.S. industrial control systems. In 2003, a group affiliated with the Pakistani terrorist organization Lashkar-e-Taiba — the same gang that engineered the 2008 terrorist assaults in Mumbai — plotted to attack the Australian grid. Other groups conspired to attack the British grid in 2004, 2006, and 2009. Yet the owners and operators of the North American grid continue willy-nilly to expose their control systems to the Internet instead of isolating and hardening it. This is folly of a high order.

If, in 2003, there was a plot to attack smart-grid systems and it’s now 2011 — it certainly has been a long time brewing. Or, as is more likely the case, terrorists thought about launching an attack and decided it was impractical, then did something else. With all of these conspiracies to attack smart-grid systems that Brenner mentions, why are we even alive today? This reminds me of the hype around Y2K — we were all going to die horribly when the lights went out and society collapsed, except that it didn’t. Yes, there are problems with SCADA systems and smart-grid systems and yes, they need to be fixed, but consultants banging the drums of doom and gloom are pretty obvious when they do.

(3)  Conclusion

Let us conclude by dissecting the one part of Brenner’s article that is both scary and accurate:

Companies that wait for the government to “solve” their own security problems do so at their peril. The government is broke and the IT backbone is 85% private, so the government doesn’t control it.

This is true. As a former counterintelligence head for NSA, and an intelligence community insider of long standing, Brenner was one of the people who were part of the government’s efforts to “solve” security problems on our behalf. The reason that we have an intelligence community and agencies like the NSA is because our private sector is not equipped — nor should it be — to engage in counterintelligence against the Chinese or other nation states. It’s not Google’s job to fight off Chinese spies: that’s NSA and CIA’s job.

If what Brenner is saying is that, at his former position, they did not earn their keep, I can only agree with him. We’ve been being treated to a tremendous flood of cyberwar “fear, uncertainty, and doubt” from ex-government officials who were involved in what they claim to be a disaster — only now they want billions more of the taxpayers’ dollars in order to remedy the situation. My experience is that if you give more money to people like that, you don’t get a solution — you get a bigger, fancier, more expensive disaster.

The comment that is accurate is the part about the IT backbone being 85 percent private. During the watch of folks like Brennan we saw an unparalleled shift from in-house IT to operations being outsourced to massive consulting organizations. With security critical data, that makes as much sense as Apple outsourcing assembly of its iPods to Inventec in China, then complaining that its intellectual property is “vulnerable.” Yes, I suppose so, but that’s beside the point, isn’t it?

In my next column, I will write about Stuxnet. Stuxnet is the great game-changer in the cyberwar landscape.  Is it?

Notes

  1. WikiLeaks accused Bradley Manning ‘should never have been sent to Iraq’“, Guardian, 27 May 2011 — “Virtually no computer and intelligence security at Manning’s station in Iraq, Forward Operating Base Hammer”
  2. One Year after Collateral Murder Release, DOD’s Networks Are Still Glaring Security Problem, by emptywheel, Fire Dog Lake, 28 May 2011
  3. FBI Intellectual Property Theft Page
  4. Computer Spies Breach Fighter-Jet Project“, Wall Street Journal, 21 April 2009

(4)  About the author

See the About the Authors page for information about Marcus J. Ranum

Other publications:

The series Cyberwar: a Whole New Quagmire, by Marcus J. Ranum:

  1. The Pentagon Cyberstrategy, 2 September 2011
  2. “Do as I say, not as I do” shall be the whole of the law, 11 September 2011
  3. Conflating Threats, 14 September 2011
  4. About Stuxnet‏, the next generation of warfare?, 29 September 2011
  5. When the Drones Come To Roost, 8 October 2011
  6. About Attribution (identifying your attacker), 21 October 2011

(5)  For more information about cyberwar

  1. “Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats“, James A. Lewis, Center for Strategic and International Studies, December 2002
  2. Meet Your New Commander-in-Geek“, Katherine Mangu-Ward, Reason, 26 May 2010 — “U.S. Cyber Command has no idea why it exists.”  But their fear-mongering PR is first-rate.
  3. China’s Emerging Cyber War Doctrine“, Gurmeet Kanwal, Journal of Defense Studies (Institute for Defense Studies and Analysis), July 2009
  4. They cyber war threat has been grossly exaggerated, NPR, 8 June 2010 — Audio here.
  5. Tehran’s Lost Connection“, Geneive Abdo, Foreign Policy, 10 June 2010 — “Is the Iranian regime’s cyberwar with the United States real, or a paranoid delusion?” — Abdo expects to know if the US waged cyberwar against Iran, ignoring our long history of covert offensive operations.
  6. Reducing Systemic Cybersecurity Risk”, Peter Sommer (London School of Economics) and Ian Brown (Oxford), OECD, 14 January 2011
  7. Cyberwar an exaggerated threat“, UPI, 17 January 2011 — Says Peter Sommer, now of the London School of Economics and author of the Hacker’s Handbook (1985) under the pseudonym Hugo Cornwall.
  8. Cyber war threat exaggerated claims security expert“, BBC, 16 February 2011 — Says Bruce Schneier, chief security officer for British Telecom.
  9. Don’t Believe Scare Stories about Cyber War“, John Horgan, Scientific American, 3 June 2011

.

.

Advertisements

13 replies »

  1. As someone who’s just getting their feet wet in the security community, it strikes me that this state of affairs isn’t helped by the media’s propensity to shout “cyberwarfare!” and “hacker!” indiscriminately. In 99% of cases, the ‘hackers’ in news articles are merely the end users of off-the-shelf malware, and many ‘cyber-attacks’ reported in the news seem to have more in common with sit-ins than warfare (I am, of course, referring to the distributed denial of service attacks performed by cyber-activists such as Lulzsec or Anonymous).

    It seems to me that the risk of cyberwarfare is systematically overestimated due to a number of factors:

    1. Cyberwarfare is a novel threat.
    2. Vulnerability to cyber-attack cannot be easily reduced without expert knowledge.
    3. There is no way to prevent attempted attacks on the system if it ‘faces the net’.
    4. The consequences of a successful attack on our infrastructure may be severe.
    5. Few people possess the expert knowledge requisite to make a balanced assessment.

    The reason that we have an intelligence community and agencies like the NSA is because our private sector is not equipped — nor should it be — to engage in counterintelligence against the Chinese or other nation states. It’s not Google’s job to fight off Chinese spies: that’s NSA and CIA’s job.

    Many companies, particularly smaller ones, do not adequately secure their data against common cybercrime attacks. A lot of websites are still vulnerable to basic SQL injection, and I suspect even larger companies may be vulnerable to sophisticated attacks (see Lockheed-Martin and the RSA debacle).

    How accurate are my perceptions?

    Like

    • I’d say your perceptions are pretty accurate.

      The media’s reaction (conflating hackers/malware/cybercrime with cyberwar) is as if someone tried to blur the safety history of commercial airlines with that of the space shuttle – “OMG! 1 in 1000 crash!” The reason we humans use analogies is to clarify problems by searching for illustrative similarities; the media does not do this – it searches for scary similarities in order to magnify the drama of real life.

      Many small companies do not adequately protect themselves against run-of-the-mill cyber attack and crime. Our overall reaction to that should be “so what?” and, as customers, to make sure that their foolish business decisions don’t hit us in the pocketbook. But in the case of larger organizations, their interest is to conceal their incompetence rather than address it (mostly that’s what’s going on with all the “cyberwar scare” in SCADA and smart grid systems) so when we have a large breach it attracts disproportionate attention. Because even technologically unsophisticated users are able to put 2+2 together and ask questions like “WTF? you connected WHAT to the internet?!”

      Existing security technologies are sufficient to achieve tremendous reliability against tampering. For example, a pair of wire-cutters applied to the internet connection of a smart-grid system will instantly make it much much more secure. :) At the cost of removing alot of the “smart”.

      But that’s the problem. There is no super-duper military-grade firewall that Google should have that would somehow help them. The problem is that the more connected you are, the larger your “attack surface” is and, unless you have your act together, the greater the chance that something will go wrong.

      That’s why the big companies are running scared — they’ve connected everything together into vast networks and then connected those to the internet and now they’re going “waah waah protect us!” But the problem is that they made a big mistake and didn’t really think things through until it was too late. That’s why things like the DoD’s SIPRNet are such a disaster: let’s put 300,000+ users onto a network that assumes that anyone who is an “authorized user” is OK and can access ginormous amounts of information. Sound dumb to you? That’s because it is.

      Remember back in the early cold war days when you got access to a compartmented piece of information based on “need to know” and the size of the population with access to the secret was tightly controlled (and more importantly: enumerated) – that was terribly inconvenient and expensive to track and maintain – but it was the right way to protect information. What’s going on today is that the wrong way to protect information has been attempted, is failing, and the people responsible for those bad decisions are now blaming everyone but themselves. It’d be as if a bunch of mechanical engineers screwed up a design and then sat around trying to blame gravity and friction.

      Like

  2. I’ve also made the conceptual connection between “Cyber foo” and Y2K as blanket excuses for wild IT spending; the big difference, of course, is that the former doesn’t come with the inconvenience of a built-in fixed end date. “Oceania and Eurasia have always been at war”, quoth Orwell.

    The point about the Govt backbone being 85% private-owned is very well made. I think that’s a fact I’ll be remembering. Also, rather than go to the trouble of busting a bunch of (yes, very) vulnerable SCADA systems – which are likely to be difficult to characterise in real-world context by an attacker – I suspect Johnny home-grown Terrorist would view it as being far easier to have a good look at the mains electricity distribution network (conveniently detailed by the Ordnance Survey on their maps) and topple a few choice unguarded pylons – and I haven’t heard of them trying this, either…

    Like

    • The 85% figure was Bennet’s not mine. I suspect it’s more than 85%. Bennet’s article contains several factual errors (which is odd, since this stuff was supposedly his job!) or disputable figures and that’s one of them.

      Don’t get me wrong about the SCADA systems. They utterly suck. The people who built them will eventually hear the flapping wings of a million lawyers coming to perch and wait for their chance to grab a slice of meat. The SCADA system manufacturers did an OK job of covering their butts: the remote controls can have passwords set, they say in the documentation that the stuff should be on isolated networks, etc. The guys who built out the SCADA systems and ignored those recommendations are the guys who are now running around clutching their temples saying “OMG! The Chineeeze!”

      If I were a ‘domestic terrorist’ I’d get a small team together and have them all apply for jobs at backup/data recovery companies, the IRS, and the outsourcer that does the IRS’ networking. Then we’d figure out how to transparently corrupt the backup media, leave that in place for 5 years, scramble the lot, wipe the databases, and hop on airplanes for places without extradition treaties. OK, that’s my scenario. Now, consider: how does outsourcing facilitate such an attack? How are any of the initiatives that the DoD – which is target-fixated on the myth of a foreign power “attack” going to help against that? Best of all, you can collect a decent salary from your target while you penetrate and destroy them…

      The important thing I’m trying to illustrate with that example is how EASY it is to come up with plausible-sounding threat scenarios. Fiction is nice, that way. Sorting out “what is likely to happen” from “all the possible things that could happen” is what security practitioners are supposed to do, and in the best situations we can offer solid advice so that they can prepare to withstand the right threats, rather than thrashing around trying to do everything poorly. That’s one of the reasons I am so upset by the whole cyberwar-fear-uncertainty-doubt sell-a-thon: the advisors who are banging the drums about this threat are often the same people who oversaw the process of putting ourselves at increased risk and NOW they are saying “be afraid, give us more money, be afraid, give us more money.” I don’t trust them and neither should you.

      Like

  3. Summer of lulz: The empire strikes back“, New Scientist, 14 September 2011 — Subscription only. “‘Hacktivists’ have exposed lax security at many of the world’s most powerful organisations. Their actions could change the internet forever.” Excerpt:

    … Hacktivists’ role in internet history could be much bigger than they had ever imagined, and very different too.

    Hacktivism traces its roots back to the late 1990s, when a hacker collective called Electronic Disturbance Theater (EDT) protested against Mexican government policies that it considered oppressive by staging online versions of sit-ins.

    … That culture began to change in 2008, when the Anonymous collective was established. Like EDT, many of Anonymous’s fluid membership see their activities as functionally no different from conventional activism.

    … The satisfaction of exposing the arguably flawed personal security practices of cybersecurity company staff motivated Sabu and five other Anonymous members to form an aggressive splinter cell focused on a new goal. Not long after Lulz Security – more commonly known as LulzSec – had set up its Twitter feed, the group breached the websites of popular culture, video game and media corporations, publicly posting the names, phone numbers, emails and passwords of the sites’ members.

    In short order, LulzSec wreaked havoc on major companies and agencies which had the means to make their websites more robust, if not impregnable: Sony, the US Public Broadcasting Service, The Sun newspaper in the UK and even government agencies like the FBI, the CIA and the UK’s Serious Organised Crime Agency.

    “From a single line of code, we accessed everything,” the group said after one attack. “Why do you put such faith in a company that allows itself to become open to these simple attacks?”

    Through gritted teeth, many security professionals admit that LulzSec had a point. “The state of security is pretty poor,” says Chris Hadnagy, a consultant at cybersecurity firm Offensive Security, whose employees impersonate malicious hackers in order to find vulnerabilities in corporate websites. If Lulzsec could access your information, it meant the information had been available to criminals all along. When it comes to cybersecurity, companies tend to comply as minimally as they can with regulations, he says, begrudgingly admitting that LulzSec and Anonymous are likely to force companies to take responsibility for their customers’ information.

    … But just when it seems that Anonymous’s peculiar brand of tough love is sparking some necessary changes, some worry that there could be unintended consequences.

    … A government’s logical response to a cyber-threat is to make more laws, and that is exactly what’s coming, warns Marcus Rogers. Rogers is a forensic psychologist and digital forensics specialist at Purdue University in West Lafayette, Indiana, and he thinks that we have already hit a point at which the internet’s inherent lack of security has stopped being a boon and could become a fatal roadblock to innovation. As a result, he thinks an increase in regulation is inevitable and necessary. “I’m not a fan of it,” he says. That’s because he thinks such legislation is subject to missteps and overreaching, a danger that can be seen in three recently proposed laws. The proposals range from the benign to the draconian.

    … A third law goes perhaps the furthest to prevent data breaches, but in so doing, would also intrude significantly on the privacy of everyday internet users. Under the US’s ISP Data Retention Bill, which took a crucial step towards becoming law in July, internet service providers (ISPs) would be required to retain every single piece of data about every single move a person has made online for 12 months. Crucially, the law would not require the usual legal hurdles, such as a subpoena, to release your personal information; officials merely need to ask for it.

    Like

    • LulzSec and their attacks provide a great example of the kind of conflation I’m talking about. We can see that a handful of highly skilled motivated attackers can cut through many organizations’ existing security like it’s so much cheese. And, from that, we are expected to extrapolate to their being a gigantic potential threat – “what if LulzSec were 10,000 elite hackers and they set themselves to attacking our economy?”

      Well, yes, “what if” – but that’s not the case. Asking that question (which, I realize, you didn’t) is the same as asking “what if there were 10,000 Timothy McVeighs who coordinated attacks around the US?” Well, obviously, that would be bad, too.

      Perhaps if ‘our’ government continues along its current trajectory toward a police-state, more and more individuals will be motivated to act as LulzSec and, indeed, McVeigh did. I am convinced that that’s the real dialogue playing itself out underneath the “cyberwar” frenzy: they aren’t afraid of the “cyberwar” they are afraid of the “cyberinsurgency”

      While there’s probably a dim level of awareness in the halls of Versailles on The Potomac that China is not going to try a massive “cyberwar” attack against us, they’re realizing that disgusted and irritated citizens may begin an insurgency. All that we’re lacking right now, between Anonymous and LulzSec and Wikileaks is a cogent anti-authoritarian ideology and a justificational moral philosophy. A philosophical Stuxnet, if you will. And I know for a fact that it’s being worked on right now, though I don’t know when/if it will be released.

      Like

  4. Alexander Cites Need for Greater Cyber Defenses“, Armed Forces Press Service, 13 September 2011 — Opening:

    Citing the high rate of intrusions against Defense Department networks, the commander of U.S. Cyber Command today said his biggest concern is the threat of destructive attacks yet to be seen.

    A destructive attack from cyberspace “is coming, in my opinion,” Army Gen. Keith B. Alexander told military, government, industry and academic professionals at a conference here called “Maneuvering in Cyberspace.” “It is a question of time,” he said. “What we don’t know is how far out it is,” and whether it will target commercial infrastructure, government networks or mobile platforms.

    Alexander, who also serves as director of the National Security Agency, recognized both the “tremendous opportunities and tremendous vulnerabilities” created through network-enabled technologies. Just as the United States has been on the leading edge in developing many of these capabilities, Alexander said it also needs to be a leader in defending against cyber threats.

    “We were the country that developed the Internet, the iPhone, the iPad [and] some of these other great technologies,” he said. “We ought to be the first to secure it.”

    Like

  5. The Threat of Cyberwar Has Been Grossly Exaggerated“, Bruce Schneier (author of several books about computer security), 7 July 2010 — Opening (links not shown):

    There’s a power struggle going on in the U.S. government right now. It’s about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top.

    “The United States is fighting a cyberwar today, and we are losing,” said former NSA director — and current cyberwar contractor — Mike McConnell. “Cyber 9/11 has happened over the last ten years, but it happened slowly so we don’t see it,” said former National Cyber Security Division director Amit Yoran. Richard Clarke, whom Yoran replaced, wrote an entire book hyping the threat of cyberwar.

    General Keith Alexander, the current commander of the U.S. Cyber Command, hypes it every chance he gets. This isn’t just rhetoric of a few over-eager government officials and headline writers; the entire national debate on cyberwar is plagued with exaggerations and hyperbole.
    Googling those names and terms — as well as “cyber Pearl Harbor,” “cyber Katrina,” and even “cyber Armageddon” — gives some idea how pervasive these memes are. Prefix “cyber” to something scary, and you end up with something really scary.

    Like

  6. Update: see the following post for an update on this story.

    Foreign hackers targeted U.S. water plant in apparent malicious cyber attack, expert says“, Washington Post, 18 November 2011 — Excerpt:

    Foreign hackers caused a pump at an Illinois water plant to fail last week, according to a preliminary state report. Experts said the cyber-attack, if confirmed, would be the first known to have damaged one of the systems that supply Americans with water, electricity and other essentials of modern life.

    Companies and government agencies that rely on the Internet have for years been routine targets of hackers, but most incidents have resulted from attempts to steal information or interrupt the functioning of Web sites. The incident in Springfield, Ill., would mark a departure because it apparently caused physical destruction.

    Federal officials confirmed that the FBI and the Department of Homeland Security were investigating damage to the water plant but cautioned against concluding that it was necessarily a cyber-attack before all the facts could be learned. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety,” said DHS spokesman Peter Boogaard.

    … News of the incident became public after Joe Weiss, an industry security expert, obtained a report dated Nov. 10 and collected by an Illinois state intelligence center that monitors security threats. The original source of the information was unknown and impossible to immediately verify.

    The report, which Weiss read to The Washington Post, describes how a series of minor glitches with a water pump gradually escalated to the point where the pump motor was being turned on and off frequently. It soon burned out, according to the report.

    The report blamed the damage on the actions of somebody using a computer registered to an Internet address in Russia. “It is believed that hackers had acquired unauthorized access to the software company’s database” and used this information to penetrate the control system for the water pump.

    Experts cautioned that it is difficult to trace the origin of a cyber-attack, and that false addresses often are used to confuse investigations. Yet they also agreed that the incident was a major new development in cyber-security. …

    Like

    • All Wiess has to do is publish the report. \

      Attributing the attack to an “IP address in Russia” is extremely bogus. Anyone who as ever heard of “remote desktop” – a capability that is inherent in Microsoft Windows – ought to understand how easy it is to use another system as a jumpoff point for action.

      Like

    • The “expert” reporting this attack is not a credible source; reports such as he describes are never unattributed – if the report is real he would be able to reference it (e.g.: “a report authored by mumble mumble of the department of so-and-so on january such-and-such”) leaving it open for a FOIA. As long as he’s reporting it so vaguely, it shouldn’t be treated as more than unsubstantiated rumor.

      It’s very unfortunate that even “experts” are engaging in self-promotional fear-mongering. It damages the credibility of the security practitioners and SCADA engineers alike.

      Like

Leave a comment & share your thoughts...

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s