BP has had another agonizing failure as it tries to stop the massive oil leak deep under the Gulf of Mexico. The President, meanwhile, is taking heat for the disaster and his apparent paralysis in the face of crisis. The consequences of the spill are devastating, and compensation is well beyond the resources of BP, even if the whole company is seized. The crisis deserves to be the proper focus for every resource the President can bring to bear. The problem is that, while he’s got resources, none of them really know enough about BP’s business to do anything useful.
So all the President can really offer BP is cheerleading, coffee, and veiled threats of indictment.
If that sounds like schadenfreude, that’s not my intent. Rather, the BP crisis is giving me a sense of what cyberwar will be like. If it happens, and I think that’s likely, it will be pretty ugly. As I say in Skating on Stilts,
“It’s not just that you could lose your life savings. Your country could lose its next war. And not just the way we’re used to losing – where we get tired of being unpopular in some third-world country and go home. I mean losing losing: Attacked at home and forced to give up cherished principles or loyal allies to save ourselves.”
Hostile nations are probably already seeding our privately owned infrastructure with logic bombs and malware designed to shut down critical services — power, telecom, Internet, banks, water and sewage. Each private company has a private, and unique, network design. Each private company has a private, and unique, set of defenses and recovery plans.
So when an attack occurs, if it’s successful, some of those defenses will fail. Some citizens will spend days, weeks, maybe months, without power or phones or water or access to their bank. We’ll be at war, under attack, hurting. We’ll look to the Commander in Chief.
And he’ll look pretty much the way President Obama does today.
Helpless.
He won’t be able to send troops to protect, say, Verizon’s network. His troops mostly don’t have the skills, and if they do have the skills, they don’t know the network. Even if a company has screwed up badly, failing to adopt basic backup and malware protections, he’ll have to defer to the idiots who got us into the mess until they find a way to get us out.
Of course, by the time they do, the war may be more or less over.
So, if we expect a replay of the BP experience in the event of cyberwar, can we learn something from the current experience? Maybe. Here are a few ideas that occur to me. First, it’s often the case that private companies can quite confidently get us into trouble that they then can’t fix; when that’s true, we ought to be very dubious about their confident assertions that regulation is excessive or unneeded.
Second, the government needs to be much more involved in understanding the problems that companies may face in the event of a surprising crisis — as well as the solutions. Maybe that means insisting on seeing their crisis response plans — and evaluating and testing them. Or having a corps of private, public, or half-of-each (think Marine Corps Reserve) experts who actually can supplement company resources capably in a crisis.
Finally, perhaps we should be developing well-protected, cyberstupid government networks that can be used for critical private functions in a crisis.
As the BP tragedy plays out, I hope we’ll learn more. Americans will forgive the President for being surprised and helpless this time, I think. But not the next time.
Or we could say what the hell, trust the industry reps, and keep going pretty much the way we’re going now.
Then, all we’ll need when war comes is a warehouse full of pom-poms and coffee beans.
(The lawyers, at least, we don’t need to stockpile.)
Ken Mitchell says:
Jerry Pournelle has had some thoughts on what we ought to have done – 30 years ago – in preparation for the inevitable oil drilling rig disaster. We’ve been lucky for a long time, but “luck” has a way of running out.
Perhaps we ought to get a few modern SF authors to propose some things that ought to be done in preparation for the next cyber-war – which will almost certainly be launched by the Chinese.
May 29, 2010, 9:45 pm
Gene Hoffman says:
Stewart,
The first major attack you speak of was already launched after Christmas last year. All of those “brain dead” private companies actually did quite well repelling it. China has less Google thanks to it.
There is a role of co-ordination and communication to tie the private security teams together in a way they can trust. Other than that, government is not the solution to cyber war. We’re back to the militia – just this time the weapon looks like:
[root@router01 /etc]#
-Gene
May 29, 2010, 9:47 pm
Sally says:
What a frightening post. Not the thought of cyber-war but the solution proposed. The government should get more intimately involved in private company’s crisis planning? That might work if there were anyone in government who actually had a clue about anything but of course they don’t. We’re talking bureaucrats here, mostly people really good at pushing paper and putting in the time towards their cushy government pensions. There isn’t a lot of creativity or ingenuity in government. Those kind of people go into private enterprise.
Maybe the real solution lies in MAD, mutually assured destruction, that is. Let’s hope that all those brilliant minds in government have our own secret cyber warfare plan ready to deploy in targeting the enemy who plans to attack us this way.
I might also point out that from everything I’ve read the government WAS involved in BP’s business from the standpoint of certain regulatory requirements, etc., that might have made a difference here if the bureaucrats had been just a tad more competent.
May 29, 2010, 10:08 pm
Mac says:
Not to worry. If it happens, it will be “All Bush’s Fault” as now and as since January 09.
May 29, 2010, 10:09 pm
ll says:
“All Bush’s Fault” as now and as since January 09.
Since January 2001
May 29, 2010, 10:14 pm
AnonSecurityExpert says:
I can’t believe I find myself agreeing with Stewart Baker, but… whaddya know, I think he has a good point.
That said, I don’t see an urgent need to regulate or oversee private industry crisis response across the board. I would start with one narrow industry area: the electrical power grid. Nobody who can talk publicly really knows much about how secure the electrical grid is against nation-state-level attacks, but the rumors whispered in the bars after a few beers aren’t encouraging. From what I’m hearing, the security at electrical companies is concerning and not up to standards in the rest of the software industry. And the electrical power grid is one of the few infrastructures that seems truly critical: if we lose power for an extended duration (a week, a month), we lose a bunch of other important infrastructure: life would really suck.
May 29, 2010, 10:18 pm
Brandon Combs says:
While everyone’s worried about bits and bytes, major components of our infrastructure remain quite vulnerable to physical attack. When the lights go out, the real work gets done. When they come back on, it won’t really matter.
May 29, 2010, 10:35 pm
Second Amendment Sister says:
You mean like these cyberstupid government networks used for critical functions?
May 29, 2010, 10:42 pm
Monty says:
“It’s not just that you could lose your life savings. Your country could lose its next war. And not just the way we’re used to losing – where we get tired of being unpopular in some third-world country and go home. I mean losing losing: Attacked at home and forced to give up cherished principles or loyal allies to save ourselves.”
Think worst case scenario, some enemy manages to knock out a huge portion of US critical infrastructure temporarily. Say they manage to destroy a large number of power generators as some people theorize would be possible. The nation is without power, water systems are shut down. The parts not permanently damaged will be back up in a couple days, weeks on the long end. Blown out generators could take a year or more to replace. It’s a massive economic disruption, and there would be loss of life. But what then? We have been attacked, but how would the attacker capitalize on the damage done? Our physical defense infrastructure will still be largely functional, how is anyone going to force us to give up our ‘cherished principles or loyal allies’? We would need to be in a MAJOR armed conflict before an attack on our civilian infrastructure would be a decisive factor wouldn’t we? It would be a digital Pearl Harbor, but would we really lose the war (assuming we knew who attacked us)?
May 29, 2010, 10:43 pm
Randy says:
Monty: ” how is anyone going to force us to give up our ‘cherished principles or loyal allies’?”
They won’t force us — we will do so willingly. We gave up several cherished principles in the past ten years, like abiding by law (conducting torture in violation of our treaties), and throwing away loyal allies such as France, Italy and Germany in favor of the “new europe.” And there were plenty of people saying that we didn’t go far enough in jettisoning our principles or dissing our allies.
Privacy will be the first thing to go. We will beg the government to read our emails and listen in to our phone calls. After all, if you have nothing to hide, why should you mind if the gov’t knows every detail about you? And if the small inconvenience saves just a few American lives, then it’s worth it, right? Are you going to argue that your computer is more important than my life?
What’s more important — the constitution, or food on the table? and that is exactly how people will frame the issue. They already do. After all the constitution isn’t a suicide pact.
That’s just the start. I shudder to think where it will all lead.
May 29, 2010, 11:01 pm
Careless says:
He wrote, in 2010, Yes, we’ve known people will shred the Constitution when they think it’s very important for a very long time now.
May 29, 2010, 11:12 pm
Allan Walstad says:
I second Monty’s and Randy’s comments, but it’s also not clear to me just how much the oil spill has to do with cyber war in the first place. It almost sounds like Prof. Baker has just been waiting for some excuse to bring up the latter. Nor am I convinced that more government regulation is the answer, in the absence of any demonstration that pols and bureaucrats are generally more competent or diligent than private actors. The largest danger may lie precisely in a general, uncritical reliance on government.
May 29, 2010, 11:15 pm
Sk says:
My God! You mean if there is a cyber attack, we may not like the French? I too shudder at such a thought…
Sk
May 29, 2010, 11:19 pm
Stewart Baker says:
Monty,
When was the last war we fought where home-front war weariness was *not* a factor in our decision to take something less than victory? And that was without serious domestic disruption. How many (unattributed) electric power outages would it take before we decided that maintaining the web of US bases in Asia, or protecting Taiwan or South Korea or Slovakia from domination by a neighbor, just wasn’t worth it? I’d call that losing.
Stewart
May 29, 2010, 11:19 pm
grog says:
From what I’m hearing, the security at electrical companies is concerning and not up to standards in the rest of the software industry.
Which is frightening, if you know what goes on even at infrastructure-level software companies.
I, too, find it odd to be agreeing with Baker. Electricity, shipping, oil, banking – these are all areas where real oversight can make a material difference. Without getting to arguments about the proper role of government in a perfect world (and I lean libertarian, especially in that I disagree with other libertarians a lot), we live here now. And without getting into political point scoring, even if you disagree with how and how much regulation is needed, I would hope that coked up orgies between regulators and regulatees would look out of bounds to you, _especially_ when it deals with critical infrastructure that the government cannot simply manage itself in a crisis. (I know this inverts a typical libertarian argument, but when we’re talking electricity, I care less if those regulating massage therapists are getting a happy ending.)
I think we need tiger teams for critical infrastructure. The question is how to (1) define the role narrowly enough to be effective and (2) insulate them from $pressure de jure while (3) avoiding capture by industry.
And I know I just described the problem of good governance.
May 29, 2010, 11:21 pm
Sally says:
I think the point is supposed to be that our government was singularly unprepared to deal with this catastrophe and is forced to rely on BP to do something about it and so we should consider what will happen when the cyber-war hits. The government is also unprepared to deal with that and will again have to depend on private enterprise to fix things which may work just about as well as BP’s efforts to cap the leak and then we’ll all be royally screwed but in an even more serious way.
So the Professor thinks that government should get more involved in private business and help coordinate and direct the cyber-war disaster planning and response. Because they’re so good at that sort of thing.
May 29, 2010, 11:23 pm
The Unbeliever says:
Maybe I’m a little behind catching up on oil spill news stories, but I was under the impression this is backwards. Last I read, the government has some knowledge (mostly from absorbing oil industry executives into regulatory positions), but they lack the resources to do anything: skilled driller labor, technology to stop deep water leaks, some of the actual material, etc.
Actually, if he really did provide them coffee, that would be a good step; keeping the workers awake while working longer hours is always a plus.
But if the last 20 years of disaster management proved anything, it’s that looking for creative solutions from the government is the most foolish of fool’s errands. You’re more likely to get cheerleading one day, threats of indictments and investigations the next, and the obligatory useless site tour photo ops.
Show of (virtual) hands: when discussing the oil spill over the past few weeks, where do you think the Obama Administration spent more of its time on: technical engineering solutions… or press releases?
May 29, 2010, 11:28 pm
pop says:
The last thing we need if we are to defend against the kind of electronic attack described is more regulation, more homogenous systems. The very unique architecture described as a weakness in restoring systems after an attack, the fact that every company has a different set of defenses, is a benefit. If everyone in a population is susceptible to the same kind of attack, then they all go down.
May 29, 2010, 11:44 pm
ef says:
This seems to rely on the assumption that the only response that is appropriate to a cyber attack is a counter cyber attack, or even less, just restoring networks.
If a nation launches a coordinated attack on our infrastructure, the President has a tremendous number of assets available. Some of them are painted green and go BANG!, some are gray and are called USS something, others are black and you don’t see them coming.
An attack is an attack, and I see no reason why a military response would not be appropriate, if not outright necessary in this case. What we need to worry about then isn’t the President’s resources, but the President.
May 29, 2010, 11:55 pm
rpt says:
Earth calling Sally! Gov. Jindal ridiculed the idea of government funding for volcano monitoring, and now he, and the rest of the anti-government, anti-“nanny state” crowd complain that government is not adequately funded or prepared to fix a problem that was created and aggravated by anti-regulation private actors. Classic Catch-22. This is a problem the private actors created. How would you expect the feds to know what technology BP was using and have the equipment to fix it when BP and the rest of the industry is incapable of and/or unwilling to clean up their own mess? But of course they are lobbying full blast to keep the liability cap which means complete tax-payer bailout. Do you support a taxpayer bailout of $5B/quarter profits BP and the rest of the industry? If not, stop the kibitzing.
May 30, 2010, 12:00 am
Steven Appelget says:
Don’t worry folks!
Somin will be by shortly to let you know how businesses that let this happen will be at a competitive disadvantage and that if the government would just let them do business as they will, everything will be fine.
Plus, rainbows and ponies.
May 30, 2010, 12:01 am
rpt says:
P.S. What is wrong with relying on BP to fix the problem BP created? What’s with this “you broke it, I bought it” mentality? You broke it, you fix it.
May 30, 2010, 12:02 am
rpt says:
I believe that BP has spent more of its time on press releases. What do you think?
May 30, 2010, 12:07 am
Gil says:
What of low-tech solutions for hi-tech terrorists? At Cracked.com we’re informed that much of the Internet relies on international cables. Cables that can be easily cut and their locations are on Wiki for all to see. The article even pointed out that one cable got severed during an earthquake and a sea anchor accidentally cut through four cables.
“B’oh!”
http://www.cracked.com/article_18453_5-reasons-internet-could-die-at-any-moment.html
May 30, 2010, 12:13 am
Sally says:
Actually I think what Jindal has been complaining about is the slow pace of the federal response to his requests for permission to do certain things to try and protect the coastline, marshland areas and so on, efforts that his state is prepared to undertake but first need the Feds to sign off on. I haven’t heard him say anything about volcanos. There’s a volcano in the Gulf? And I haven’t heard him say anything about lack of funding or needing a nanny. I must have missed one of those press releases others have talked about.
You seem to be missing the point. I’m one of the people who doesn’t think the federal government could be doing anything more than what BP is already doing. The Feds don’t have the know-how, the equipment, the wherewithal to do much more than talk about energy reform and how BP is going to have to pay for all of this. Oh and fly Obama in for a 3 hour photo op. Because that’s what the Feds do in a crisis, think of ways to tax and regulate for the next crisis, never with a plan for the current one. But if there’s a whole crowd of Bruce Willis types just hunkered down in the Dept of the Interior simply waiting to be unleashed, then by all means bring ‘em on. I’ll happily admit error.
May 30, 2010, 12:19 am
Andy says:
A fascinating post. Thank you.
May 30, 2010, 12:21 am
ChrisTS says:
Exactly how popular is that narrative?
May 30, 2010, 12:25 am
rpt says:
Sally:
You don’t address your whitewashing of BP’s responsibility. Jindal’s 2009 response to an Obama address to Congress ridiculed the notion of government funding of disaster prevention. Why do you expect the taxpayers to pay for this mess? Is BP too big to fail?
May 30, 2010, 12:25 am
Sally says:
“You don’t address your whitewashing of BP’s responsibility. Jindal’s 2009 response to an Obama address to Congress ridiculed the notion of government funding of disaster prevention. Why do you expect the taxpayers to pay for this mess? Is BP too big to fail?”
I haven’t addressed BP’s responsibility at all. From what I can tell it’s BP that’s out there in the Gulf right now trying to stop the leak. Because there’s nobody else. And from what I can tell BP is fully aware that it’s on the hook for all this. But again you may be wired into BP in some way and know of their secret plans to avoid paying for it.
As far as Jindal ridiculing the notion of government funding of disaster prevention, can’t say I’m familiar with that particular speech but if I’m to take your point apparently you believe that Obama has failed to get disaster prevention legislation passed that would have prevented the leak, in which case you should really take that up with the President and his super Democratic majority Congress.
May 30, 2010, 12:32 am
Dave N. says:
Ah, the Democratic response, courtesy of RPT is that a) it is all BP’s fault; and b) if there’s a politician to blame for Washington’s failure to act it’s the Governor of Louisiana and not the President of the United States.
Harry Truman had a famous plaque on his desk that read, “The Buck Stops Here.” With RPT and his Democratic talking points, it doesn’t stop at the White House. Heck, it doesn’t even slow down to ask for directions.
May 30, 2010, 12:42 am
josh bornstein says:
What will be fascinating (at least to me, a political junkie) will be if the BP affair results in a sea-change in governmental regulation. I think the Republicans have been far more successful in promoting the general idea that less oversight is (usually) better, and that the free market will result in better solutions.
As others have noted, it’s completely unrealistic to expect our government to resolve this spill, since the oil companies have the equipment and expertise. And deep-down, Republicans know this as much as do Dems. It seems to me that the best thing to do in the future is to have massive oversight. A relatively simple calculation. If a problem will be able to be solved easily and inexpensively, then we don’t need too much governmental oversight. For deep-water drilling, (nuclear power, etc.), I’d think that we could do with a bit less mutual hand-jobs between Big Oil and those making the laws.
All things have political consequences (and thank God for that, or some issues might never get resolved). I presume that, at this moment, Democrat and (moderate) Republican operatives are busy cutting commercials to be used in the fall campaigns (and maybe in 2012), inter-cutting rabid choruses of, “Drill, baby, drill!” with scenes of oil-drenched dead birds, and with ominous statistics about loss of income to the region, likelihood of increased birth defects down-the-road, and so on (with the obligatory ominous music playing in the background, natch). It may be that those Dems and Repubs who have attached themselves to Big Oil will not do as well as had been expected come November.
This is what makes politics interesting. You just never know what events will pop up unexpectedly. Man plans, God laughs.
May 30, 2010, 12:44 am
Baseballhead says:
AnonSecurityExpert:
I think so, too, but I have to believe that if Obama actually did everything he suggests here, this site would explode with anger, as would half the population. If we just use the BP example, what do you think the critical reaction would have been if Obama had come out last year and demanded that higher, harder standards for drilling safety be instituted? What would have been the reaction if Obama had demanded greater oversight powers for the federal government? We know the answer to those questions already.
There are some things a government like ours is very good at. Instituting sweeping industry-wide changes with an iron fist isn’t one of them.
May 30, 2010, 12:56 am
ChrisIowa says:
The higher up a chain of command a crisis has to go before a response can be initiated, the more time it takes to respond, and correspondingly, the less effective the response. The response to a crisis must be managed by someone close to the crisis, and who has the technical knowledge to know what is going on. Preferably someone who has been able to practice beforehand. The higher up in the chain, the less likely the chance to practice. With the number of possible crises, there is no way someone far above the local level can effectively manage a crisis response. They cannot have the breadth of knowledge needed for all those scenarios or time to practice that many responses.
The higher the response has to go up a chain of command, the more likely you are to having someone who does not know how to dig anything as deep as a fence post hole thinking they have what it takes to manage the response to a crisis in an oil well.
May 30, 2010, 1:04 am
zuch says:
“Be afraid. Be verrrryyyy afrrraaaiiiiddd….”
I’ve done lots of work with various telcos and ISPs, and they generally do a very good job of keeping their systems secure and monitored. If there are weaknesses, it would quite likely be more from inside people.
Which would make it less likely that they all could or would be taken out by one type of attack. Making them all the same, OTOH…..
Oh. You mean like a power outage or a hurricane? Wow. Good thing those things never happen.
Reminds me of the “Y2K” scam. I had to be “ready” (i.e. on call if something blew up) that evening because of paranoids and fear-mongers like Baker, but let me assure you that I didn’t refrain from a bit of partying that night. Not at all concerned for our stuff, and if all the stuff around the world written in COBOL went all to sh*te that night, the world would probably be better for it….
Speak for yourself, Mr. Baker. I can’t cure idiocy, but I don’t have to sign on to it.
Why would he? That would be a very silly thing to do. Verizon can take care of themselves, I assure you. Verizon has redundant, geographically dispersed, fail-safe and backup systems, as do the other major carriers,
Mr. Baker: You should try to limit yourself to talking about things you know about.
Cheers,
May 30, 2010, 1:17 am
CurlyDave says:
May 30, 2010, 1:20 am
Angus says:
I used to live in Louisiana, and had a close up view of Jindal’s rise, and that’s his standard M.O.: he’ll tear and rip and shred with budget cuts, then when crisis hits and government is unable to deal with it, he exploits the resulting chaos for political gain.
He nearly destroyed the U. of Louisiana system when he was in charge of it, then ran for governor the first time pledging to “fix it.”
He did manage to destroy Louisiana’s mental health system when he was in charge of it, then ran for governor the second time saying how awful the system was and that it needed to be fixed.
For all of Jindal’s personal charisma, I’m not sure he’s achieved a net positive result in any position he’s held so far.
May 30, 2010, 1:21 am
grog says:
And deep-down, Republicans know this as much as do Dems. [...] For deep-water drilling, (nuclear power, etc.), I’d think that we could do with a bit less mutual hand-jobs between Big Oil and those making the laws.
Well, I would like to think so. But I can’t look into people’s hearts. I just keep hearing, “drill, baby, drill!”, and seeing (mostly) votes that match rhetoric.
In your view, what is a reasonable takeaway from this fact?
– The U.S. cannot support itself, from an energy standpoint, from its own extractive industry.
– Military supplemental aid towards influencing nations with extractive industry that can support us is at best a mixed, short-term solution; it is extremely costly, damages other interests, and we’re running into geopolitical situations wherein the costs go up.
– Politically, we cannot move far from blind optimism that everything will somehow be OK.
– Something like 1/2M gallons of oil are leaking into the Gulf right now, and BP’s failed twice to stop it.
– Finger pointing aside (while important), if Cheney were President, he couldn’t fix this, either.
What to do?
And back to Baker’s point, what’s next?
May 30, 2010, 1:27 am
Constantin says:
If the Drill, Baby, Drill crowd had anything close to its way, we’d be drilling in the middle of nowhere in Alaska, not two miles under an ocean that’s the focus of an entire region’s way of life.
But that would make too much sense. Now we won’t be drilling anywhere. So you hippies better hurry up with those windmills, or maybe Doc Brown can get cracking on the hoverboards finally. Either that or we’re all learning Arabic.
May 30, 2010, 1:37 am
Constantin says:
Well if that’s true, and precedent since about 1993 means anything, he’ll be President within a few years.
May 30, 2010, 1:40 am
CatCube says:
As much as I detest Obama’s policies, he probably can’t do anything other than what he’s doing. If he couldn’t have done anything to prevent this to begin with (and I don’t think that “don’t drill” is a reasonable solution, given that I like lights and heat in my house), then he really bears little fault for this.
I’d bet that BP is doing literally everything possible to stop this, and hiring every single company that could cap that well. PR problems aside, they are literally dumping the thing that they sell into the ocean. The only thing the President could do is federalize the process and…hire the same companies to try the same things.
There’s probably no will to pay the money necessary to keep a government team on standby for something like this year in and year out. It might actually be more expensive and less effective, anyway, since unlike something like the Nuclear Emergency Search Teams that would be used to look for a terrorist nuke, there’s a worldwide civilian demand for stopping well blowouts. A government team would piddle around in a training area until the wheels came off of a U.S. well, while a private contractor would be doing real situations around the world on a much more regular basis and probably be a lot better at it.
It’s similar to all the shrieking and crying about KBR contracts in the wars in Southwest Asia. The two options for the government are 1: keep government employees (or Soldiers for SWA) on the payroll to do this, at moderate-to-high expense every year, or 2: pay vast sums of money to a private firm with the knowledge and skill to do these kinds of things when they are needed for the duration, then fire them all after the crisis or war is over. Like the LOGCAP process that hired KBR (though I think DynCorp has it now), the government has settled on having a solution that’s lower on the year-to-year budget.
May 30, 2010, 2:26 am
Robert David Graham says:
As a cybersecurity expert, I’d have to disagree with this post.
It is based on fear of the unknown. The less people understand hackers, the more they are afraid of them. The idea that hostile nations are seeding our private networks with viruses to cause a black out is a fictional scenario you see in movies, and far different from the reality.
There are reasons why government regulation is unwelcome, and it’s not because it’s “excessive” or “unneeded”.
The first is that government regulators don’t understand the problem. Regulators end up favoring the politically connected rather than addressing the problem. Government networks are far less secure than corporate networks — there are few in government with any meaningful cybersecurity expertise.
The second is that government places ideology above reason. Phrases like “you can never be too secure” make a fine speech, but it’s wrong. You can be too secure. When the marginal costs of additional security exceed the marginal benefits, then you are too secure. Moreover, ideologues exaggerate the benefits of security, and ignore the costs – they will gladly take away human rights and crush innovation in the name of the Almighty Security. Government ideologues are a greater danger to the Internet than Islamic ideologues.
May 30, 2010, 3:11 am
Lee says:
Chernobyl comes to mind.
I haven’t seen any evidence to support the notion that catastrophic technical disasters are best prevented with more intense government regulation. Accountability is the one thing that prevents disasters. If a private organization knows that it risks suicide when it takes unnecessary risks, it will self-regulate with a level of effectiveness that bureaucrats can’t even imagine.
Think post-9/11 airport security…a joke. Compare that with the effectiveness of airport security we could expect to see if Airlines knew they could be sued to oblivion for a successful terrorist attack.
With regard to cyberwar, I fear that imposition of government mandated security measures would only create a more uniform pattern of weaknesses that would make our systems comparatively weaker than they would otherwise be. Decentralized security solutions create a heterogeneous pattern of strengths and weaknesses that would be more difficult to target.
A successful EMP attack is probably one of the most serious doomsday scenarios we face. Very little has been written about that topic.
May 30, 2010, 3:26 am
Brian, follower of Deornoth says:
How did it go in that very fine film…
Mayor: “And what are the police doing about this?”
May 30, 2010, 5:31 am
Harry Callahan: “Well, for the last 45 minutes I’ve been sat on my ass in your outer office.”
haha rimshot says:
That has never stopped you though.
Cheers,
May 30, 2010, 7:57 am
rpt says:
Typical Republican/Conservative/Libertarian accountability avoidance. Blame the cops for the crooks. Expect the government to fix everything. Had Obama purged the MMS last year, as we agree he should have done, you and the rest of the oil bailout crowd would have been screaming about “over-regulation”, etc. Now you blame him, forget about BP and the MMS crooks for a problem which he did not create.
May 30, 2010, 9:43 am
Ben Arjay says:
I struggle with the statements from cybersecurity “experts” that hackers – whether private or state-supported – are not capable of causing massive disruption in communications or energy networks.
It is hard to reconcile that viewpoint with any number of incidents that have occurred over the past few years, including:
1. The massive DDOS (distributed denial of service attack) launched against Estonia in the autumn of 2007. Estonians could not use their online banking, their newspapers’ websites or their government’s electronic services. Hundreds of key websites were hit week after week, unable to get back up.
2.
May 30, 2010, 9:45 am
rpt says:
P.S. Dave: What “Washington failure”? Exactly how did “Washington” fail here? Please explain.
May 30, 2010, 9:45 am
CaseyL says:
“The middle of nowhere” to you; not to the animals and people who live there. Leaving wilderness untouched obviously has no meaning to people who believe humans are automatically entitled to consume everything, everywhere until there’s nothing left but a polluted wasteland but fortunately not everyone feels that way.
Blame, guilt, culpability and liability for this catastrophe can be laid directly on BP. The technology to prevent the catastrophe exists; BP chose not to use it.
BP refused to install an acoustically triggered device on the wellhead because that would’ve cost half a million dollars. The shut-off would have capped the well. The same device is required in other countries, and used by other oil companies.
The technology to prevent this catastrophe exists. BP fought for over a decade to make sure regulations were lax enough it wasn’t required to install the technology.
Maybe if this gets repeated often enough, it’ll sink in.
But probably not.
May 30, 2010, 10:13 am
The Drill SGT says:
As an earlier poster said, we are already skirmishing with cyber attackers on an hourly basis. The major problem with using asymmetric forces in response (e.g. bomb the piss out of the attacker) is that the creator of the attack and the launch site are often different.
Hypothetically, a group of Chinese hackers can take over 1,000 PCs in Russia or the UK, then from that location attack a US entity. Who do we attack? The place where the attack comes from or the potential country that masterminded the attack? If we can guess that?
The attacks can take various forms from classic DDOS attacks to data destruction or even physical destruction attacks. (altering bank accounts or stock trades for example)
In the next few years, the American public is going to learn more than it wants to know about SCADA devices (supervisory control and data acquisition). Those utilitarian electro-mechanical control devices that either monitor the status of systems (your home thermostat (though perhaps not precisely SCADA) would be an example), or remotely turn things on/off. Think in-ground sprinklers.
Among the many things SCADA are used for are our electrical grid, oil pipelines, and chemical plants.
Consider the mayhem if all of the valves at an oil refinery or a big Dow plant all of a sudden start opening.
May 30, 2010, 10:45 am
The River Temoc, in Winter says:
Chernobyl comes to mind. I haven’t seen any evidence to support the notion that catastrophic technical disasters are best prevented with more intense government regulation.
There is a very good book entitled UNCOVERING SOVIET DISASTERS by a space policy expert named James Oberg. It presents many examples of catastrophic technical disasters in planned economies, such as an anthrax outbreak in Sverdlovsk (now Yekaterinburg) in the 1960s and another less well-publicized nuclear accident.
Over the past few years, Putin’s Russia, which embraces a form of state capitalism, has seen quite a few catastrophic technical disasters, including the Kursk sinking, a gas explosion in Kazan in 2008, several mining accidents, and the destruction of a hydroelectric plant at Shushenskaya in 2009.
Now, we can discuss the appropriate place of regulation in addressing market failures, including the failure of private industry to adequately invest in safety (a public good). Though few seem to want to bring it up in their zeal to bash the TSA, airline security was much more lax pre-9/11 and was conducted by minimum wage employees — this is because the airlines were responsible for security themselves and systematically underinvested in it.
But the notion that government regulation, by itself, dramatically improves safety is questionable.
May 30, 2010, 11:02 am
Stelman says:
I don’t think most people can imagine government with the expertise or equipment to drill deep sea wells or to cap deep sea wells.
As for cyber security, it makes sense to me for the government to build and maintain a redundant secure network.
May 30, 2010, 11:48 am
Mike P Wagner says:
As a software developer, it intrigues me that folks who use software every day – posters on VC – and whom I therefore presume to be cognizant of the difficulty of developing and delivering high quality code, nonetheless assume superhuman powers to the developers of malicious software. Not only are superhuman powers asserted, but it multi-OS distributed applications, including many embedded systems – a pretty challenging environment.
It takes an enormous amount of effort to get applications to look more or less alike on OS X and Windows NT. But these superhuman hackers will be able to throw together codes that run in supercomputers at DOD/NSA and embedded systems like the thermostats in your own home?
It took MS billions of dollars and decades to fix MS Word so it can stay up for more than a few hours, but these hackers can write code in a couple of years that will reliably work the first time it is executed in a distributed environment?
The big question I have is that if such super coders do exist, why aren’t they working in private industry right now?
The reality is that if you look at any of the “hacker” code out there, it’s generally pretty poor quality code – and mostly derivative. Yes, it can be annoying.
But from the first “Internet worm” in 1990 (or so?), to any of the more recent stuff, it’s been pretty pedantic stuff. Morris – the author of the 1990 worm – was told about the UNIX mail test facility by his dad. Big genius move there.
Then he didn’t even consider the message propagation issues that first occurred to most grad students when we read the code. It wasn’t very well designed or coded.
The genius was so brilliant that he hacked his way into a mostly open network where people liked to share resources. If he were a safe cracker, he would be famous for breaking into a screen porch.
The various buffer overflow attacks and MS Mail “active whatever” attacks are annoying, but that’s about it.
Are there weak spots? Yes. Should companies do more? Yes.
Are companies doing more than they ever have done before? Yes.
Having spent nearly two decades in the industry (albeit not as a security consultant), the time when virus attacks were a major threat to corporate networks is over. The most recent outrage that bit me was in fact, an incorrect virus definition file.
I am not arguing that all systems are perfectly secure – that would be foolish. But the assertion that hackers have super human powers belongs in comic books.
The new reality is the cybersecurity experts are very good – they reached parity with the hackers a decade ago. The fat guy living in the basement of his mom’s house drinking Jolt and eating Doritos who can “hack” into any computer in the nation is a myth and has been for a while.
It is true that companies need to be vigilant, but there is a maturing cybersecurity industry that I believe to be more than a match for these superhuman hackers.
User error – “Oops I shouldn’t have deleted that file!” – is much more of an issue than malware or virus attacks in the last ten years.
The other advantage is that the cybersecurity experts debug code constantly – it doesn’t have to run the first time.
I believe vigilance is in order, but I don’t buy the scare tactics.
May 30, 2010, 11:52 am
Adam Maas says:
The fundamental difference between the BP spill and a cyberwar attack is that the latter is just that, an attack.
As long as the culprit can be traced, the US can strike back with conventional means. Your nifty cyberwar attack that took down the grid in the US looks pretty stupid once the Arc Light strike shows up over your capital. Congrats, you inconvenienced a bunch of people for a few days while killing a small number, in return you got a city flattened and thousands of your own citizens killed.
Cyberwar is and will remain a spoiling attack. It’s what you do to slow down the major power’s response to something else, not a primary strike. Too little critical infrastructure is actually vulnerable to it (really only power and civilian communications).
Oh, and @Randy: The idea that France, Germany and Italy were loyal allies of the US that the US abandoned for New Europe is absurd. France has never once been a loyal ally of the US and has always played realpolitik to a ridiculous degree, you simply cannot trust France to do anything other than what is best for France in the short term. There’s a reason they pulled out of NATO in 1967 and didn’t rejoin until after the wall came down. Italy has backed the stronger horse and switched sides in living memory (WW2 being the biggest example). Germany has been a steady ally of the US and remains so even today. But the allies in New Europe have all proved far more willing to go to the wall for the US than any of the Western European states except the UK because New Europe remembers why they aren’t the Warsaw Pact anymore.
May 30, 2010, 11:54 am
Stelman says:
Really? Either, this statement is deluded, or you don’t think your readers know what drill baby drill means.
May 30, 2010, 12:24 pm
pc says:
Beyond the super-hacker nonsense, I like how some people easily buy into the idea that communist governments are so much more efficient than democratic governments and private businesses. “The Chinese have super hackers and the US and private businesses are too inefficient to respond!”
May 30, 2010, 12:37 pm
vejadu says:
Very interesting what the cultural biases above reflect. Not one poster in 50 suggested acknowledging that whoever strikes first “wins” – so why not hire a bunch of black hats thru cutouts to launch a deniable first strike against the bad guys du jour? After all, it’s not technically an act of war, so . . .
May 30, 2010, 12:44 pm
zuch says:
Nor you, it seems.
But FWIW, it so happens that I have, at the very least, done quite a bit of work with the likes of Verizon and do have at least a passing familiarity with their networks and security.
Cheers,
May 30, 2010, 12:54 pm
Randy says:
“Verizon has redundant, geographically dispersed, fail-safe and backup systems, as do the other major carriers,”
Rats. I secretly harbor a hope that someday, someone will hack into the credit card companies and mortgage companies and destroy their networks, and thereby erase all their files. Then poof! My debt disappears!
I guess we’ll have to get to the dysfunctional level of one of those awful Kevin Costner movies before I can wipe the slate clean.
May 30, 2010, 1:04 pm
Constantin says:
Yes. Really.
May 30, 2010, 1:08 pm
Bob from Ohio says:
The horror!
A cyber attack reminds me of the Underpants Gnome.
Disrupt US domestic systems.
????
Profit
What is the benefit to an enemy?
Unless you let us take Taiwan, we’ll keep it up? That would pinpoint the culprit so would be kinda stupid of China.
You must stop protecting Israel so our crack Arab armies will once again beat them? The second does not follow.
What cherished principle could be surrendered that would actually matter?
I concede that our economy could be hurt but that would hurt everyone else.
May 30, 2010, 1:45 pm
John S. says:
MAD does not work in asymmetric warfare, nor when the attacker does not value their own life, nor when the attacker is willing to sacrifice their own children for furthering their cause.
As to the cyber warfare plan, counter-attacking non-government actors has no impact aside from the joy of retribution; even counter-attacking state sponsored actors is semi-productive unless they are near-peer threats (not likely.) The only way to protect is to plan in advance; using super redundant and resilient systems. Interestingly, the US government is the world leader in creating secure and super redundant computer systems. McAfee and the like, not so much.
May 30, 2010, 2:37 pm
burpeeseedless says:
“Americans will forgive the President for being surprised and helpless this time, I think. But not the next time.”
You are a laughable partisan hack.
May 30, 2010, 2:40 pm
George B says:
Stewart, the lesson I relearn from the BP oil spill is the civilian parts of the federal government are often worse than useless while military parts like the Coast Guard are fairly competent. In the effort to stop the oil leak I don’t think government lawyers would be useful even if you cut them into pieces and used them in a junk shot to plug the well. Why would I suddenly expect competent bureaucracy and enlightened regulation to keep us safe from the threat of cyberwar? If we are facing a clear external national security threat, we should have some branch of the military working on the problem and our military response.
The other lesson relearned from the BP oil spill is that accidents happen and resilient systems have a backup plan to recover from the accident. While more could be done, electric power utilities experience fairly frequent weather related power outages and get regular practice restoring electric power. Preparation and practice can go a long way towards limiting the size of a disaster.
May 30, 2010, 2:43 pm
Chris Travers says:
There are a couple of major differences that Mr Baker glosses over. The first is that all networks are already under constant attack, but it’s not likely that people are going around sabotaging oil rigs. This means that most medium to large businesses have competent security folks on staff who know the network. This includes particularly those businesses which are required to have good security plans (medical, financial, infrastructure, etc).
Secondly, the constant attack means that there’s a concerted effort to find problems before the bad guys do. Compromising networks is thus far harder than it appears at first if your attempt is to disrupt them, bringing them down. My own business does both critical application development (phone systems, financial programs, etc) and security consulting. In general, disrupting networks is harder than it seems it should be on paper.
That doesn’t mean it can’t be done. Targeted attacks on key backbone networks could cause tremendous problems, but they wouldn’t shut down utilities, access to bank accounts, etc (they might shut down ACH processing, however).
Even in the event of a single widespread and drastic attack, we’ve already been through a surprisingly bad malware attack. Back in 2003, the SQL Slammer worm hit the internet. Unlike most past worms, it used a UDP-based attack which allowed it to spread extremely fast, compromising a large number of critical systems (it infected MS SQL Server database management systems). In some cases, financial services were disrupted briefly, and there were reports of traffic light failures.
It’s estimated that early on, the worm was doubling in effect every 8-9 seconds, faster than any previous worm (probably due to the fact that it used UDP instead of TCP as an attack vector).
Despite the fact that this worm caused a large number of networks to collapse, the impact was remarkably short-lived.
The simple fact today is that companies have to prepare against internal sabotage, external attack, and malware, and that failure to do this properly results in problems that will come up long before a major attempt to shut us down.
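The doubling rate quoted in the comment above, carried through a simple logistic spread model to show how little time a manual response has. This is an added example, not part of the original comment; the vulnerable-host count is a constructed figure, and 8.5 s is taken as the midpoint of the quoted 8-9 seconds.

```python
import math

# Assumptions (not from the thread): a constructed vulnerable population and a
# single initially infected host. The doubling time is the midpoint of the
# "8-9 seconds" quoted in the comment.
VULNERABLE_HOSTS = 75_000   # constructed figure for illustration
DOUBLING_TIME_S = 8.5


def growth_rate(doubling_time_s):
    """Early-phase exponential rate (per second) for a given doubling time."""
    return math.log(2) / doubling_time_s


def infected_at(t_s, vulnerable, doubling_time_s, seed=1):
    """Hosts infected t_s seconds after release under logistic growth.

    Logistic growth is the standard first-order model for a worm that scans
    addresses at random: exponential while most targets are still clean,
    flattening as fewer uninfected hosts remain to be found.
    """
    r = growth_rate(doubling_time_s)
    return vulnerable / (1 + (vulnerable / seed - 1) * math.exp(-r * t_s))


def time_to_fraction(fraction, vulnerable, doubling_time_s, seed=1):
    """Seconds until `fraction` of the vulnerable population is infected."""
    if not 0 < fraction < 1:
        raise ValueError("fraction must be strictly between 0 and 1")
    if seed >= fraction * vulnerable:
        return 0.0
    odds = fraction / (1 - fraction)
    return doubling_time_s * math.log2(odds * (vulnerable - seed) / seed)


def exposure_by_response_latency(latencies_s, vulnerable, doubling_time_s):
    """For each response latency, how much of the population is already hit.

    Returns (latency_s, infected_hosts, infected_fraction) tuples, which is
    the number a defender cares about: what is left to protect by the time
    filtering or patching actually starts.
    """
    rows = []
    for latency in latencies_s:
        infected = infected_at(latency, vulnerable, doubling_time_s)
        rows.append((latency, infected, infected / vulnerable))
    return rows


if __name__ == "__main__":
    t90 = time_to_fraction(0.9, VULNERABLE_HOSTS, DOUBLING_TIME_S)
    print(f"90% of vulnerable hosts infected after {t90:.0f} s")
    # Constructed response latencies: automated filter, on-call page, ticket.
    for latency, hosts, frac in exposure_by_response_latency(
        [30, 60, 120, 300, 900], VULNERABLE_HOSTS, DOUBLING_TIME_S
    ):
        print(f"response after {latency:>4} s: {hosts:>8.0f} hosts ({frac:6.1%})")
```

Under these assumptions the model saturates in under three minutes, so only controls already in place (egress filtering, rate limiting, patched hosts) affect the outcome; the model ignores the bandwidth congestion that slows a real outbreak in its late phase.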
May 30, 2010, 2:57 pm
seguin says:
Good question. I think it disappeared somewhere between TARP and the Stimulus.
May 30, 2010, 2:58 pm
rosignol says:
Seconded. Talk to some people who actually work in the industry, and no, I don’t mean Richard Clarke. That guy has been talking about a “digital pearl harbor” for over a decade now, and how the solution is to create a new cybersecurity agency (with him in charge) despite a complete lack of evidence that any foreign power is planting logic bombs or backdoors in anything.
May 30, 2010, 3:19 pm
Chris Travers says:
I’d be much more concerned about the US government making a deal with Microsoft, etc. to have backdoors. We still don’t have a full idea what the NSAKEY variable in a Microsoft service pack was intended to do.
May 30, 2010, 3:45 pm
Today's Tom Sawyer says:
Thirded. I think the Storm Worm or Conficker would make Baker shit his pants if he actually realized what he was talking about. But, botnets are nothing new, and the world hasn’t collapsed because of it yet. As for finding solutions to viruses and hacking, the private sector has been infinitely more responsive and helpful in those regards. Looking back at 1989, the government had to rely on Clifford Stoll, a Berkeley astronomer who noticed an unauthorized user, to actually trap and track a hacker….and the history of such measures is always some company or programmer fixing a problem, and then sending out the fix to others. You look at major advances like honeypots and HoneyMonkeys, and they either come from private for-profit or non-profits (Shadowserver is a great example), not the FBI/CIA/NSA/Military. Of course, those organizations helping would probably lead to uncomfortable questions about how they know so much about a virus (Carnivore anyone?), and much like an episode of NCIS, would withhold information until something very bad happens. Additionally, no one wants to give the government any more info than necessary because they can’t seem to keep their blackhat ops out of whitehat projects.
May 30, 2010, 3:54 pm
Chris Travers says:
The NSA has given us SE-Linux….
May 30, 2010, 3:58 pm
Sun Tzu's Nephew says:
What an appallingly bad idea. Putting (or letting) Government, which does nothing at all efficiently, in any way or shape involved with disaster response?
Brilliant! The Government that couldn’t respond (due to federal regulations) to a Hurricane with 4 days notice, the government that took 4 days to respond to an earthquake (Northridge, CA), that can’t “plug the hole”, the government that has 4x the number of people doing the job that private industry has, that has layers and layers upon more layers of CYA bureaucrats playing ‘pass the buck’ and ‘better kick that upstairs for a decision’, the government whose leaders go on rafting trips…..
Here’s a better idea: Tell private industry they have to fund an insurance/response company and that this company is responsible for securing/responding. Not a government-owned enterprise like Freddie or Fannie, a private business. And if they want to do business with the government (which includes the defense, auto, health care industries, among others) they have to play.
Oh, and the officers of the company (corporation) will be held strictly liable, with jail terms included, for their failures. OTOH, they get to set their own premiums and make as much money as they want, and no moron elected to federal or state office will be able to tell them they’re doing it wrong.
May 30, 2010, 4:12 pm
Chris Travers says:
I think that’s a bad idea. It’s far better to have diversity in thought and approach than to mandate a single-player system. A much better approach is to let private industry approach the problem themselves. The PCI-DSS compliance industry is a great example of a success in this area.
The current approach works surprisingly well, as security breaches are not uncommon and companies are held financially accountable very often if they don’t take adequate steps.
May 30, 2010, 4:20 pm
The River Temoc, In Winter says:
The Government that couldn’t respond (due to federal regulations) to a Hurricane with 4 days notice, the government that took 4 days to respond to an earthquake (Northridge, CA), that can’t “plug the hole”, the government that has 4x the number of people doing the job that private industry has, that has layers and layers upon more layers of CYA bureaucrats playing ‘pass the buck’ and ‘better kick that upstairs for a decision’, the government whose leaders go on rafting trips…..
Do you contend that none of these things happen in private industry?
May 30, 2010, 4:21 pm
christy says:
Y2K worked as a major wake-up call to the power utilities. During that review other vulnerabilities were recognized. I was on a team that, as Y2K work wound down, began looking across our utility at infrastructure, security systems, and computer networks. Certain computer applications were always kept isolated, btw, even in the dark ages of analog.
I’m of the belief that generally government is more the problem than the answer. The real vulnerability of the power industry is transmission, however, and the only solutions to that NIMBY dilemma are political.
May 30, 2010, 4:53 pm
Today's Tom Sawyer says:
Just look at the SELinux wikipedia entry to see the precedential value of that contribution lol
May 30, 2010, 4:58 pm
Mike P Wagner says:
Mr. Travers appears to me to be correct. I am not a security expert, but I am a long time software developer, and I feel pretty confident that three things are true:
1) The skill/intelligence of people working on cyber security is at least at parity with those trying to defeat cyber security.
The industry is long past the “security through obscurity” phase – the new security analyses and mechanisms use pretty sophisticated models that do not rely on obscurity of code so much as understanding of roles and capabilities.
The mechanisms that protect against accidents and/or malicious employees are also going to be robust against outside attacks.
Mr. Travers and other experts work very hard to ensure that a boneheaded (but trusted) employee can’t take down a facility – many of those same techniques work against a rogue employee or program.
2) The security protection programs get tested a lot – and by the “gold standard” of testing- lots of users in the real world. The programs designed to thwart security are not as well tested.
3) There are security defects in a lot of OS’s and apps, but the race is now between the good guys (protecting security), and the bad guys (thwarting it). The bad guys have to spot a security defect, and develop and deploy a program to exploit it before the good guys close the door. The good guys are now searching as hard as the bad guys, and posting the issues pretty quickly.
4) Developing the kind of software that shows up in movies – push one button, and take over all the natural gas distribution in the northeast (with an MS popup nonetheless) is a very difficult task.
When you add in multiple OS’s and geographical distribution, it’s daunting.
Developing such a program without a long test cycle – it has to work the first time it executes – looks to me to be nearly impossible.
Overall, the good guys seem to have a big advantage.
May 30, 2010, 5:22 pm
Chris Travers says:
Just tempering Mike’s analysis a bit :-)
I will also say that the whitehat and red-team hackers I have worked with have been THE most talented programmers I have ever worked with. You wouldn’t believe the amount of effort given to questions like methods of code injection, privilege escalation, and the like. This is especially true of critical applications (like web interfaces to accounting tools) where security is remarkably difficult. I have learned a lot from working with these folks (to the point where I feel comfortable doing some of that sort of work).
I still don’t consider myself close to top of the line, though.
I will say though that, while it’s true that systems have become FAR more secure over the last decade generally, it’s also true that the forms of attack have become far more sophisticated. When you start looking at newish web app vulnerabilities such as XSRF and clickjacking…. Some of these just don’t have generally accepted countermeasures (XSRF does, but clickjacking thus far looks to be a problem which inherently cannot be solved in a perfect way).
There’s now even talk of mouseover-jacking which could be quite a problem for some web apps.
OTOH, the sorts of attacks possible against a more standard application have not advanced as quickly. These are far easier to audit.
One thing to keep in mind is that security is a series of compromises, judgement calls, and balancing acts. Perfectly secure systems are also perfectly unusable. And furthermore, folks generally worry FAR more about rogue employees or programs than about honest mistakes (though in financial software which is what I do most of the time, honest mistakes are co-equal problems).
This is true to a large extent if the program is widely enough used to attract sufficient attention. If not, it’s a crapshoot.
I will point out though that there’s a lot of really insecure software out there by today’s standards. I have seen boneheaded engineering decisions that are just inexcusable, and some of these render some pieces of software fundamentally insecure. (My views are publicly known about this and the security record speaks for itself, but SQL-Ledger(R), by DWS Systems, comes to mind as a program which is dangerous to use in any way, and quite frankly that’s putting things politely.)
The good news however, is that the vulnerable software is usually niche software. Software usually cannot grow out of a niche market without people paying more attention to security and liking what they see. Also this software is generally such that it’s not network infrastructure, nor is it critical software (air traffic control, power plant control, etc) that would be audited due to regulatory reasons.
That’s quite an oversimplification. Most network security design is going to be done on the assumption that all software is vulnerable and could be compromised. Therefore the goals aren’t just to keep an attacker out, but to keep a successful attack from being any more disruptive than it has to be. Honestly, the strategy is a lot like securing a physical space and all of the physical-space security strategies apply to cyberspace (defence in depth, perimeter control, etc).
So there are two elements to this:
1) How do we try to make software as secure as possible?
2) How do we contain a successful attack?
Most successful attacks these days are fairly contained. One might be able to attack a system indirectly connected to a public network and be able to, say, retrieve a list of credit card numbers (a good reason not to store credit card numbers), or get malware installed on a system to log keystrokes of a phone support agent or software developer, but generally speaking, what we don’t typically see are attacks which bring down an entire enterprise.
That part’s well-nigh impossible without a pretty good test network to test it on first and then one would still run into problems. However, there are more specific sorts of attacks that could be made. DDoS attacks could saturate network links cutting some users off from others, Web sites and VPN’s can be taken down through DoS attacks (VPN’s are especially vulnerable to this for reasons relating to secure application design), and it might even be possible to disrupt regional sections of the internet.
However, I think we’d see fast response to this, and the impact would be surprisingly short-lived.
Even with insiders installing logic bombs, it’s not clear to me that one would generally get very far in critical areas. Most of these have regulatory reasons why code in critical areas MUST be reviewed by third parties before it is put into production. Indeed that’s becoming a requirement for any software that touches credit card numbers…..
So my thinking is that an attack would be moderately inconvenient, disruptive for a few folks, but of short-lived impact and reasonably well contained.
May 30, 2010, 6:32 pm
AnonSecurityExpert says:
Unfortunately, tracking cyber-attacks is very difficult. I suspect it is unlikely that we’d be able to attribute the real source of a sophisticated cyber-attack.
Agreed. Unfortunately, if the electric power grid goes down for an extended period of time — something that one could imagine a cyberattack might be able to cause — that could cause real harm. It’d be a pretty nasty spoiler, wouldn’t it?
May 30, 2010, 7:05 pm
AnonSecurityExpert says:
Agreed. In my view, the telcos and the ISPs are not the weak point here.
The electric power infrastructure, on the other hand…
May 30, 2010, 7:07 pm
Engineer-Poet says:
No, not making them all the same. Making sure they’re as secure as possible.
This is important, because these systems aren’t all parallel and independent. Taking out one part of a SCADA system might interrupt communications between neighboring parts, disrupting them even though they weren’t hacked. In that vein, The Drill SGT is exactly correct. Hacking the internet-connected monitoring and control systems in newer elevators could effectively deny physical access to many large office towers. These are just a couple of many, many possibilities.
If you take down power alone, refrigerated food is gone within a few tens of hours. Water systems fail. People can’t pump fuel for emergency generators because the gas stations’ POS systems don’t work. You get into cascading failures, like the health crisis from lack of food and clean water meeting hospitals with no power.
It’s obvious that a lot of people here have no grasp of the issues here. I suggest reading a back volume of the RISKS Digest, or maybe two.
Last, it’s true that many networks are configured to localize failures and limit the extent of damage. However, some very important networks are not well-designed in this fashion, as we learned on 14 August 2003. An attacker who knows how to control something to make it (or the wider system of which it’s a part) fail can do a lot more damage with a hack than someone simply aiming to crash the control system. We can assume that a sophisticated military cyber-warfare unit will be in the first category.
May 30, 2010, 7:09 pm
Paul Tarnowski says:
This, so very much this. I’m an IT consultant for small businesses and the only times I’ve ever seen systems that were not well protected was when the owner/operator of a business decided they were knowledgeable enough to secure their own systems when their only experience was following the setup wizards on low-end/mass market consumer systems. Just about every small business where they have less than 5-6 computers and don’t have a decent IT company contracted is going to have security problems, a badly configured network, WEP for wireless at best, no/abysmal update cycle (afraid that updates will break their computer’s functionality, which, unfortunately, it can, and then they can bring in an expert or cause more harm), etc. But they just don’t want to pay for the overhead.
This despite the fact that these days it’s so much easier to secure a network with group policies, firewalls, etc. (if the OS supports it, unfortunately many small businesses use consumer machines with Home versions of Windows). And the cost for security software is lower than ever for coverage that is better than anything that has been out there before. So for a lot of places where there are security issues, it’s a matter of education and stupid-user-tricks (PEBKACs) on the part of the people who own the network and don’t want to pay for security until after the barn has burned down.
But the most vulnerable networks are not critical to the overall running of America or any other country, and the damage they can cause, from a strategic perspective, is very limited.
May 30, 2010, 7:43 pm
Chris Travers says:
Meh… I’ve been through times when storms take out the power for a week or so….. IME, people do better than one would expect….. Taking the power grid down for a week isn’t going to cause a health crisis, and the systems that matter generally have backup generators (and that includes not just hospitals and phone carriers, but also some gas stations and supermarkets for POS systems, minimal refrigeration, and the like).
Sure, cooking becomes a pain… But I’ve never seen water systems fail due to a grid outage in this country. (In Indonesia? Sure. Here? Nope.)
I put week-long electrical power failures in the “greatly inconvenient” category rather than the “crisis” category.
You’ve either missed problems more than I have, or had better luck with customers ;-) The problems here usually have a lot more to do with application developers being clueless rather than clueless network admins. The problem is that many small-time application-developers don’t adequately consider what a malicious insider could do (confused deputy problems and code injection are the most common).
May 30, 2010, 8:20 pm
cyberhippie says:
There is no cyberwar. It’s a construct of people who stand to profit from hysteria. Let me repeat, there is no cyberwar. Should any government start one, it will be the USA leading the arms race. Just like nuclear weapons after WW2.
“Best Practices” are a horrible, lowest-common denominator standard so people can check a box in an audit run by financial auditing firms. “Do you have a firewall? yes/no”
Let’s ask the basic questions. Why are critical infrastructures, such as power plants, dams, water control points and the like on the Internet in the first place? What happened to distinct networks separate from that which the dirty public use? The USA can’t engineer its way out of a paper bag nowadays.
Just because most government networks are swiss cheese doesn’t mean there is a cyberwar. It’s like the house on the street that leaves their doors open all the time. The govt should stay out of private industry, and frankly, private industry should stay out of the government.
There’s a reason the DLA (defense logistics agency) won’t buy computers from Lenovo and other foreign-manufactured entities. The DoD has already seen Lenovo laptops arrive with hardware keyloggers and infected BIOS eeproms.
There is no cyberwar, unless you’re a lobbyist trying to do what you’re paid to do.
May 30, 2010, 8:26 pm
Chris Travers says:
Way too often “best practices” mean “good-enough practices.” Practices which are actually the best take a bit of effort to do…..
And you should see my preferred firewall setup :-P
May 30, 2010, 8:51 pm
Paul Tarnowski says:
This pre-supposes a true threat that would be absolutely debilitating. However, the complete loss of the internet itself will not, as some believe, destroy America, although the economic devastation could well be in the trillions. Local service outages have happened before and will happen again. And local outages usually accompany major storms, blizzards, earthquakes, etc, so the effect on the local populace is usually far worse. Other communications mediums do exist, and although there may well be some deaths, generally the strategic value is limited, as any specific exploit will only happen once, and it would require a perfect storm to accomplish such a thing in the first place.
True. Especially internal webapps on an intranet not properly parsing input before applying it to databases or file retrieval, and without proper permissions set. Although my experience is with small businesses that at most run one specialized piece of software, I know exactly what you mean.
But I was talking about how the most exploitable systems are typically because of admin error. Much of the software out there can be secured, given the admin has the knowledge required.
To give an example, although I can’t go into details for legal reasons, I’ll just say: specialist software package running on consumer machines (no group policy), server service running on unsecured desktop, typical usage in admin mode, multiple remote access software suites running, with a WEP wifi network whose key was given out to clients running on a mass-market consumer router with original logins. All user logins using easy to guess passwords. And the owner insists that everything has to stay the same. Had to walk away from that place because of the legal liabilities.
May 30, 2010, 9:46 pm
Randy says:
“I don’t think government lawyers would be useful even if you cut them into pieces and used them in a junk shot to plug the well.”
There is a new page on Facebook which argues that we could plug the oil well with copies of Ayn Rand’s books. It already has thousands of fans.
“Taking the power grid down for a week isn’t going to cause a health crisis, and the systems that matter generally have backup generators (and that includes not just hospitals and phone carriers.”
I disagree. If Americans have to go without cable or tv for more than a few days, they really go batcrazy. I’d hate to think of the rioting that would occur if it lasts beyond a few weeks. When a storm blew out power in a DC suburb a few years ago, everyone thought it was fun for the first few days — families reading by candle, playing Scrabble together, actually talking to one another. But after four or five days of this, they really were getting frazzled.
May 30, 2010, 11:09 pm
Sun Tzu's Nephew says:
I contend that private industry has motivations to prevent disruption of their operations while government has only motivation to increase in size.
Is there anything that the government does well? I’m all for defense, and the US has been remarkably successful….but it’s not done ‘well’ by any other objective measure, and even then it’s horribly inefficient (no, I don’t know how to do it more efficiently).
Everything else government does is done poorly. Is it your contention that this will be the one exception?
May 30, 2010, 11:14 pm
Sun Tzu's Nephew says:
No, not making them all the same. Making sure they’re as secure as possible.
This is important, because these systems aren’t all parallel and independent. Taking out one part of a SCADA system might interrupt communications between neighboring parts, disrupting them even though they weren’t hacked. In that vein, The Drill SGT is exactly correct. Hacking the internet-connected monitoring and control systems in newer elevators could effectively deny physical access to many large office towers. These are just a couple of many, many possibilities.
If you take down power alone, refrigerated food is gone within a few tens of hours. Water systems fail. People can’t pump fuel for emergency generators because the gas stations’ POS systems don’t work. You get into cascading failures, like the health crisis from lack of food and clean water meeting hospitals with no power.
It’s obvious that a lot of people here have no grasp of the issues here. I suggest reading a back volume of the RISKS Digest, or maybe two.
Last, it’s true that many networks are configured to localize failures and limit the extent of damage. However, some very important networks are not well-designed in this fashion, as we learned on 14 August 2003. An attacker who knows how to control something to make it (or the wider system of which it’s a part) fail can do a lot more damage with a hack than someone simply aiming to crash the control system. We can assume that a sophisticated military cyber-warfare unit will be in the first category.
The point of failure then is the large generating stations. A distributed environment of smaller generating stations with independent controls would work better.
My power company is remarkably reliable (for a rural service). In fact, the power goes out less often than it did when I lived in the So Cal ‘burbs….yet I still have our own generator, just in case.
Driving to Las Vegas from Los Angeles, or to Phoenix, you can see the power transmission lines from the freeway. Out there by themselves, essentially open targets. How hard would it be to disrupt a major portion of power to So Cal?
May 30, 2010, 11:21 pm
Chris Travers says:
Confused deputy problems are also remarkably common. For example, I’ve noticed few small-scale internal web apps have ANY anti-XSRF features. Basically the problem is that nobody reviews the approach to see what a malicious user COULD do or what a malicious third party could trick a user into doing (automatically or otherwise).
I like using SQL-Ledger as an example because pretty much every kind of vulnerability it has…. Here’s one example:
SQL Ledger runs a request by, among other things, caching user settings in an executable script (server-writeable) and running it on the next request. The program also has a template editor for editing invoice templates, stylesheets, and the like. It’s possible to trick the editor into:
1) Overwriting authentication information (passwords, etc)
2) Reading/writing these pre-user setting scripts (to add arbitrary code which would run next time the specified user loads a page)
Of course those could be the first step to a greater compromise of the server, financial app, and/or database manager. Of course with SQL-Ledger’s security, that’s not the easiest way to attack the system…. Note too these were reported to the software vendor a month before going public, and publicly reported YEARS ago, and still unpatched…..
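The comment above names two gaps: save requests accepted without any anti-XSRF token, and an editor that can be pointed at files outside its template directory. The following Python example is added here to show both checks in one save handler; it is not SQL-Ledger code (which is Perl) and not the commenter's, and every name, path and the allowed-suffix list in it is hypothetical.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".html", ".tex", ".css", ".txt"}  # assumed template types


class EditorError(Exception):
    """Raised when a save request is refused."""


def issue_token(server_key: bytes, session_id: str) -> str:
    """Anti-XSRF token bound to one session, embedded in the edit form."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def naive_target(template_root: Path, name: str) -> Path:
    """The pattern to avoid: trusts the submitted file name as-is."""
    return Path(os.path.join(template_root, name))


def confined_target(template_root: Path, name: str) -> Path:
    """Resolve the name and refuse anything outside the template directory."""
    root = template_root.resolve()
    try:
        # resolve() collapses ".." components and follows symlinks
        candidate = (root / name).resolve()
    except (ValueError, OSError) as exc:
        raise EditorError("invalid file name") from exc
    if root not in candidate.parents:
        raise EditorError("path escapes template directory")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise EditorError("file type not editable")
    return candidate


def save_template(server_key, session_id, token, template_root, name, content):
    """Handle one save request: check the token first, then the path."""
    expected = issue_token(server_key, session_id).encode()
    supplied = (token or "").encode()
    if not hmac.compare_digest(expected, supplied):
        raise EditorError("missing or invalid anti-XSRF token")
    target = confined_target(template_root, name)
    target.write_text(content)
    return target


def demo():
    """Constructed layout: templates/ beside a per-user settings file."""
    key = secrets.token_bytes(32)
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "templates"
        root.mkdir()
        settings = base / "users" / "alice.conf"  # hypothetical settings file
        settings.parent.mkdir()
        settings.write_text("theme=plain\n")
        os.symlink(settings, root / "link.html")  # link pointing out of root
        token = issue_token(key, "session-1")

        results = {
            "naive_escapes":
                naive_target(root, "../users/alice.conf").resolve()
                == settings.resolve()
        }
        cases = [
            ("ok", token, "invoice.html"),
            ("no_token", "", "invoice.html"),
            ("traversal", token, "../users/alice.conf"),
            ("absolute", token, str(settings)),
            ("symlink", token, "link.html"),
            ("bad_type", token, "hook.py"),
        ]
        for label, tok, name in cases:
            try:
                save_template(key, "session-1", tok, root, name, "edited")
                results[label] = "saved"
            except EditorError as exc:
                results[label] = str(exc)
        results["settings_intact"] = settings.read_text() == "theme=plain\n"
        return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Confining the editor does not change the other design choice described above, settings cached as a server-writable executable script; storing those settings as inert data removes the code-execution step entirely.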
May 30, 2010, 11:59 pm
Mike P Wagner says:
Good to learn something – I am a kernel developer who’s really watched security purely as a spectator for the last couple of decades.
I was a pretty low level developer for a volume manager on a B2 system a long time ago, so I sat through a lot of training. Other folks were doing the heavy lifting when it came to the mathematical modeling of the system. As I recall, my inspected some security attributes, occasionally queried some other subsystem for permission to do each operation based on those attributes, and passed those attributes along.
That training is most of what I actually know about security, and it’s pretty antiquated.
Thanks.
May 31, 2010, 12:14 am
Chris Travers says:
I often joke that the reason that the Soviet Union fell was that every job was a government job…..
May 31, 2010, 12:34 am
Paul Tarnowski says:
Sun Tzu’s Nephew says:
“Is there anything that the government does well? I’m all for defense, and the US has been remarkably successful….but it’s not done ‘well’ by any other objective measure, and even then it’s horribly inefficient (no, I don’t know how to do it more efficiently).”
I’d say it’s a matter of distributed versus centralized command and control. The military works well because it has a lot of leeway in command — it was learned, bloodily, that you can’t command the troops effectively from the rear. Whenever it’s tried, soldiers die unnecessarily.
Unfortunately, when the Federal government gets involved, local civilian authorities don’t have any of that autonomy. So Jindal has to get permission from the Feds for the Coast Guard to start diking the approaches to shore, because the Feds have to release the money, etc. It becomes a mess. Centralized government does not deal well with distributed problems. And cyber security is about as distributed as you can get.
Sun Tzu’s Nephew says:
“Driving to Las Vegas from Los Angeles, or to Phoenix, you can see the power transmission lines from the freeway. Out there by themselves, essentially open targets. How hard would it be to disrupt a major portion of power to So Cal?”
But how long would it stay down? Currently we suffer disruption from any number of calamities, most of them natural. Although it might make a good target for limited disruption, for how long would it disrupt? Most power companies are equipped to deal with recovery from natural disasters, and do so quite well. Certainly there can be localities which are not going to get power for weeks, but they are essentially in areas which are affected by power outages due to storms, flooding, blizzard, etc, and have the means to cope better than anyone else.
I’ll grant you that cities would not fare well without power for long…except to use your example, look what happened to the eastern seaboard 7 years ago. Power was back up that same evening in quite a few places. People survived well enough until power was restored everywhere two days later, and continued on limited power for several days after. I am not dismissing the possibility for concern, but just how bad could an attack be? Or more to the point, can you say that any attack that affected systems for less than 72 hours would be of any significant strategic benefit to the attacker? Certainly it would force buyers in the power sector to be properly familiar and expert on security concerns (which, to my knowledge, they’re not), and security audits all around. But the problems can be dealt with, easier than any problems you have with your computer, as it’s unlikely you run nightly backups.
An attack that caused actual physical damage would be different, but it would be unequivocally an act of war. ISPs around the world would be handing their user info over faster than you can say boo as their governments suddenly consider what would happen if somehow intelligence came in that they were the ones that set it off. Everyone remembers Iraq. The world would be holding its collective breath. I say this because I knew the American character quite a while ago, foresaw both Afghanistan (AQ was going to hit the US at some point, retaliation was inevitable) and Iraq, and you guys are like a bulldog regardless of who’s in power (and especially if they want to stay in power). You get tired of dealing with the fleas fast enough, but if someone should draw any real amounts of blood in one go, you’ll go after them like mad dogs.
Now, there are three differences between a cyber attack and a natural disaster that has an equivalent effect: 1) one is directed and the other is not, 2) one can affect any system within a geographical area, the other can only affect systems that are vulnerable or made vulnerable through a vulnerable system, and 3) one has a physical effect outside of the system, one does not. Hands up for which will more often be worse.
What I find out of proportion, really, is to compare this to the Deepwater oil spill. The Deepwater oil spill is a major problem in which any response is limited because of physics and chemistry; this is limited to how much intelligence can be thrown at the problem, both before and after the fact.
Not surprised, considering my experience with clients. There is a real need for many not to get ahead of problems, whether it’s software, hardware, or password choice. I’ve recently had to try to answer in laymen’s terms why clients should take security more seriously. The common question is: but why would anyone try to attack me? No one thinks they can be a victim until it happens, then they get paranoid. People are silly that way.
:cough: My response to Sun Tzu’s Nephew notwithstanding, of course.
PS> Actually, thinking about it, Canada is a more likely initial target than America for a full-blown attack in North America.
May 31, 2010, 12:39 am
john deleon says:
Mr. Baker,
Well, it looks like you had a few minutes to “shotgun blast” your thoughts around the oil and cyber business. The wording and subjects seemed all over the place intentionally without any real statement based on real facts and experience.
So it seemed with the numerous responses posted as well.
I didn’t read anything from you that wasn’t based solely on something sent via the cyber systems you and the others are so critical of.
Nor did I see any evidence that you or any other “poster” has had any first hand knowledge, experience or training in the oil business, the government business or any related activities that would provide you some solid background to really know what you are talking about. Looks like you guys get your info from others’ thoughts, concepts, suggestions, cyber nets and the media you are criticizing.
I have over 40 years in military, government, private sector activities involving extraordinary and unusual businesses. Without a doubt I know you, the posters and myself do not operate anywhere near the global level of what we are seeing and hearing about.
For example: How many oil lobbyists are there, for how long, who is on their payroll, who pays the lobbyists, who pays or controls the payor? Is it countries, companies, governments or a combination of all? Why is it that the oil platforms in the gulf are the only ones who do not have to install the $500,000 per unit safety shutoff valves that every other platform on the planet has to do? Hmmmmm! So many other things in play to control the flow of power on the planet…do you know the players, the real players? Do you or any poster know just one? You really believe that a cyber war will “doom” the planet? You don’t say or hint at this being an insignificant piece of the action.
There is just too much we do not have any idea of as to whether or not it is real or imagined. I do agree, the fallout damage to the gulf is horrific and with no solution ready for implementation. (Or is there?) But there seems to be a lot of so called “experts” getting a lot of facetime on the media in order to promote their books, careers and the fear factor for those who do not operate at a global level.
Well, have a nice day…whenever you can. You a businessman, oilman, government man, special ops man or a teacher man?
May 31, 2010, 3:03 am
waymad says:
Keep up the good work, Stewart, and ignore the flak.
The current texts in this field include P W Singer’s ‘Wired for War’, and in the fictional genre, Daniel Suarez’ ‘Daemon’ and ‘Freedom’.
And for all those happy types who want to wish this away, ponder this.
Do you know who built the chips inside your router, car EMU, phone, camera, or utility SCADA system?
Have you certified proof that they contain no malware, trapdoors, self-destruct etc at pure silicon level?
Thought not.
So just what’s stopping someone who is privy to those codes and their method of activation, using them?
Not much. Perhaps just the right circumstances, where, in John Robb’s terms, the ROI is sufficient. And a final thought: google ‘systempunkt’ (another JR/Global Guerillas term).
And, of course, sleep well…..
May 31, 2010, 3:19 am
haha rimshot says:
Guess I hit a nerve.
May 31, 2010, 5:20 am
Engineer-Poet says:
Just wave a magic wand and replace all our gigawatt-scale coal and nuclear plants with decentralized systems, eh? Running on what? Coordinated how? Getting the additional fuel needed due to lower efficiency from where? (“… simple, neat and wrong.”)
The plants aren’t the only vulnerable thing. Major transformers are vulnerable too, and we don’t have the manufacturing capability to make new ones with lead times less than months. Natural phenomena like the Carrington Event could do more damage than a cyber-attack. We have to harden our systems against these things, and government is the only agency with the ability to look forward and allocate the costs of doing it.
May 31, 2010, 8:55 am
Sun Tzu's Nephew says:
Take out a few towers, or a few transformers and it will take long enough to replace them: They don’t grow on desert bushes. Coordinate an attack around several different grids and how much trouble do you think the So Cal Metroplex would be in? Throw in an attack against water distribution and things will REALLY be miserable in the city.
May 31, 2010, 10:20 am
Sun Tzu's Nephew says:
Replace them with smaller nuke generating stations, or smaller gas plants like VW has developed. Don’t put SCADA on the net for them, without really good security that requires human intervention on top of remote control.
I’d be happy with one of Toshiba’s 4S reactors http://www.nrc.gov/reactors/advanced/4s.html in my neighborhood. We don’t have natural gas distribution in my area so the VW choice wouldn’t be practical for us, when I lived in the city I’d have been glad to have one in the neighborhood.
May 31, 2010, 10:26 am
Chris Travers says:
There are, however, some opportunities for decentralized power generation including methane composters for manure at dairy farms, wind, solar, etc. This wouldn’t replace the centralized plants but it would free up resources and some of the power sources might actually have a net positive environmental impact (methane vs products of its combustion, for example). Furthermore small regional power plants running on biomass that farms might otherwise just burn off might not be a bad idea, though at least where I live, we use a lot of this to heat homes…..
I think more decentralized power would be a good thing. However, I’m not naive enough to think the whole thing could be fully decentralized.
May 31, 2010, 2:25 pm
Engineer-Poet says:
Very true (though scheduling is an issue; I haven’t yet heard of any plants at dairy farms which included methane storage, so they have to use it as it’s generated). However, staying off my hobby-horse (check my blog, I dare ya), none of these resources addresses the issue of disrupted control systems or damaged equipment on the grid.
May 31, 2010, 7:22 pm
Chris Travers says:
That’s all true. OTOH, the methane, given optimal conditions, should be reasonably constant (in that the manure which is composted is a constantly renewed resource). Seasonal biomass-based generators would require more work in this area.
Disruption of control systems or damaged equipment is a much harder problem to solve, esp. because the interdependence issues make this difficult. There’s been a lot of promising research into use of superconductors in this area (which could provide some forms of automatic failsafes). There was an IEEE Spectrum article on this some time ago.
June 1, 2010, 12:09 pm
dll111 says:
You’re thinking of Redford’s “Hackers,” and it was quite a good movie.
June 1, 2010, 3:24 pm
Pat Cahalan says:
@ waymad
“Do you know who built the chips inside your router, car EMU, phone, camera, or utility SCADA system?”
Yes, actually. So does three-quarters of the geek squad who subscribes to Make. You don’t know many hard-k0r3 nerds.
“Have you certified proof that they contain no malware, trapdoors, self-destruct etc at pure silicon level?”
Define “certified proof”?
I’ve seen a bunch of this stuff disassembled on workbenches and hacked at by geniuses with logic analyzers and other nefarious gadgetry. If none of them have come across anything diabolical while trying to bypass TPM and chip-level encryption (ever)… I’m thinking it’s within a reasonable delta of “zero” probability that this is common behavior.
Sure, there’s possibly embedded badness in a chip somewhere. It’s virtually guaranteed to be a floating point error put in by mistake, not a “press ‘here’ to 0wnz3r b14tch3z” button.
@ OP
“Hostile nations are probably already seeding our privately owned infrastructure with logic bombs and malware designed to shut down critical services — power, telecom, Internet, banks, water and sewage.”
Horsefeathers. Some of your analysis is worthwhile reading, but it is lines like this that lead me to take your overall writings as either seriously lacking in real technical expertise or deliberately salted with baloney for political or psych warfare purposes.
Hostile nations are certainly modeling networks. Hostile nations are certainly hacking the kernel of embedded operating systems. Hostile nations are certainly looking at standard implementations of internet protocols, to see if they can devise a way to exploit that under the appropriate circumstances.
Guess what? Right now we’re doing that, too.
They’re not dumping code inside the power grid, right now, today. Because they’ll get caught between now and when they’d want to use it. That’s insanity; you give up your capability to the other side without any benefit.
Yes, the average network is subornable (you don’t even need to be a good technologist, you just need good social hacking skills and a reasonable skillset).
It is not, however, subject to a magic nuclear blast that will flatline the whole Internet – even some of the major weaknesses couldn’t be leveraged against the whole thing simultaneously, affecting the network in anything resembling perpetuity. If Estonia had known what to cut and how, they could have cut off most of the incoming attacks during their little event.
If China started attacking the U.S. directly, all traffic from behind the Great Firewall would be roundfiled within short order. Distributed agents (think semi-autonomous botnets) would probably still exist, but they’d be cut off from the CnC network, so they could only continue to do what they were programmed to do – wreak confusion while the actual, yanno, *bombs* do damage.
Yes, it would suck. Yes, a lot of damage could be done. It’s even conceivable that real damage could be done (think blowout valves tripping, turbines cranking themselves past fault tolerance, traffic grids locking green, etc). Making all this work in a way that would be, in and of itself, a critical fault would be unlikely in the extreme. Manual overrides would be thrown. Networks would drop off mostly intact, and come back online. Failsafes would kick in, etc.
June 1, 2010, 9:07 pm
Dave says:
The author, like Obama, clearly has little knowledge of the industries cited. That aside, the fact that businesses are diverse is actually a good thing. It means that an attack on Verizon’s network only takes down Verizon, rather than everyone else too–as it would in a system even more centralized and regulated by the government than it already is.
June 2, 2010, 9:01 am
Pat Cahalan says:
@ Dave
Most of the major telecommunications companies use essentially the same technologies. COTS software is everywhere. I’ve seen Windows workstations running control software for factories, something that didn’t happen 20 years ago.
The problem is, they all use it different ways. You can probably use roughly the same toolkits to break into Verizon as you would to break into BofA, Sprint, and Wal-Mart, at least to some degree (it would have to be an incredibly diverse toolkit, however).
However, once you’re in, you don’t own the whole thing. Getting to the information you want (or the network kill switch, or the IOS that opens the floodgates, etc.) requires a different path of exploitation to get to your end goal. It would be very difficult to automate a real penetration mechanism, actually directing such an attack against multiple targets requires a very high degree of skill. You can build a worm that hacks a bunch of boxes with the same vulnerability, but rooted boxes don’t do you any good if you don’t actually tell them what to do.
Sure, you can simply flood the network with traffic, but at the present time most of the major backbones for the Internet still operate inside the boundaries of the U.S.; we could cut off large chunks of the world. If you’re using a botnet that’s geographically located in the U.S., we can cut off the ISP(s) hosting the subnets that those botnets live on until we get things back under control.
Note: even if every telecommunications company was under complete government control, this would not present a major hurdle to hacking everything (or an advantage, either). Systems this complex simply don’t work that way.
When Global Crossing bought part of Exodus Communication’s assets, they still hadn’t merged all of it together by the time GC declared bankruptcy. You can’t take an organization with billions of dollars of capital assets and technology and flip a switch and make it like everybody else. There’s a reason COBOL programmers actually had work from 1997 and 2000.
Tighter regulation of the telecommunications industry would not increase technical risk, that’s crazy-talk. Requiring common reporting and audit mechanism may (highly stress “may” here) introduce social engineering vectors that would work in multiple companies, but it’s certainly the case that it would improve actual exposed code security. SOX, for example, is a ridiculous pain in the ass, but it doesn’t make you *less* secure.
Now, it might be a bad idea for a whole slew of reasons, but security isn’t one of them.
June 2, 2010, 11:08 am
Chris Travers says:
I know COBOL programmers who still have work TODAY…..
There are two additional problems here:
Most larger networks are built to contain threats. What this means is that attacking a network is often fruitful for espionage purposes, but compromising it via cyberwar is quite another thing. So p0wning a bunch of systems does no good if they aren’t the right systems to effect the attack.
Secondly, while social engineering often works, it may not work against the people who maintain the most security-sensitive devices. So yes, you could compromise a network. However disrupting it would take more effort still, and massive disruptions might not be directly possible with social engineering.
This is true. However, it wouldn’t solve the problem that Stewart is talking about either, which is that these things are complex enough the government can’t just send out agents to fix a problem once it happens. I would further point out that the best initiatives in this area are actually private regulatory efforts, like PCI-DSS.
(As an aside, my first reading of your last sentence was about SOX, the software, which is also a ridiculous PITA but probably not exploitable ;-)
June 2, 2010, 11:38 am
Chris Pugrud says:
I started focusing on computer security as a career back when power control SCADA systems started getting connected to corporate networks and the Internet at the demand of the federal government. The fed.gov demanded opening up the transmission market for competitive access, which led to previously closed, air-gap security, networks being made much more vulnerable through connection to other networks.
That focus on learning how to build “secure” networks took me through companies large and small, the .com bubble, and onto government and military network security. I hope I’ve learned a few things about security over the years. I do not think that either government or private industry has a monopoly on good security practices, they just go about things in slightly different manners.
While the cyberwar industry makes for entertaining movies and books, they are dependent on the assumptive premise that western civilization will completely collapse after two to three days (or weeks) of life without the Internet, or the television, or power. Cyberwar is not a cold war or something unto itself, it has only proven effective as a prelude, used to stun and confuse a population during an actual, physical, attack.
Computer security, or information assurance, or smart business, is about managing risk. No mere computer attack could wipe out everyone’s credit card debt, only a destruction of the debt collection mechanisms, society at large, could wipe out your credit card debt. In the face of catastrophe, people are going to be far more worried about food, survival, and shelter than their mortgage payment.
When lives are at stake, organizations build redundant, physically separated (air gapped) networks to increase security and lower risk. Data is kept in multiple locations, including offline and off grid locations that are not subject to the effects of the risks being guarded against.
If you truly want to believe that civilization will completely collapse in a psychotic fit of withdrawal from the Internet, you really need to unplug and take a vacation somewhere with no Internet. Bonus points for vacationing in a place with no phones or no power.
June 2, 2010, 3:20 pm