When Senators Lieberman, Collins, and Carper proposed legislation last week to deal with the risk of a large-scale attack on our computer infrastructure, the libertarian-privacy attack was not long in coming.  Declan McCullagh, a committed libertarian journalist for Cnet, posted a long story full of angst about the bill.

It would, he said, “grant the president far-reaching emergency powers to seize control of or even shut down portions of the Internet.” He claimed that, under the bill, “companies such as broadband providers, search engines, or software firms that the government selects ‘shall immediately comply with any emergency measure or action developed’ by the Department of Homeland Security. Anyone failing to comply would be fined.”  Warrantless wiretapping is excluded as an emergency power.

“Because there are few limits on the president’s emergency power, which can be renewed indefinitely,” McCullagh predicted (and pretty obviously hoped), “the bill is likely to encounter stiff opposition.”  He cited concerns expressed by TechAmerica, the Center for Democracy and Technology, and the Cato Institute.

On one technical but important point, Declan may have misread the bill.  He seems to think (judging from a post of his on Dave Farber’s list) that the bill would impose obligations on any company for which the telephone system or Internet is “essential.” I assume that’s why he says that search engines are covered by the bill.  I doubt that they are, because the bill in fact applies to a relatively limited set of critical facilities — and to the information infrastructure on which those facilities depend.

So, if operators of our power grid are dumb enough to run their systems by relying on the Internet and Windows XP, then the bill’s authority to order emergency measures would apply to the providers of electric power, to their ISPs, and to Microsoft.  Otherwise the ISPs and Microsoft are in the clear.  As for the rest of us, including our search engines, we’re in the clear from the start.

The broader issue is whether Declan is right to hate the bill.  Certainly the privacy-industrial complex is gearing up for a scare campaign.  But I think it’s fair to ask the privacy campaigners two questions before joining them in chanting “Internet kill switch.”

First, do they believe that foreign governments can’t attack networks that are essential to our lives? Frankly, I don’t think there’s anyone with an ounce of technical savvy who thinks such an attack is impossible, or even improbable.  I laid out the case for that risk in chapter 9 of Skating on Stilts:

If you’re a foreign government, breaking into U.S. networks is a twofer. You can start by stealing secrets. But if push comes to shove, you can use your access to destroy the same systems you’ve been exploiting. Corrupt the backup files, then bring the whole system down. Or start randomly changing data and emails until no one can trust anything in the system. It wouldn’t take much to create chaos. The financial crisis of 2008 became a panic when bankers began to disbelieve each other. No one trusted the other guy’s books, so they stopped lending, and the world crashed. Could that same mistrust be created by modifying or destroying a few firms’ computer accounting and trading records? We probably don’t want to find out.

It’s no secret how to fight a war against the United States. Slow us down, then cause us pain at home and wait for antiwar sentiment to grow. Cyberattacks are ideal for that strategy. Everything in the country, from flight plans and phone calls to pipelines and traffic lights, is controlled by networks susceptible to attack. A determined, state-sponsored attacker could bring them all down—and blame it on some hacker liberation front so we wouldn’t even know whom to bomb.

(I have posted all of chapter 9 in an easily accessible archive for www.skatingonstilts.com. The excerpt is licensed for free copying and distribution.)

So if the answer to my first question is yes, an attack is possible, my second question is “Who do you think should take action in response to the attack?”  Cato Institute?  TechAmerica?

Fat chance.

As the BP oil spill shows, companies are quite capable of setting the stage for catastrophes well beyond their ability to remedy.  We properly expect the government to regulate companies to address risks that can’t be internalized by the companies taking the risks.  And when disaster strikes despite those efforts, we expect the President to have the authority to respond.

If another country launches a computer network attack on US infrastructure, do we want the President to look as helpless as he looks today in response to the BP spill?  Remember, he won’t be looking helplessly at a few tarballs on the beach; in a worst-case emergency, he might be looking helplessly at a country that lacks power, working phones, and maybe even a reliable financial system.

If that happens, Declan McCullagh, the Cato Institute, and TechAmerica won’t even be returning your phone calls.

    65 Comments

    1. J.T. Wenting says:

      Like it or not, this bill has only 2 reasons to exist:
      1) giving the government the right and capability to impose censorship
      2) giving the government the right and capability to limit access to the internet by those it doesn’t like

      Both are in violation of the constitution as both limit freedom of expression.

    2. Steven Den Beste says:

      I would rather trust someone who sees it as his mission to increase the flow of information as much as possible, instead of someone who has a vested interest in keeping it throttled.

      So if there is an attack, I’d rather trust the technical people at Level3 and the other backbone operators than to trust the US government. I would say that even if it was 100% certain it would take them longer to solve the problem.

    3. Guy says:

      the privacy-industrial complex

      Which industry are we talking about here?

    4. methodact says:

      One of the most profound works I have ever written, outlined what civilization itself might become, by preserving the Internet, and also, my original ideas in how to do so. EV immediately deleted the text, and banned me, whereupon, the House abruptly passed the Cyber Security Bill, within a matter of hours, almost like they were horrified of those ideas.

      Your framing of “privacy industrial complex”, is pejorative and belies any real objectivity and telegraphs the camp you are in.

    5. OrenWithAnE says:

      In addition to getting out of my pants, away from my gun cabinet and out of my wallet, I now must campaign to keep the government off my computer.

      Lovely.

    6. John Bragg says:

      “do we want the President to look as helpless as he looks today in response to the BP spill?”

      After a critical cyberattack, our President won’t look like anything, because there will be no functioning TV, or internet for him to appear on. Any communication would be verbal only, either by radio or by improvised text-only telegraphs.

      If there is a crisis, and DHS has a credible plan, industry will accept the plan with or without prior legal authorization. More likely, as in Katrina, the Gulf oil spill, the Iraq occupation and stopping the Iranian nuclear program, the government will not have a credible plan, but this bill will allow them to grab power anyway.

    7. John Thacker says:

      If another country launches a computer network attack on US infrastructure, do we want the President to look as helpless as he looks today in response to the BP spill?

      But the President has the authority necessary to respond to the BP spill. From which I can only conclude that you’re arguing that even if we do give the President this power, he’ll still muck it up.

      It simply wouldn’t make sense for you to argue that since the President has screwed up something over which he has sufficient power, that he should therefore be given power over something else.

    8. Monty says:

      So, if operators of our power grid are dumb enough to run their systems by relying on the Internet and Windows XP, then the bill’s authority to order emergency measures would apply to the providers of electric power, to their ISPs, and to Microsoft. Otherwise the ISPs and Microsoft are in the clear. As for the rest of us, including our search engines, we’re in the clear from the start.

      If power company packets are routed through tier 1 ISPs, would those ISPs also be subject to the President’s power to shutdown ‘portions’ of the internet? If the president has authority over the core backbone providers because critical data flows through them, the president for most purposes has control over the internet in the US. Sure some traffic may find its way around the shutdown tier one backbone, but the secondary routes would be flooded into uselessness.

    9. Guy says:

      If another country launches a computer network attack on US infrastructure, do we want the President to look as helpless as he looks today in response to the BP spill?

      Some of us believe that the President has the inherent authority to defend the nation, the Constitution, and its laws in times of truly extraordinary emergency, when he is faced with absolute necessity, and that statutory emergency provisions merely encourage abuse.

    10. Nate says:

      Here are a couple of novel ideas.
      Make it illegal to tie critical infrastructure to the Internet.
      Fund academia and non-profits to develop more secure Internet protocols.

    11. PeteP says:

      JTW – you couldn’t be more right, or more wrong.

      Yes, the government will undoubtedly find ways to abuse the power, and screw things up generally. It’s what they do best, they’ve been practising it for centuries. However, we give them really big bombs and planes and other stuff to kill people with, too. This new bill is hardly in that class. And SOMEONE has to have the ability to ‘do what’s needed’ when ( not if ) the Big One cyber-attack comes. It’s an irresistible target for anyone wanting to harm America, be it the anarchists, the jihadists, or anyone else. It’s the poor man’s nuke, all it takes is a small computer and time. Like prisoners who have nothing to do all day except think about ways to cause problems in jail, there are many millions more out there who have nothing to do but try to think up ways to screw America up. They have computers, and lifetimes to sit in their darkened little rooms working on them.

      Sadly, on the flip side, there are those in government ( and always will be ) like Cass Sunstein, Genkowski, et al who will want to take this power and use it to force their social agendae on the country.

      Steve DB – “I would rather trust someone who sees it as his mission to increase the flow of information as much as possible, instead of someone who has a vested interest in keeping it throttled.” So then, you feel that our national security is best served by Wikileaks, for example ?

    12. Gene Hoffman says:

      Stewart,

      You never did acknowledge that the attack you base your worst case scenario upon happened in the last week of 2009 and, though annoying, not much happened beyond Google pulling out of China.

      All critical US infrastructure is under attack every hour. Sometimes those attacks rise to Nation/State. In reality, those of us responsible handle those attacks like you handle your book promotion here.

      -Gene

    13. cls says:

      Did some alien pod take over the site? I thought I had come to Big Brother Central, not to the Volokh conspiracy. If I wanted derision of privacy I could go elsewhere. I come here looking for liberty-inclined information on law and policy, not put downs for those worried about civil liberties.

    14. Nocomment says:

      cls: Did some alien pod take over the site? I thought I had come to Big Brother Central, not to the Volokh conspiracy. If I wanted derision of privacy I could go elsewhere. I come here looking for liberty-inclined information on law and policy, not put downs for those worried about civil liberties.

      +1

    15. Chris Travers says:

      Corrupt the backup files, then bring the whole system down. Or start randomly changing data and emails until no one can trust anything in the system. It wouldn’t take much to create chaos. The financial crisis of 2008 became a panic when bankers began to disbelieve each other. No one trusted the other guy’s books, so they stopped lending, and the world crashed. Could that same mistrust be created by modifying or destroying a few firms’ computer accounting and trading records? We probably don’t want to find out.

      I think you are missing something fairly critical in this scenario. This sort of attack is VERY labor intensive. You can’t just start changing emails without being detected unless you have spent a fair bit of time reading them so you know what’s going to seem out of context. Similarly, attacking a financial system for even a midsize poses even more problems because the data is reviewed so many times. Such an attack can’t work unless the fake data is believable and difficult to differentiate from the real data. And unless you get EVERYTHING (including bank records, perhaps on read-only optical disks) I am having trouble determining how this could be done to a single midsized firm, much less a number of large firms. There are a number of further difficulties in pulling this off including reaching this sort of critical system and elevating permissions above what any sane accounting system will allow (i.e. you can’t do it from within the accounting system itself but you’d have to attack it on a lower level).

      Furthermore if such an attack was carried out successfully, any emergency response would be too late to stop further attacks. One might not even be able to trace the attack properly in the first place because it might not be discovered until months later. So if this is the problem, emergency powers are not the answer. The only answer would have to be technological changes to accounting systems (such as having users digitally sign records with private keys, and the private keys stored externally).

      I really think these bills that would grant emergency powers in this way are simply solutions in search of problems. I don’t like to think about what “problems” they’d actually “solve.”

    16. Chris Travers says:

      I’d point out that financial systems have a tremendous amount of error checking built in. It’s certainly possible to alter the data in a believable way, but it’s remarkably difficult to do this without being caught at least by year-end, and without making it reasonably possible to track down the altered transactions without too much trouble.

    17. Chris Travers says:

      Gene Hoffman: All critical US infrastructure is under attack every hour. Sometimes those attacks rise to Nation/State. In reality, those of us responsible handle those attacks like you handle your book promotion here.

      We’re better than that!

    18. Avatar says:

      If you’re worried about massive attack from foreign locations, concentrate -on the foreign locations-. It’s not like the Chinese (and let’s say “the Chinese”; nobody’s pretending any other foreign governments are even interested in this kind of shenanigan) can teleport their packets into Topeka, Kansas to run amok. Internet traffic runs over physical infrastructure. Nations don’t have infinite transition points between their data networks; this is very true of China. If the President were to determine that the US was under Chinese cyberattack, the correct response isn’t to go to every American and say “okay, unplug your internet”; it would be to put China off the internet.

      I’d honestly be surprised if we hadn’t already mined the major trans-Pacific cables. It sounds like the sort of thing that would be good training for a submarine crew…

      Even so, imagining that someone could deliver a lethal cyberattack against US systems like that… it’d be like trying to use anthrax against a plague ward. The trick wouldn’t be succeeding, but even getting us to notice that we were under attack, under the tremendous tide of attacks that goes on every day, against essentially every computer that’s hooked up to the Internet. The resources of a government aren’t particularly helpful for such an attack vector – they’re more likely to assist with physical access or social engineering.

      It’s also the sort of thing that’s likely to deliver very little benefit, but cause massive problems if it’s uncovered. Ask the Germans about the Zimmermann telegram.

    19. Josh Bornstein says:

      methodact says:

      One of the most profound works I have ever written, outlined what civilization itself might become, by preserving the Internet, and also, my original ideas in how to do so. EV immediately deleted the text, and banned me, whereupon, the House abruptly passed the Cyber Security Bill, within a matter of hours, almost like they were horrified of those ideas.

      This is my favorite post on VC, EVER!!! I can’t tell if it’s satire (if so, I apologize, and doff my cap to you in admiration), or if Methodact is being serious. Did you really write that glowing review about your own writing? Wow. The mind boggles.

    20. Adam C says:

      Agree completely with Chris. The post is advocating a policy change in order to counter an “attack” without any technical explanation as to how such an attack might occur. I suppose we should also give the President the power to force us to undergo lobotomy, since there are people trying to control our minds right this instant.

      It’s not that there isn’t any precedent to get surprised by a big gap in your defense. For instance, a timing attack was discovered against (some) SSL implementations a while back — which was quite a surprise, because it _did_ affect an enormous number of systems — and yet nothing came of it. There was a patch, there was scrambling, and nobody ever managed to actually beat the crap out of an SSL server long enough to profit from it.

      Most attacks are small and target unhardened systems by necessity. It’s not like you can just fire up your favorite buffer-overrun-exploiter, or number field sieve and take control of the Federal Reserve. (I guess Robert Redford managed it…) And, supposing you did, you would not get away with much before somebody stopped it. Annoying, potentially embarrassing, even damaging? Sure. Catastrophic, warranting the President to declare “martial law on the internet”? You have to be kidding… (Robert Redford was.)

    21. Brett Bellmore says:

      Actually, I WOULD trust the Cato Institute more than the government, in the event of a cyber attack, because I’d at least have some reason to believe they didn’t mean to come out of it with police state powers.

      But, seriously, the key to dealing with these attacks is what you do before them, not after. If the government wants to help, maybe it could ease up on going after Microsoft for anti-trust, and start going after them for inserting back doors into their OS? “The anti-Back-door act of 2010”, has a ring to it…

      And preemptively, why don’t we do our own cyber attacks on our own nation, to find the vulnerabilities? Maybe if somebody who logged onto the internet over a cable modem with their anti-viral software expired got their computer frozen, with a flashing message, “Update your security, dufus!”, instead of being recruited into a bot-net and thinking things were fine, we’d be a bit more secure.

      And, yeah, maybe it should be illegal to run critical infrastructure over the internet…

    22. Chris Travers says:

      Brett Bellmore: If the government wants to help, maybe it could ease up on going after Microsoft for anti-trust, and start going after them for inserting back doors into their OS?

      Do a search on the string NSAKEY……

    23. PersonFromPorlock says:

      …the bill in fact applies to a relatively limited set of critical facilities — and to the information infrastructure on which those facilities depend.

      Kinda like the Commerce Clause, then?

    24. steve s says:

      We have been attacked on an ongoing basis for years. We have responded fairly well so far. The military has been working for a couple of years now to put together a cyber command unit. IOW, the government has been working on this for a while. It is a tough problem with our open infrastructure. We will always be partially open to attack, just like we will be to physical attack with our huge borders.

      Since no one here appears to follow the work of DARPA, no one seems to appreciate the anti-government spiels when it comes to comments about the internet.

      “And, yeah, maybe it should be illegal to run critical infrastructure over the internet…”

      Sigh, so difficult to be a philosophically consistent libertarian. (Apologies if you are not of libertarian ilk.)

    25. Jim Fleming says:

      What is THE.Internet?

      S.C.U.B.A – Self-Contained UNIX BroadBand Apparatus

      Co-Location companies with vocal fat nerds selling IPv6 hosting in A/C.Cabinets is not THE.Internet. The.CLOUD is not THE.Internet. Frat.Boys running the I*star*.Domain.Name.Theatres are not THE.Internet.

      [When all you have is a hammer, everything looks like a nail.] DNS is an old hammer.
      People have allowed a punk without a high-school education to dominate the DNS
      and IPv4 address allocations. Is he smart ? Are they fools ? Is that THE.Internet ?

      S.C.U.B.A – Self-Contained UNIX BroadBand Apparatus

      WRT-160N – $50 – Self-Contained ? Needs 12vDC – UNIX ? Yes – BroadBand ? Sort-Of Apparatus ? Looks-Shiny & Slick

      WRT-160N.MESH – 10 units ? – $50×10 = $500 – Wireless – Self-Contained ? Flash Storage

      What is THE.Internet? What is Banking? What is Money? What has value?

      Can one DVD contain the names & IDs of all the “Important.People” in the world ?

      S.C.U.B.A – Self-Contained UNIX BroadBand Apparatus

    26. Brett Bellmore says:

      PersonFromPorlock:
      Kinda like the Commerce Clause, then?

      That was my impression, yes. Heck of a world where, when somebody buying your product and using it stupidly puts you under the government’s heel.

    27. Brett Bellmore says:

      steve s: Sigh, so difficult to be a philosophically consistent libertarian. (Apologies if you are not of libertarian ilk.)

      I was thinking in terms of government regulated, and often run, utilities. I’d certainly oppose the government having the power to declare a private company ‘critical’, and take command of it.

    28. Nick42 says:

      While I’m completely willing to admit that many industries lack the level of security they really should have, I don’t think this is the way to get there. First of all, if the bill removes civil liability for breaches, as McCullagh states, it would be a huge step backwards. Not becoming another Heartland Payment Systems (with tens or hundreds of millions of dollars in breach related expenses) is the fear that’s going to drive real security spending.

      If this “critical infrastructure” (is that term even defined in the bill? Or is Congress passing the buck again?) is so critical then it’s already regulated. Those industries’ security needs should be regulated by existing regulatory bodies. That way you might actually get requirements tied to the actual threats that industry is facing, not just a generalized list of best practices. You want SCADA (industrial & power plant control) systems airgapped, have the utility regulatory bodies require it.

      The comments about looking to Cato for network defense are just a distraction, as is the comparison to the BP oil spill. If you think the government is suited or able to dictate tactics during incident response, just go watch Cyber Shockwave. That exercise is one of the scariest things I’ve seen in a long time.

    29. Rich says:

      For anyone’s information the electric companies are already looking to use the internet to control the power grid. Many of us in the industry see this as folly while others of course do not. Personally the last few of our blackouts have been root caused by failure to maintain the right of way and the equipment but made much worse by automation failing to work at critical times.
      I have been in the computer industry for 36 years now and while I appreciate the computers that run my car, my brand new Escape just had a recall to load a new transmission control program.
      As we say a human can mess up a system but it really takes a computer to “F” it up

    30. Chris Travers says:

      Nick42: If you think the government is suited or able to dictate tactics during incident response, just go watch Cyber Shockwave. That exercise is one of the scariest things I’ve seen in a long time.

      It also has some critical errors. Even if the PSTN was compromised, it wouldn’t lead to ATC outages since these have a backup network running over point to point microwave links (yes, primary information exchange is over POTS leased lines, but backup systems are not).

      Rich: For anyone’s information the electric companies are already looking to use the internet to control the power grid. Many of us in the industry see this as folly while others of course do not. Personally the last few of our blackouts have been root caused by failure to maintain the right of way and the equipment but made much worse by automation failing to work at critical times.

      I don’t know enough about electric control systems to know whether the internet is fundamentally a bad match or not. While it is not entirely foolproof, it IS possible to create a system that isn’t particularly vulnerable to compromise over the internet but doing so usually makes it more susceptible to denial of service attacks (in a fixed network this can be mitigated to some extent but not entirely eliminated). The question is how much of an outage in control streams is tolerable. Again, I don’t know the systems well enough to comment.

      I have been in the computer industry for 36 years now and while I appreciate the computers that run my car, my brand new Escape just had a recall to load a new transmission control program.
      As we say a human can mess up a system but it really takes a computer to “F” it up

      This brings up a more interesting issue regarding automation generally. There’s growing evidence that people trust highly automated systems more than they should, and that when things go wrong, they are also more abstracted from the problem, making it harder to correct in a timely fashion. There was an IEEE Spectrum article a while back titled “Automated to Death” which discussed this problem in detail. But this isn’t just a problem with power grids. It’s a problem with automobiles, airlines, trains, and all sorts of other things.

      And while we are at it, we could fret about SS7oIP…..

    31. J.T. Wenting says:

      PeteP: Yes, the government will undoubtedly find ways to abuse the power, and screw things up generally. It’s what they do best, they’ve been practising it for centuries. However, we give them really big bombs and planes and other stuff to kill people with, too. This new bill is hardly in that class. And SOMEONE has to have the ability to ‘do what’s needed’ when ( not if ) the Big One cyber-attack comes.

      If that comes it’s an act of war and should be treated as such.
      But like it or not, the government (any government, anywhere, at any time in history or presumably future) has as its main goal only the increase of its own powers.
      As such, any plan that would grant them more “emergency” powers has to be viewed with extreme caution as it’s just an excuse for another power grab.
      Soon that emergency will be permanent, and the “temporary restriction” a permanent one.
      The US constitution was a great idea, but has been utterly derailed and the fact that the US government is even considering something like this shows that clearly.
      Being policed by a government agency, and giving that government the power to change it pretty much at will is of course going to ensure it will get so corrupted.

    32. stewart baker says:

      Chris Travers and others argue that private security measures are doing the job, and that the government’s help isn’t needed. I’m pretty skeptical. To say that foreign governments can’t corrupt financial data because the job is labor-intensive seems a little Dr. Evilish: “Why you’d have to have a population of a BILLION PEOPLE to pull that off! Bwah-ha-ha! Ridiculous!” And to say that all the errors would be corrected at the end of the fiscal year doesn’t really take account of how fast markets can lose confidence in institutions, which seems to be measured in days, if not hours.

      I’m more persuaded by John Thacker’s argument that the BP analogy isn’t quite right. It’s certainly true that the government had authority to regulate BP and has authority today to order BP to take additional measures. In dealing with cyberattacks, the government has neither authority, though the Lieberman-Collins-Carper bill would make a start on filling both gaps. My best quick response to John Thacker is that, even with broad authorities, the President hasn’t been able to deal effectively with the BP spill, so it’s virtually certain that he wouldn’t be able to respond to a cyberattack if he lacks even those authorities. We know it’s always going to be hard for government to deal with disasters caused by failures of complex technology in private hands; why would we make it harder by leaving government without authority? And without making this comment really long, it does seem to me that there are a lot of incentives, including liability concerns, that will cause even well-meaning private network defenders to adopt suboptimal security strategies, something that could be cured by government action.

      OrenWithAnE: In addition to getting out of my pants, away from my gun cabinet and out of my wallet, I now must campaign to keep the government off my computer. Lovely.

      Actually you probably already have a government on your computer. It’s just not the United States government.

      Guy: the privacy-industrial complex

      Which industry are we talking about here?

      The high-tech industry long ago figured out that the best way to attack any security requirements from Washington was to raise the privacy specter. The alliance between privacy groups and tech industry lobbyists to slow security regulation has been enduring — and bad for the country.

      cls: Did some alien pod take over the site? I thought I had come to Big Brother Central, not to the Volokh conspiracy. If I wanted derision of privacy I could go elsewhere. I come here looking for liberty-inclined information on law and policy, not put downs for those worried about civil liberties.

      I think you’re going to be challenged by my posts, then. In my view, the privacy-libertarian critique of government has become the default Establishment position on technology policy (despite being a minority view in the country). And it’s producing really bad technology policy. Bad policy that is going to seriously hurt the country.

      But, just for my information, where exactly is the “elsewhere” you would go to find derision of privacy? It seems to me that this is one Establishment doctrine that everyone is reluctant to deride.

    33. Duracomm says:

      Stewart, your belief that the free enterprise and the “privacy-industrial complex” is the problem is charmingly naive.

      Unfortunately your utterly naive belief that government action and regulation can only improve security is exceedingly dangerous to the safety and security of the United States. This belief provides far more risk to the US than the “privacy-industrial complex” you rail against.

      What is really entertaining is the fact that the primary example you cite for needing more government involvement (the bp spill) demolishes your own argument.

      You said

      As the BP oil spill shows, companies are quite capable of setting the stage for catastrophes well beyond their ability to remedy. We properly expect the government to regulate companies to address risks that can’t be internalized by the companies taking the risks. Emphasis mine.

      The government regulated bp. The government approved bp’s well plan. The government approved bp’s spill response plan. The government leased minerals to bp to drill. The government was responsible for ensuring bp’s compliance with regulations.

      In other words government was deeply involved regulating bp.

      Which makes your argument neatly and comprehensively self refuting.

    34. PeteP says:

      “You can’t just start changing emails without being detected unless you have spent a fair bit of time reading them so you know what’s going to seem out of context.”

      You’re over-thinking it. It’s very easy to randomly substitute ‘yes’ for ‘no’, or delete a sentence here and there ( looking for ‘brackets’ of periods ) etc. Change the word ‘good’ to ‘bad’ etc.

      “Similarly, attacking a financial system for even a midsize poses even more problems because the data is reviewed so many times. Such an attack can’t work unless the fake data is believable and difficult to differentiate from the real data.”

      Wrong again. You apparently have never been in corporate accounting. Errors are common, imbalances are common, bad data is common.

      But the point is not in attacking only bank records. How about the power grid ? Aviation ? Shipping and trucking ? Train system ? These would be the targets.

      “nobody’s pretending any other foreign governments are even interested in this kind of shenanigan) can teleport their packets into Topeka, Kansas …..it would be to put China off the internet.”

      BWahahaha ! Too funny !!!! You think they aren’t capable of setting up a few thousand computers and staff in the U.S. in sleeper cells to carry out the attack ?

      “if that comes it’s an act of war and should be treated as such.”

      Ok, how exactly do you do that ? Let’s say an attack on the power grid control systems and, oh, let’s say the computers that control the Port of LA, the intent being to shut down that Port ( how many billions of dollars in shipping every day ?? ) and disrupt the power grid wherever possible, all just to cause economic damage and fear and confusion. This attack is spearheaded by a large bot-net with a hundred thousand computers in 57 different countries ( we know these already exist and operate today, spammers use them ). Do you bomb someone ? What and how do you respond ?

    35. Duracomm says:

      Stewart,

      The bp spill provides an example of how government regulations, and government involvement in a disaster often delays response, makes problems worse, increases the amount of damage, and delays recovery.

      Not at all helpful to your argument that the “privacy-industrial complex” is the problem.

      Morning Bell: How the White House is Making Oil Recovery Harder

      A fairer headline would have been how government is making oil recovery harder but I don’t write headlines…

      Five weeks ago Escambia County officials requested permission from the Mobile Unified Command Center to use a sand skimmer, a device pulled behind a tractor that removes oil and tar from the top three feet of sand, to help clean up Pensacola’s beaches. County officials still haven’t heard anything back.

      Santa Rosa Island Authority Buck Lee told The Daily Caller why: “Escambia County sends a request to the Mobile, Ala., Unified Command Center. Then, it’s reviewed by BP, the federal government, the U.S. Army Corps of Engineers and the Coast Guard. If they don’t like it, they don’t tell us anything.”

      Contrary to popular belief, the federal government has actually been playing a bigger and bigger role in running natural disaster responses. And as Heritage fellow Matt Mayer has documented, the results have gotten worse, not better.

      But wait it gets better

      And when the federal government isn’t sapping the initiative and expertise of local governments, it has been preventing foreign governments from helping. Just three days after the Deepwater Horizon explosion, the Dutch government offered to provide ships outfitted with oil-skimming booms and proposed a plan for building sand barriers to protect sensitive marshlands.

      LA Gov. Bobby Jindal (R) supported the idea, but the Obama administration refused the help. All told, thirteen countries have offered to help us clean up the Gulf, and the Obama administration has turned them all down.

      According to one Dutch newspaper, European firms could complete the oil spill clean up by themselves in just four months, and three months if they work with the United States, which is much faster than the estimated nine months it would take the Obama administration to go it alone.

      Surely there was some sort of government regulation that could improve the situation?

      Well government regulations are in place. Unfortunately, they did not work the way supporters of increased regulation hope.

      US government regulations had an impact Stewart’s nemesis, the “privacy-industrial complex” would anticipate.

      The major stumbling block is a protectionist piece of legislation called the Jones Act which requires that all goods transported by water between U.S. ports be carried in U.S.-flag ships, constructed in the United States, owned by U.S. citizens, and crewed by U.S. citizens.

      The bp disaster provides a crystal clear example of how increased US government regulation of, and involvement in, the nation’s IT infrastructure is likely to damage and degrade US security not improve it.

    36. Ken Arromdee says:

      stewart baker: To say that foreign governments can’t corrupt financial data because the job is labor-intensive seems a little Dr. Evilish: “Why you’d have to have a population of a BILLION PEOPLE to pull that off!”

      It’s not just labor-intensive, it requires skilled labor, doing particular things. You can only get so many moles into a company. You can only break into so many buildings. You can only bribe so many company officials. It’s not the kind of attack that can be done just by using sub-minimum-wage conscripts and making up for their lack of skills with the fact that you have a lot of them.

    37. Chris Travers says:

      stewart baker: Chris Travers and others argue that private security measures are doing the job, and that the government’s help isn’t needed. I’m pretty skeptical.

      I didn’t say that government help wasn’t needed. I said that this measure didn’t do anything to address any real elements of a cyberattack. Sure there’s a role for government to play and in fact government already plays a role to some extent.

      HOWEVER, the government itself as a whole has fallen behind private enterprise in securing internet-facing web hosts. That tells you something right there. Nonetheless, there is a role for some government help in this regard. The NSA has been remarkably instrumental in helping private industry build more secure networks, for example.

      Furthermore, addressing liability issues is helpful also because it helps spur private industry to address the issues. The question of credit card fraud liability, for example, has been the driving factor behind PCI-DSS compliance requirements, which I’m sure you’d agree is a good thing.

      stewart baker: To say that foreign governments can’t corrupt financial data because the job is labor-intensive seems a little Dr. Evilish: “Why you’d have to have a population of a BILLION PEOPLE to pull that off! Bwah-ha-ha! Ridiculous!”

      It’s definitely not a resource-efficient form of attack. And it’s not a matter of throwing lots of people at the problem. Once you get in, you have to throw a few VERY HIGHLY SKILLED people at the job for months before you are ready to alter the data. The problem is that corrupting data isn’t enough to carry out an attack on the trustworthiness of the data. What you have to do is corrupt the data in such a way that the bad data cannot be sorted from the good using automatic means, and an important prerequisite there is that the data must be believable. That’s far harder done than said. Moreover now that you have to wait months anyway, if you time the alteration correctly (say, right after year-end is done), then you can sit back and wait for the attack to be discovered some months later.

      Furthermore, I suspect you don’t work a lot with businesses’ accounting systems, but it’s not uncommon for my customers to be running multiple accounting systems in parallel, and many of these have extremely complex database structures with a certain amount of redundancy built in. Furthermore for mid-size to large businesses, some key data is often in read-only media (such as checking account activity from the bank shipped to the customer on CDROM every month). So I don’t see such an attack working unless you have highly skilled agents who work for the company in the bookkeeping department with access to the CDROMs. Add to that the fact that accounting processes are based on the idea that nobody is supposed to trust each other…..

      Moreover a lot of midsize businesses don’t manually enter much accounting data. These come from other databases elsewhere and are imported in part, reviewed independently by the accountants every day during the post process, etc. Carrying out a successful attack would also mean successfully locating every one of these databases and carrying out modifications on them which would properly hide the attack. The chance of something being missed is significant, which gives the accounting team a chance to find and fix the problem.

      The complexity of an attack on a set of interoperating financial systems is far more complex than you give it credit for. Is it possible? Sure. Is it worth it? I highly doubt it.

      I would submit that there are more effective attacks that such experts could be doing other than altering accounting data which MIGHT impact the economy months later.

      It’s sort of like, say, carrying out a terrorist attack on subways with Sarin gas. Sounds horrible on paper, but in practice just isn’t very cost-effective compared to more conventional approaches.

      So here we have a few things:
      1) This is unlikely because it involves too much effort for too little payoff.
      2) This specific type of attack (data alteration undermining confidence in data) would likely be discovered much later, negating any time-sensitive argument for emergency powers, and
      3) Since this measure does not solve your hypothetical, I have to conclude it’s what we software engineers call “a solution in search of a problem.” Such solutions are rather undesirable.

      So it’s not a matter if government helps out. It’s a matter of what steps the government can productively take to provide better security. IMO, this means ensuring that folks who are injured due to security breaches (due to negligence in terms of network security) can recover damages, perhaps adding additional statutory damages to this sort of thing where folks are negligent in protecting critical infrastructure. Some grants for industry groups to develop security standards wouldn’t be a bad thing either. I wouldn’t even object to having the NSA provide some advisory roles to these groups.

      But emergency powers to take over the internet, justified by an attack scenario which is extremely complex for its damage potential and which, if it were successful, probably wouldn’t be immediately discovered (indeed, the measure of success would be in part that it wasn’t immediately discovered) just doesn’t make sense.

    38. Chris Travers says:

      Ken Arromdee: It’s not just labor-intensive, it requires skilled labor, doing particular things. You can only get so many moles into a company. You can only break into so many buildings. You can only bribe so many company officials. It’s not the kind of attack that can be done just by using sub-minimum-wage conscripts and making up for their lack of skills with the fact that you have a lot of them.

      Moreover throwing lots of people at a knowledge project is a way to have lots of stupid mistakes made.

    39. Chris Travers says:

      PeteP: Wrong again. You apparently have never been in corporate accounting. Errors are common, imbalances are common, bad data is common.

      I work with corporate accounting teams building their accounting systems. Some have atrocious processes and probably couldn’t survive any sort of audit. Others have very good practices and could easily audit data. However, it’s not uncommon in both cases to see, for example, Quickbooks Enterprise and Sage 500 running in parallel, along with some internally designed application which does some other part of the books.

    40. Sammy Finkelman says:

      The problem is that the government is likely to mess up and delay the recovery process and make the whole thing last longer. We have seen in recent years how usually in an emergency situation, current thinking seems to call for preventing people from helping themselves and centralizing all responses to the event – completely the wrong thing to do. Socialism doesn’t make any more sense in emergencies than in ordinary situations, but in emergencies more people can be trusted not to do bad things.

      Therefore this is a bad bill – because in a real emergency companies would fully co-operate in a good plan.

      Perhaps what is needed, if anything, is only some language to make sure that will be legal – antitrust exemptions or permission to share data, waiving maybe some privacy protections if done for the purposes of maintaining the integrity and functioning of the system.

      Very little advance planning is needed or useful.

      The government’s usual response this century is to cut off all self-help efforts – haven’t we seen that with the BP oil blowout and for that matter with Katrina? – while running any kind of efforts to help through a slow and obstructive bureaucracy that won’t do anything unless it is sure it is right.

    41. Stephen Lathrop says:

      It looks like some of the people participating here understand what they are talking about. I doubt any of them understands this discussion. I know I don’t.

    42. Sammy Finkelman says:

      Duracomm:
      The bp disaster provides a crystal clear example of how increased US government regulation of, and involvement in, the nation’s IT infrastructure is likely to damage and degrade US security not improve it.

      Now there are some good kind of regulations, but they have to be different in character. What we definitely don’t need is a need for pre-approval of any attempt to help.

      For prevention what we need is not for someone to assure us something bad will never happen but something that will tend to ensure that if things are starting to go wrong there is someone with the power to call attention to it. Maybe some people should specifically have that job.

      See this letter by Terry Barr of Samson Oil and Gas Company published in the Wall Street Journal of Friday, June 11, 2010 for an account of what went wrong to cause the explosion and oil leak. I haven’t heard any kind of regulation proposed that would get at this kind of problem. Various news stories have also told some of this.

      http://online.wsj.com/article/SB10001424052748703303904575293270746496824.html
      This is most of the letter:

      The BP testimony to the House Committee on Energy and Commerce on May 25 says it all, but perhaps that material needs to be explained. From looking at that evidence, this is what we know:

      1) When cementing the production casing the cementing crew, which was being supervised by BP, had difficulty landing the top plug into the casing shoe. This was the first “red flag” because a satisfactory cement job to the production string is fundamental to the safe operation on a go forward basis. The fact that the cement job did not go as planned should have caused the testing operation that followed to be carefully scrutinized, it clearly was not.

      2) As is normal practice, the integrity of the pressure tight seal was tested by pressuring up on the casing and observing the pressure response. If pressure bleeds off there is clearly a problem with the pressure integrity of the shoe. However, industry practice dictates that a positive test, that is no pressure drop, is not diagnostic, simply because the reservoir pressure is sufficient to retain the pressure being applied. A negative test is useful because it is diagnostic of a failed cement job. In this case the test was positive.

      3) Again, as is normal industry practice a negative pressure test was run, with pressure released from inside the casing and the pressure response was measured. In this case evidence has been brought before the committee that there was a 1,400 psi pressure response. This response is highly diagnostic and is therefore the second “red flag” and at this point the BP supervisors should have concluded that they had what the industry calls a “wet shoe.” That is that the cement job had failed to form a seal at the casing around the reservoir which we know contains high pressure oil and gas.

      4) At this point a decision should have been made to do a remedial cement job; this is an expensive operation, but having seen a 1,400 psi response, there was no choice.

      5) The BP engineers then proceeded with the balance of the operation to temporarily abandon the well. This meant replacing the 14-pound-per-gallon mud that was in the wellbore with 8.5-pound-per-gallon sea water. The denser mud had been, up until this time, the primary pressure control and was keeping the hydrocarbons in place despite the lack of an adequate cement job at the casing shoe.

      Given the two red flags that had been thrown up previously, one would have expected that as a precaution a cement plug would have been placed somewhere in the wellbore as a secondary pressure seal before this primary pressure control system (heavy mud) was evacuated from the wellbore. But at the very least the mud replacement operation should have been heavily scrutinized. Clearly it was not.

      6) Evidence provided at the hearing, including the pressure data transmitted from the rig for the last two hours before the explosion, is diagnostic. At 8:20 p.m. on the day of the explosion the pressure data suggest there was a constant flow of sea water being pumped into the drill pipe that was displacing the heavier mud system which was the primary pressure control for the well. The rate going in was 900 gallons per minute, but the flow data of mud coming out was steadily increasing from 900 gallons a minute at 8:20 p.m. to a rate of 1,200 gallons per minute at 8:34 p.m. During this 14-minute period one can conclude that hydrocarbons were flowing and pushing more fluid from the wellbore than was being pumped in.

      This is what this data is supposed to monitor, but the well flow evidence would appear to have been ignored, because at this point the BP rig supervisors should have gone to a well kill operation and started to pump heavy mud back into the well bore to restore the primary control mechanism. Instead the mud continued to be evacuated.

      7) At 9:08 there was another piece of evidence that is very clear cut. The sea water pump was shut down presumably to check the well stability. However, with the pump shut down a pressure increase was seen in the standpipe (SPP). This pressure response has to be associated with the reservoir flowing hydrocarbons and again at this point kill operations should have been initiated by the BP engineers.

      8) From 9:08 p.m. to around 9:30, despite the sea-water pump either running at a constant volume or shut-in, the SPP continued to increase; again this is evidence that the well is producing hydrocarbons and should have caused a kill operation to be initiated.

      9) At 9:30 p.m. the seawater pump was again shut-in to presumably observe what the well was doing, and again there is a notable increase in the standpipe pressure.

      10) At 9:49 the SPP showed a very large increase and the explosion followed—this is obviously the point at which the gas and oil reached the drill floor and found an ignition source.

      Mr. Hayward and BP have taken the position that this tragedy is all about a fail-safe blow-out preventer (BOP) failing, but in reality the BOP is really the backup system, and yes we expect that it will work. However, all of the industry practice and construction systems are aimed at ensuring that one never has to use that device. Thus the industry has for decades relied on a dense mud system to keep the hydrocarbons in the reservoir and everything that is done to maintain wellbore integrity is tested, and where a wellbore integrity test fails, remedial action is taken.

      This well failed its casing integrity test and nothing was done. The data collected during a critical operation to monitor hydrocarbon inflow was ignored and nothing was done. This spill is about human failure and it is time BP put its hand up and admitted that.

      Terry Barr

      President

      Samson Oil and Gas

      Lakewood, Colo.

    43. Sammy Finkelman says:

      One thought: the fact that nobody ever expected the blowout preventer to be used allowed its quality to deteriorate since nobody thought it would ever matter.

      Also, replacing the mud reminds me of how the Chernobyl disaster happened.

      And of course what was missing was someone at the scene with both the knowledge to understand when something was going very wrong and the power to prevent it. This is what we need more than any attempt at detailed prior regulation, which will never be good enough. Once you have a half decent system what counts then is someone with the power to call a halt to things and the knowledge to know when and when not to do it.

    44. Sammy Finkelman says:

      Leaving the co-operation of companies voluntary would help ensure that any proposal to deal with the emergency by the federal government would make sense.

      And there is probably now already something on the books that would deal with a really obstructionist company that was causing problems – where they could go to a judge and ask for some injunction.

    45. Adam C says:

      stewart baker: To say that foreign governments can’t corrupt financial data because the job is labor-intensive seems a little Dr. Evilish

      Have you actually written an exploit and/or tried to break into a secured system yourself? It isn’t just “labor intensive” the way digging a 50-mile trench is labor intensive. It requires skill, knowledge, opportunity and, for a major attack, enormous computational resources (which make you easier to find and stop). That all these would somehow become available if only somebody felt like doing it ignores all data on the subject: lots of people can and do acquire these resources, but never in sufficient quantity to bring down even a fraction of the earth (or else, they would have already). We could also be worried that somebody would jam the entire RF spectrum; but this ignores the reality that this is a technically very very hard thing to do.

    46. Chuck says:

      If you or Declan are concerned about the president having the authority to shut down the Internet, consider 47 USC 606 (c) and (d). See below (emphasis added).

      (c) Suspension or amendment of rules and regulations applicable to certain emission stations or devices
      Upon proclamation by the President that there exists war or a threat of war, or a state of public peril or disaster or other national emergency, or in order to preserve the neutrality of the United States, the President, if he deems it necessary in the interest of national security or defense, may suspend or amend, for such time as he may see fit, the rules and regulations applicable to any or all stations or devices capable of emitting electromagnetic radiations within the jurisdiction of the United States as prescribed by the Commission, and may cause the closing of any station for radio communication, or any device capable of emitting electromagnetic radiations between 10 kilocycles and 100,000 megacycles, which is suitable for use as a navigational aid beyond five miles, and the removal therefrom of its apparatus and equipment, or he may authorize the use or control of any such station or device and/or its apparatus and equipment, by any department of the Government under such regulations as he may prescribe upon just compensation to the owners. The authority granted to the President, under this subsection, to cause the closing of any station or device and the removal therefrom of its apparatus and equipment, or to authorize the use or control of any station or device and/or its apparatus and equipment, may be exercised in the Canal Zone.
      (d) Suspension or amendment of rules and regulations applicable to wire communications; closing of facilities; Government use of facilities
      Upon proclamation by the President that there exists a state or threat of war involving the United States, the President, if he deems it necessary in the interest of the national security and defense, may, during a period ending not later than six months after the termination of such state or threat of war and not later than such earlier date as the Congress by concurrent resolution may designate,
      (1) suspend or amend the rules and regulations applicable to any or all facilities or stations for wire communication within the jurisdiction of the United States as prescribed by the Commission,
      (2) cause the closing of any facility or station for wire communication and the removal therefrom of its apparatus and equipment, or
      (3) authorize the use or control of any such facility or station and its apparatus and equipment by any department of the Government under such regulations as he may prescribe, upon just compensation to the owners.

    47. Stewart Baker says:

      1. Lots of comments suggest, in more detail than I want to address, since I think it’s a bit of a distraction, that the government’s regulation of BP was not very good or that the government’s response to the spill isn’t really helping. The regulatory failure seems pretty plain, even if it was simply a matter of not driving up the cost of negligence. I’m more skeptical of the effort to prove that the Administration is actually hurting the response; pointing to the Jones Act and the like is a little bizarre; the Jones Act is not part of government’s emergency response; in fact, the government has authority to waive the Act in an emergency if I remember right. If the government had no authority to respond to an oil spill, the Jones Act would still be there; it just wouldn’t be waivable.

      But I’m not naive about government; of course it has its own dysfunctional dynamics, and of course it needs to be watched and held accountable for its screwups (something that may happen as early as November). But I do reject the idea that government’s dysfunctions are disqualifying while industry’s dysfunctions are trivial. If you think that BP will do the right thing to avoid liability, you’re talking about another form of government regulation, with its own set of dysfunctions, as the WSJ will cheerfully tell you at great length. But without liability, who among the commenters believes that blowouts would still be rare?

      2. To respond to a comment received elsewhere, here’s why I think Declan overstated the scope of the bill. That scope depends on the definition of covered critical infrastructure, which is what the bill gives authority over:

      “(4) the term ‘covered critical infrastructure’ means a system or asset—
      ‘‘(A) that is on the prioritized critical infrastructure list established by the Secretary under section 210E(a)(2); and
      ‘‘(B)(i) that is a component of the national information infrastructure; or
      ‘‘(ii) for which the national information infrastructure is essential to the reliable operation of the system or asset.”

      I think the structure and grammar are pretty clear. To be covered, an institution must satisfy both (A) and (B), which are joined in the conjunctive “and.” To satisfy (B), the institution must meet either the criteria in (B)(i) or in (B)(ii), which are joined in the disjunctive. Both (B)(i) and (B)(ii) can only be satisfied by ties to the national information infrastructure.

      Or to put it in English, you can’t be covered if you aren’t on the list, and just being on the list is not enough. You also have to be part of the information infrastructure or the information infrastructure must be essential to your functioning.

      Thanks to the comment, though, I’ve realized that I was too quick to say that Microsoft and ISPs would be directly subject to regulation if they service the power grid. They would not, at least not for that reason. Only the grid would be subject to regulation, though of course any order to the grid owners about what standards their ISPs or operating systems must meet would have pretty profound indirect effects on Microsoft and ISPs.

    48. Duracomm says:

      Stewart said,

      pointing to the Jones Act and the like is a little bizarre; the Jones Act is not part of government’s emergency response; in fact, the government has authority to waive the Act in an emergency if I remember right.

      The fact that government could have waived the jones act but did not further damages your argument.

      Much of the disagreement with your rather facile belief that increasing government regulation increases safety and security is based on the cold, hard, fact that government regulation always has unintended consequences and they are often quite negative.

      Knee jerk support of additional regulation just because it has a “security or safety” label on it is dangerous and weakens safety and security out here in the real world.

    49. BS says:

      Having Barack Obama or George Bush involved in defending from a cyber attack would improve things how?

      PeteP: “You can’t just start changing emails without being detected unless you have spent a fair bit of time reading them so you know what’s going to seem out of context.”

      You’re over-thinking it. It’s very easy to randomly substitute ‘yes’ for ‘no’, or delete a sentence here and there ( looking for ‘brackets’ of periods ) etc. Change the word ‘good’ to ‘bad’ etc.

      That’s so 1990s. Companies that run at internet scale (or peta-scale) aren’t nearly so easy to attack this way. For example, if you try to change an email in a cloud-based service, you’ve got to change all of the copies and somehow defeat the error correcting codes that would undo your change with no one even noticing that you’d tried – though the data you modified might be marked for scrubbing.

      Many emails quote earlier emails, so a general attack of changing ‘no’ to ‘yes’ would require changing it consistently to be undetected.

      Many data storage systems that operate at scale are append-only, much like a general ledger. It’s not feasible to do updates in place at scale.

      Internet-scale systems have to be designed to cope with errors. For example, disk drives are quoted with about one unrecoverable read error every 10 terabytes (10,000 gigabytes). This doesn’t sound bad, except when you are handling thousands of terabytes, disk errors are a common occurrence. About 3% of your disks will die every year. Machines (and racks of machines) die constantly without warning.

      If you don’t handle those situations, your application doesn’t work. Many attacks would fail due to the redundancy and error correction that has to be built into the system for it to even work in the first place.

      When attacked by a typical criminal botnet, and it gets through the automated defenses, the first response is to just throw more hardware at the botnet than they can throw at us while our excellent security people figure out how to defeat the attack. Defeating the attack usually takes a few minutes to a few hours.

      The really frightening attacks are the sophisticated, nation-state level attackers, like Gh0stnet.

      For those interested in learning more about sophisticated espionage attacks against computer infrastructure, here’s a link to a good technical report from Cambridge University that analyzes an attack against the Dalai Lama http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf. The attack that they documented seems to be quite similar to the attack against Google and other companies that was discovered at the end of 2009.

      A Canadian report on the Dalai Lama attack http://www.scribd.com/doc/29435784/SHADOWS-IN-THE-CLOUD-Investigating-Cyber-Espionage-2-0

      More about Gh0stnet with a mention of the F-35 Fighter Program http://www.defensenews.com/story.php?i=4172668
      The root kit that Ghostnet uses with screenshots showing apparent surreptitious remote monitoring of web cams http://www.f-secure.com/weblog/archives/00001638.html
      What some of the pdf based attacks looked like and a map showing where the compromised computers were located http://www.securityfocus.com/blogs/1809
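
The replication, checksum and scrubbing behaviour described in comment 49, sketched as an added example that is not part of any comment in this thread. The store, its class and method names, and the sample message are all constructed for illustration and do not model any particular provider's system.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ReplicatedStore:
    """Toy append-only store (constructed model): each object is written to
    N replicas and its checksum is recorded once in a write-once log."""

    def __init__(self, replica_count: int = 3):
        self.replicas = [{} for _ in range(replica_count)]
        self.log = {}  # object_id -> checksum; written once, never updated

    def put(self, object_id: str, data: bytes) -> None:
        if object_id in self.log:
            raise ValueError("append-only store: no updates in place")
        self.log[object_id] = sha256(data)
        for replica in self.replicas:
            replica[object_id] = data

    def read(self, object_id: str) -> bytes:
        """Serve the first replica whose content matches the logged checksum."""
        expected = self.log[object_id]
        for replica in self.replicas:
            data = replica.get(object_id)
            if data is not None and sha256(data) == expected:
                return data
        raise IOError(f"{object_id}: no replica matches its checksum")

    def scrub(self) -> list:
        """Verify every replica and repair bad copies from a good one.
        Returns a list of (object_id, replica_index, outcome) findings."""
        findings = []
        for object_id, expected in self.log.items():
            good = next((r[object_id] for r in self.replicas
                         if object_id in r and sha256(r[object_id]) == expected),
                        None)
            for index, replica in enumerate(self.replicas):
                data = replica.get(object_id)
                if data is not None and sha256(data) == expected:
                    continue  # this copy is intact
                if good is None:
                    findings.append((object_id, index, "unrecoverable"))
                else:
                    replica[object_id] = good
                    findings.append((object_id, index, "repaired"))
        return findings


def demo():
    store = ReplicatedStore(replica_count=3)
    original = b"Subject: contract\n\nno, we do not accept the terms.\n"  # constructed
    store.put("msg-001", original)
    # Simulate a silent change to one stored copy (bit rot or tampering).
    store.replicas[0]["msg-001"] = original.replace(b"no,", b"yes,")
    delivered = store.read("msg-001")   # read path skips the bad copy
    findings = store.scrub()            # scrub flags and repairs it
    return original, delivered, findings, store.replicas[0]["msg-001"]


if __name__ == "__main__":
    print(demo()[2])
```

The model only covers changes made to stored replicas after the write. It says nothing about a message altered before it reaches `put`, or about a change that also rewrites the checksum log, which is why the log has to be protected separately from the data.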

    50. methodact says:

      Josh Bornstein:

      I do not want to be doing this. I would rather be in full communion with all things Abby Sunderland, right now. But even as I might look as though I am responding to your bait, my aforementioned work was not unlike John Perry Barlow’s, “A Declaration of the Independence of Cyberspace”, in that it addressed a concept of separate sovereignty for the Internet. It was in response to a post by EV about one state jurisdiction holding content posted in another state (where it was legal), as illicit material in order to jail the remote offenders of its particular delicate sensibilities, thus rendering the entire Internet criminally subject to the whims of the least tolerant jurisdictional elements on the grid.

      It dealt with a permanent tax exemption for the Internet, sui generis, as a totally new kind of sovereignty for civilization. I would go into the more radical elements of what I wrote then, that got me deleted and banned, but at this time I am not prepared to paradigm-shift from where I am right now, from my current interests and focus.

      But you should know about the Chatham House Rule, and that the Bilderbergs, Chatham House, etc., all pursue the utmost secrecy for themselves, yet contrive full exposure of those they (would) control. Chatham House recently made public, in a very uncharacteristic move, an open video in which they discuss their power-grab agenda framed as the exigency surrounding “cyber security”, with all the same shopworn platitudes we tend to read here.

      As the previous insult attending to my persona non grata, here, still leaves an exceedingly bad taste in my mouth, I shall merely add that Steve is right, we are in a cyber battle, continuously. My biggest example would be where Andrew Cuomo tried to shut down Usenet, in order to facilitate his ISP shakedowns and to meanly practice his demagoguery to further his own political interests.

    51. PeteP says:

      “For example, if you try to change an email in a cloud-based service, you’ve got to change all of the copies ”

      No, I don’t. I only need to change the one that gets delivered. We’re talking obfuscation and misdirection here, not ‘proof against any follow-up forensics’.

      “Many emails quote earlier emails, so a general attack of changing ‘no’ to ‘yes’ would require changing it consistently to be undetected.”

      Trivial. Don’t modify lines that start with the common ‘quoted text’ ASCII codes, like ‘>’ etc.

      “Many attacks would fail due to the redundancy and error correction that has to be built into the system for it to even work in the first place.”

      You think the attackers care how many tries fail ? When they have their automated processes simply spewing out hundreds of thousands of attacks a day ? You think they care if 50,000 fail, and only 100 succeed ? Look at the cost-benefit ratios from their point of view. So, a few billion packets were wasted. They cost NOTHING. So, a computer ( or 10,000 of them ) ran an extra day or 10 – send me the electric bill.

      “Defeating the attack usually takes a few minutes to a few hours.”

      Even if I grant your premise, which I do not, how much harm would it do if they were to take down the entire power grid for a few hours ? Would it be worth it to them , you ask ? These are people who explode their own mothers in order to kill two goats and a christian.

    52. Katahdin says:

      Even if I grant your premise, which I do not, how much harm would it do if they were to take down the entire power grid for a few hours ?

      Not so much? I live in the Seattle suburbs, and we lose power an average of maybe 1 day per year (usually for a few days, every few years). We break out the coleman stove and take dinner to electric stove neighbors. Nobody dies. It’s kind of peaceful and quiet. If I feel the urge, I fire up the generator. And of course, the generators at the hospital, police station, cell phone towers and so on are all running.

      If terrorists or nation states manage to cause power outages on that scale, we’ll probably start to care about security. Until they do, we should spend the money trimming trees by the lines, which is what causes the majority of current outages.

    53. DG says:

      I’m out this week at the NANOG conference in San Francisco. This is where all the guys who actually DO run critical Internet infrastructure get together to compare notes. Very few government folks here and the ones who are here are here to learn, not to tell people what to do.

      The problem with the entire approach described in this approach is the idea that anyone in the government would know what to DO to fix a problem.

      {If another country launches a computer network attack on US infrastructure, do we want the President to look as helpless as he looks today in response to the BP spill? Remember, he won’t be looking helplessly at a few tarballs on the beach; in a worst-case emergency, he might be looking helplessly at a country that lacks power, working phones, and maybe even a reliable financial system.}

      The President would know how to fix a major cyber-attack? One of his advisors? IT staff at DHS (laughable), or DoD (unlikely). The only really clever government IT guys are at NSA and NIST, and they are certainly no better than the guys at the major backbone providers.

      While there is an argument for a certain coordinating role, that could make things worse.

      Stewart, if you are serious about this topic, why aren’t you in San Francisco this week to talk to the folks who would actually have to live it?

    54. JustAJoe says:

      J.T. Wenting: Like it or not, this bill has only 2 reasons to exist:
      1) giving the government the right and capability to impose censorship
      2) giving the government the right and capability to limit access to the internet by those it doesn’t like
      Both are in violation of the constitution as both limit freedom of expression.

      3) Give you another left-wing conspiracy plot to take away all our freedoms forever to salivate over

    55. DerHahn says:

      Anybody who has actually dealt with computer systems larger than two boxes with Intel warning stickers on the front running Micro$oft Windowze read this line ‘Corrupt the backup files, then bring the whole system down.’ and correctly determined that the author doesn’t know what he’s talking about. I don’t give a damn what his supposed credentials for writing his book are, and will guarantee that any ‘experts’ he relied on are similarly over-credentialed agenda pushers, not experienced technicians.

    56. Chris Travers says:

      BS: The really frightening attacks are the sophisticated, nation-state level attackers, like Gh0stnet.

      Gh0stnet is a real concern. However, the fundamental questions are what you can do with it.

      Certainly espionage is not innately difficult above and beyond the basic problems of compromising a system. But from there we get to inherent difficulties. These difficulties are not embarrassingly parallel problems so they can’t be solved by throwing more people at the problem. In fact, throwing more people at the problem increases the likelihood of failure.

      For example, compromising all backups means altering data such that it is damaging but not discovered until the last known good off-site backup has been recycled. This is the first indication that “corrupting the backups and then crashing the system” does not constitute an emergency worthy of emergency powers— by the time the attack has succeeded (months or years after the original attack) the trail will be very, very cold. This inherent time delay also means

      Secondly, such an attack might also depend upon damaging off-line records as well, as long as they are in a machine-readable format. One is looking to defeat simple, automated attempts to track unauthorized changes and restore data, not necessarily follow-up forensics. So while paper bank records that someone would have to go through don’t need to be torched, machine-readable records on CDR media would have to be replaced. This is because recovery might be much easier if one could just start running old bank statements to reconcile against asset accounts and look for discrepancies. This means on-site agents. The problem here is that each attack and each agent is possibly detectable, so if you don’t want to be detected, you have to use as FEW agents as possible.

      Furthermore, there has to be an in-depth understanding of how a company processes the financial information. Most financial services businesses I have worked with have an amazing amount of redundancy here. For example, a stock brokerage may have a trading platform which exports information (on a daily basis) to an accounting platform. Only new data is exported, so if the financial data is corrupted, one could essentially re-run an import (reducing an audit to things like corporate payables). If that’s possible then the attack must be treated as a failure…… This is why I say it’s labor intensive: the pre-attack surveillance required to hit a financial application sufficient to thwart easy recovery is very difficult and if an error is made, the attack fails.

      As for email systems, one key thing to understand is that misunderstandings over email are fairly commonplace as it is, so one key element is that most competent businesses don’t use it as a replacement for face-to-face discussions. If an attack is made that compromises the email systems, it is likely to be detected quickly if it’s going to be useful at misdirection at all. Furthermore countermeasures, such as cryptographic signatures, are readily available anyway on all major email clients.

      I really think that the most a cyberattack could do would be to cause hours’ worth of disruption to key communication infrastructure, forcing things like air traffic control to fall back to backup communication systems (ATC uses point-to-point microwave as a backup). It’d be darned inconvenient, but a war could no more be carried out entirely through cyberspace than in the air (assuming, of course, conventional munitions).

    57. Chris Travers says:

      PeteP: You think the attackers care how many tries fail ?

      If failure means detection, definitely.

    58. Chris Travers says:

      PeteP: Even if I grant your premise, which I do not, how much harm would it do if they were to take down the entire power grid for a few hours ?

      Very little. I’ve been through power outages before lasting a week or more. One can still buy gas at gas stations, some food at the grocery store (though selection tends to be limited), etc. Society doesn’t come crashing down. It’s annoying and people get grumpy, and of course there’s a substantial economic cost. A few people die by doing stupid things (my house is set up to be heated by charcoal if necessary, but don’t do this without a proper heating stove)….

      All in all, the number of deaths is fewer than, say, a midsummer heatwave. So it’s nothing to be worried about.

    59. PeteP says:

      “all the guys who actually DO run critical Internet infrastructure ….The problem with the entire approach described in this approach is the idea that anyone in the government would know what to DO to fix a problem.”

      IMO, it’s ridiculous to think that nation-state type actors would want to ‘take down the Internet’. Anarchists, maybe, but not state actors or others with a non-anarchist agenda. In fact, they would want to HELP keep it running ! It’s their pipeline to their targets ( power grid, aviation, shipping, etc ). If they break the Internet, they cut off their own access to where they want to get at. Why would they do that to themselves ?

      So, there sits the Internet, ably maintained by the Tier 1 guys et al, making SURE that the attackers have a clear and open road. IMO, the government is the only place where it makes sense to have the power to shut down that road, block that highway, in times of attack. Even if the Internet itself were under attack ( it wouldn’t be, IMO ) rather than being a conduit to targets, no one else is going to be motivated to hit the Off switch in an emergency.

      “such an attack might also depend upon damaging off-line records” You folks keep looking at this from a non-attacker viewpoint. The target would not be merely bank records or such, the target would be to gain access to the controllers that run the power grid, for example. Get into the code that says ‘If this load exceeds 100 MW, shut down or switch over’, and add a zero to it, or point the switch over to a place that will cause damage instead of avert it, etc.

      “I’ve been through power outages before lasting a week or more. One can still buy gas at gas stations, some food at the grocery store (though selection tends to be limited” So, you’ve been in some tiny little localized power failures. So have I. Causing that kind of small-scale inconvenience would not be the goal of a state-actor-level cyber-attack. They’d be looking to operate more on the scale of ‘everything east of the Mississippi out for two weeks’ – no ‘gas station a few towns away to get fuel from’ etc.

    60. Chris Travers says:

      PeteP: You folks keep looking at this from a non-attacker viewpoint. The target would not be merely bank records or such, the target would be to gain access to the controllers that run the power grid, for example.

      Still, that’s not the scenario that Stewart Baker was discussing. The point was that the scenario he was discussing is simply not plausible. We probably agree here. I have no problem with the government providing oversight for the power grid internal network security measures, but I see no reason to extend it to an ISP that serves them.

      PeteP: Causing that kind of small-scale inconvenience would not be the goal of a state-actor-level cyber-attack. They’d be looking to operate more on the scale of ‘everything east of the Mississippi out for two weeks’ — no ‘gas station a few towns away to get fuel from’ etc.

      Where I come from, at least some gas stations have generators. Sure selection of a gas station is limited because maybe only a quarter of the gas stations have generators, but one can find them. Grocery stores often have generators sufficient to keep POS terminals and a few refrigeration units (not all) online, and a very few lights.

      The worst part is that if it happens in winter some people burn charcoal in their houses and die, but that’s still pretty rare.

    61. Chris Travers says:

      PeteP: IMO, it’s ridiculous to think that nation-state type actors would want to ‘take down the Internet’. Anarchists, maybe, but not state actors or others with a non-anarchist agenda. In fact, they would want to HELP keep it running !

      The most likely scenario I can see is to use an attack disrupting a part of the internet as a distraction which could be used to reduce the efficiency of a political response to an action in meatspace. For example, suppose China might try to flood banks and telco networks with packets internally from malware, and while the government is responding to this, maybe invade Taiwan.

    62. Pat Cahalan says:

      > The privacy-industrial complex

      The privacy-industrial complex? I think we can now definitively say that the “‘foo’-industrial complex” has jumped the shark.

    63. Duracomm says:

      One other reason to oppose giving government more power over IT infrastructure would be the government’s demonstrated incompetence on IT related issues.

      The FBI’s Upgrade That Wasn’t
      $170 Million Bought an Unusable Computer System

      Within a few days, Azmi said, he warned FBI Director Robert S. Mueller III that the $170 million system was in serious trouble. A year later, it was dead.

      The nation’s premier law enforcement and counterterrorism agency, burdened with one of the government’s most archaic computer systems, would have to start from scratch.

      The collapse of the attempt to remake the FBI’s filing system stemmed from failures of almost every kind, including poor conception and muddled execution of the steps needed to make the system work, according to outside reviews and interviews with people involved in the project.

      I’m not sure how much government help and expertise the US IT infrastructure could stand before undergoing a complete collapse.

      Opposition to more government involvement in the private sector is often a simple recognition of government incompetence.

      Not a particular allegiance to the dreaded “privacy-industrial” complex

    64. Sammy Finkelman says:

      Duracomm: One other reason to oppose giving government more power over IT infrastructure would be the government’s demonstrated incompetence on IT related issues.
      The FBI’s Upgrade That Wasn’t
      $170 Million Bought an Unusable Computer System
      I’m not sure how much government help and expertise the US IT infrastructure could stand before undergoing a complete collapse

      This is no argument. Maybe this was on purpose. Maybe there are terrorist – read Saudi-connected? – moles in the U.S. government.

      Things like this have happened too many times.

      If we had intelligence agencies that were working, it wouldn’t take us 8 1/2 years – scratch that – 15 years or more – to figure out that Pakistan’s rogue military intelligence agency was the world’s chief sponsor of terrorism.

      And bin Laden would not be at large. Certainly we would never have trusted Pakistan to guard its side of the border in November 2001.

      For more about what’s going on, see these articles:

      http://www.nytimes.com/2010/06/13/opinion/13sethi.html?scp=6&sq=pakistan%20&st=cse

      http://www.nytimes.com/2010/06/14/world/asia/14pstan.html?scp=4&sq=pakistan%20&st=cse

      http://www.nytimes.com/2010/06/03/world/asia/03pstan.html?scp=8&sq=pakistan%20&st=cse

      http://www.nytimes.com/2010/06/16/world/asia/16lashkar.html?scp=1&sq=pakistan%20afghanistan%20india&st=cse

      KABUL, Afghanistan — A Pakistani-based militant group identified with attacks on Indian targets has expanded its operations in Afghanistan, inflicting casualties on Afghans and Indians alike, setting up training camps, and adding new volatility to relations between India and Pakistan.

    65. DH says:

      If the government can’t even keep the “Collateral Murder” video in a secure location (you’ll recall it was left on a shared drive on our secret network, which apparently isn’t even adequately logged in some areas), why should it be allowed to seize civilian networks during a network attack?

      Should we give the NSA even more access to civilian networks? It already has no respect for privacy or the law, given what occurred at ATT and probably every telco hotel to boot.

      The “privacy industrial complex,” should be concerned. And so should you.