Security

How likely is a cyber 'Pearl Harbor'?

Patrick Lambert considers a recent speech by U.S. Defense Secretary Leon Panetta warning about cyberwar threats.

When someone invokes Pearl Harbor, especially the U.S. Defense Secretary, chances are he's talking about a very critical event. So it's no surprise that when Leon E. Panetta spoke of a possible cyber-Pearl Harbor earlier this month, it made the rounds in the media. It's clear what he meant -- one huge targeted strike against U.S. infrastructural targets -- but what is less certain is how likely such an event is to occur, what would happen afterward, and what type of measures can be used to prevent this in the first place. This isn't a new concept, and the U.S. Government, along with security researchers all over the world, has been thinking about such a major security scenario for a long time now. Let's see what the current status of our infrastructure security is, and what the various parties involved are proposing to fix any potential problem.

Panetta's speech at the Intrepid Sea, Air and Space Museum in New York painted a very dark picture of what the future might hold for the Internet, should a cyber-Pearl Harbor occur. He said that several foreign actors are currently developing the technological capabilities that would allow them to carry out such an event, including China, Russia, Iran and various militant groups. He said: "An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches." Later in his speech, he also added some varying attack scenarios, saying, "They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country."

Finally, when asked about what he would propose to prevent something like that from happening, he pointed to a recent cybersecurity bill, which was blocked in August by Republicans.

So is the picture portrayed an accurate depiction of things to come? The answer isn't simple. On the one hand, it's true that there are likely big security holes in devices and software running some critical pieces of equipment, whether that be in the power grid, water, or other critical systems. Most of these things were designed a long time ago, before security was much of a concern -- besides putting up fences and a locked gate. Then, you have corporate security, composed of servers and networks that routinely get hacked and broken into, and where sensitive information can be accessed. So Panetta and the current U.S. administration proposed CISPA, the Cyber Intelligence Sharing and Protection Act, last year. The bill was very controversial, having the potential to breach privacy, so it's no surprise that its future remains uncertain. Meanwhile, Republicans seem to favor a more offensive stance when it comes to cyber warfare, along with responsible disclosure from the private sector.

But the real problem is that all of these issues are lumped together in order to push one agenda over the other. Talk of a cyber-Pearl Harbor, or of terrorists launching attacks against U.S. infrastructure, is usually full of hyperbole and very short on facts. For example, while it's true that some of the scenarios described by the Defense Secretary sound horrifying, there's no way to accomplish them solely via the Internet. Most things have to be done on site, and any critical systems shouldn't be connected directly to the Net in the first place. Yet, we don't see a lot of bills before Congress asking for tougher laws on fence manufacturers. This isn't to say no new regulation is needed. It's true that it often isn't in a company's best interests to admit they have been victims of a security breach. Forcing these types of disclosures can only be a good idea, if done correctly.

As for the actual attack surface on critical systems, that also can vary, depending on what is considered critical. We definitely have had examples of defense contractors being hacked, and important documents being stolen. But could an organized entity do more direct and immediate damage? How secure are the really important systems? It's hard to say, because the conversation is always so muddied by various interest groups. An employee at a national laboratory gets a virus on his laptop, and the press claims the laboratory was broken into. Some financial websites suffer a denial of service attack, and suddenly it becomes U.S. banks under attack. A nuclear plant suffers a software glitch and suddenly it's the power grid that's in trouble. This isn't to say we should make light of the situation, but before any real, actual solution can be found, the problem has to be well defined, and IT pros should be brought into the conversation, not just politicians.

No one expected Pearl Harbor, and the simple truth is that no one knows for sure whether a cyber-Pearl Harbor could happen. But in order to get a good idea, we need to focus our attention on the real problems: things like critical servers running 20-year-old code, sensitive servers being fully accessible from the Internet, and policies that promote hiding the fact that something bad has happened, instead of disclosing it responsibly. When that can be done, then we will know where we stand, and we'll be able to counter any potential cyber threat.

What do you think? Are dire warnings like those of Panetta just scare tactics, trying to push a particular agenda (CISPA) or are they a genuine wake-up call to those responsible for the safeguarding of critical systems?

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

73 comments
ccasebolt19

Mr. Lambert, I found that this was an excellent post that demonstrated the growing concerns of the public of a possible large scale cyber attack on the U.S. infrastructure and reasons why there has not been a lot of progress toward a security solution. Being a computer science student with a specialization in cyber security, it was refreshing to hear a realistic take on news headlines, government speeches, and corporate security flaws. In dissecting the Defense Secretary’s speech at the Intrepid Sea, Air, and Space Museum in New York, you indicated that many of the horrifying scenarios described were, in fact, impossible to accomplish “solely via the Internet” and that most of the insecure systems were not actually connected to it. However, I do feel that there are enough critical systems that are inappropriately connected to the Internet and are vulnerable to attack that could devastate the country’s infrastructure. In looking at the damaged infrastructure on the east coast in the aftermath of hurricane Sandy, we can see just how much damage can occur from a loss of power in a relatively small area. Do you think that even though the situation involving cyber security in the nation is drastically over exaggerated and a handful of weak points exist, that there is still a significant problem in store for the nation if those weak points are not addressed? I would say that your overall tone conveys large amounts of doubt in regards to the likelihood of a large scale cyber attack and questions the validity of statements claiming that critical systems are insecure when you focus on stories that talk about “an employee at a national laboratory gets a virus on his laptop, and the press claims the laboratory was broken into,” or “some financial websites suffer a denial of service attack, and suddenly it becomes U.S. banks under attack.” I agree that many of these scenarios are blown significantly out of proportion; however, I must also say that with the growing aggressiveness displayed by China the security holes that potentially exist should be a top priority to fix due to the potential damage that can be done if they are taken advantage of. I would even go as far as to say that they most likely do exist and the only reason that there has not been a cyber attack that has taken advantage of these flaws is that it would be perceived as an act of war or an act of terrorism. Do you think that that might be a deterrent for international forces to attack our infrastructure? Do you think that if other groups grow in technological sophistication, such as a terrorist group, that we would see a cyber attack targeting our infrastructure?

Murfski-19971052791951115876031193613182

Let’s stipulate that a massive cyber-attack on the US infrastructure is possible, and that some entity or other is crazy enough to perpetrate it. The US is not an isolated island, but intimately connected with the global economy, and, in many cases, physically connected via roads, air and sea lanes, and pipelines transporting various types of goods. If the US economy went TUD, the world-wide repercussions would be immense, even if there were no deliberate counter-attack by US resources. I can easily envision a serious depression in Europe, which could spread east into Asia. Without US purchasers, a lot of Chinese-manufactured goods would sit at the docks. Our military presence in places like South Korea injects large amounts of capital into their economy. Non-US airlines fly into US airports in large numbers every day. Not just passengers, either. A lot of that air traffic is critical components for our systems, and for others, as well. These are just a few ideas that occurred to me; I’m sure that, with a bit more thought, we could all come up with a lot more. It reminds me of the analogy someone used for the Cold War. We’re in a locked room, and we have a couple of grenades. I can kill the other guy with my grenade, but I’m going to have a hard time dodging the shrapnel.

Kevin917

Is the issue with this frankly. Is there a large threat to our infrastructure? Yes there is but it is NOT cyber warfare. Our complex modern infrastructure can be destroyed with a small nuke in low earth orbit. The EMP effect would be enough to shut most non-hardened systems down. Many of them would not wake up gracefully afterwards. No pesky Internet access needed. Now if you want to defend against Cyber Warfare, 'cause it's cool to have a bogey man these days, the model to use is our own immune systems. Adaptation and herd immunity are the keys. We need systems that learn how to defend against threats; that requires as much information sharing as possible between systems. The typical government military approach, the push being strongly suggested by the Gov mouthpieces, is the equivalent of locking people in their houses to prevent anyone getting a cold "just in case". Then when somebody does catch one sending them to Guantanamo in isolation. Eventually the majority of the population becomes MORE susceptible to disease not less.

david.jankowski

According to Wikipedia, the CISPA Bill was passed this past April - by the REPUBLICAN-controlled House of Representatives. So where is it that the Republicans (listed twice in the article as blocking this legislation) have prevented this bill from passing? Additionally, our infrastructure and military are CONTINUALLY bombarded by cyber threats DAILY from the Koreans, Chinese, Russians, Muslim Jihadists, and even some of our own allies! If we knew the full extent of these attacks, it would scare most of us to the level of the attacks, how deeply they are in our systems, and how serious a threat this stuff truly is! Yeah, it's scary. However, cybersecurity IS something that needs to be taken VERY seriously or this country - as dependent as it is on computers - can be controlled without some other group ever firing a shot.

BorisdaBadd

Let us not succumb to what Naomi Klein has so aptly labeled "The Shock Doctrine," which is currently being used against us (i.e., "We the people" us) by Government and the Super Rich who tell the Government what to do to maintain their leverage over us "peasants." CISPA is one of the latest programs designed to intimidate (and thereby control) those of us who have families to support, bills (like education loans and mortgages) to pay, and jobs which may be shipped overseas if we don't toe the party line. It will eventually be implemented - perhaps under multiple guises - because most of the public is already too bitter, too bored, too intimidated, or too self-centered to pay the attention Democracy demands of its citizens to remain the law of the land. When I was a young veteran, returned from Vietnam, (then) President Nixon was using assets of the National Intelligence (oxymoron, that) Agencies to keep track of the behavior (social and political) of law-abiding American citizens so that they could be tacitly - and otherwise - black listed for speaking out against government policy against the War and speaking for racial integration and civil rights. The methods employed then, and by men like Senator Joseph McCarthy earlier, were relatively benign when compared to the capabilities available (and in use) today. I wish I could convince myself that, what I see and hear happening today, is all some fantasy or a reality which exists in some parallel universe other than my own. But I know better, and it makes me sick and ashamed to think how wasted and squandered my comrades in arms were back then - and how the trend, since I was shipped home broken almost beyond my ability to repair, continues unabated as I write this. I am not trying to minimize current and potential cyber threats to our country and to each of us by simple extension. 
There are a lot of people in the world who don't like us and who - given the training and opportunity - would try now and in the future to hurt us even more than we are hurting ourselves these days. When I went back to college after the war, I could go into any of the scientific libraries on campus (or Free Public Libraries in just about any town in the US), and find reference books freely available to anyone who could read (or not!) which gave all the details for formulating explosives, drugs, poisons, among other things. When I was growing up in a small Pennsylvania farm town, the FBI had prominently posted detailed instructions as to how to go about building an atomic bomb (which included materials, methods and detailed diagrams) so that we could report our neighbors to the Bureau if we saw them buying the parts or building a device in their garage or basement. The reason I mention these things is because such information is no longer free. Libraries no longer carry books on explosives and demolition techniques because some twisted person might use that information to build a bomb and blow up something other than an annoying tree stump. The point I have been trying to make is this: If we as a nation, and as individuals, have any hope of regaining the freedoms we have lost - or are about to lose - then we will have to assume more responsibility than we are willing to do today to force our elected officials and the ones who pull their strings to give them back. I hope that the rasping sound I hear outside my door continues to be my rusty gate swinging to and fro in the wind, and doesn't become the sound of my neighbors sharpening their pitchforks. The concept of a Cyber Pearl Harbor is a brush stroke on the canvas of a much larger picture which I hope and pray with all my heart you younger folk will never allow to be finished. - whs

Starbuckin

For many years before the 9/11 attacks, I read articles saying, in essence, it's a matter of when, not if, we will have an unimaginably destructive attack on US soil. But when it came, and even in spite of the somewhat smaller scale attacks preceding it, we were utterly unprepared. Creating an atmosphere of dread is useless IF the goal is to protect against a cyber Pearl Harbor. And whether or not that is Panetta's goal, it should be the goal of both government and private sector facilities and utilities to prevent such a crippling attack. So far, everything I have read or heard on this depends on more or less sweeping generalities to make the point. It seems to me that for starters we ought to make a complete cyber-infrastructure inventory. To refer to just one of the vulnerabilities highlighted in this article, certainly, critical systems should not be connected via the highly insecure internet. Do we have any idea how many are? There is no way to plan against such an attack if no one knows exactly where our vulnerabilities lie. I can't even make a personal to-do list for my day tomorrow if I have no idea what needs doing. I have to look around, take stock, determine what is fine as is and what needs attention. I would not expect either government or private industry to publicize the results of such an inventory, but I would like very much to know that either they have accomplished it or they are going to do so post haste.

eankle

I hate scare mongering as much as anyone else but everyone who discounts the idea of America's vulnerability to cyber warfare needs to read "Cyber War" by Richard A. Clarke. He makes a compelling argument about how unprepared we are and how vulnerable our infrastructure is.

Chashew

For as many years as I have been trying to understand half of the reason for cyber attacks, be they Malware or hackers. The only conclusion I can come up with is they like being famous. Like anything that is designed by humans there are always flaws and maybe the biggest flaw in tech is that security apps can be obtained by hack/crackers also. I wonder if those warnings on downloads really mean anything to them about it being illegal to alter or change an app designed to keep us lil guys running? My guess is "Highly unlikely!" so what now? If there is a continuous circle of head chasing tail going on between developers and criminal developers what do we do next to ensure the net stays intact? Now if I ignore the hacker who is playing with my machine will he get bored and go away? If I ignore the virus in my machine will it go away? If we stop publishing every Joe hacker attack will it go away? Just food for thought on a subject created by pomp and self heroism. I do hope that hacker bothering me now can read this. "Idiot!"

daniel_l_mills

Not a train I'm riding on unless the lethal chemicals are bourbon and scotch.

eirvfranke

From the beginning, Panetta is a politician. However he rose to his defense intelligence positions amazes me. Now he has another government scare speech just before his boss is about to have his own Pearl Harbor and of course to blame the Republicans without any deeper analysis. It was a political speech and no more. The bill in question is a classic attempt at more statism and control, with the flag of national security, that oft-used wedge into American freedom, asserted as justification. How many ways to snoop, eavesdrop, spy on, video and record for future use by a government agency at will. Even the IRS can't prevent illegal use of databases. Halloween is the choice time to announce the enemy in the electronic shadows. Is there no offensive capability? Are we disarmed, or is that part of the reduction of forces plans by the American chamberlains in Obama's socialist administration. Perhaps Axelrod will comfort us, or Jarrett who seems to control military decisions in the situation room. Panetta like Hillary like Rice are minions sent out to sour the election and scare us all.

mcarr

Of course state-sponsored cyber-terrorism is possible and by all accounts, has already occurred with the release of Stuxnet targeting the Iranian centrifuges. While it's all well and good to make preparations and even to pretend that you're prepared, the reality is that the creative mind will always find the means to disrupt and there's very little that can be done about it. Maintaining a moderate political stance may reduce the likelihood, but that's about as popular as suggesting that weight-loss can be achieved by exercise and good eating rather than a magic pill...

diman75

How likely? Very likely, especially if it is staged by your own government.

LesNewsom

In my small corner of the world, I do daily checks of my firewall and see countless connection attempts from China, Russia and the like. Mostly, just door jigglers, looking to see if they can get in and they would be successful if I were not doing my job. Unfortunately, I see many networks that are poorly or totally unprotected. I hear "Why would anybody want to hack us? We have nothing anybody would want." That 'Head in the sand' mentality is scary, but it does exist. Alongside of that, is the road warrior who drops in and wants to get on the network. A quick check of their machine shows the antivirus is disabled and/or out of date. Questioning reveals that they "thought it was working" and that "the machine has been acting funny, but I need to get my work done so I was going to wait until I got back to the main office." So, the possibility of a "Cyber Pearl Harbor" is certainly plausible...moreso than unicorns being discovered.

kjjerome

If we can take a few hundred centrifuges offline in Iran it can happen here.

premiertechnologist

Now that so much is online and hackers are so prevalent (good thing most of them aren't that smart, but a few of them are truly dangerous), we are truly at risk... every day. Yes, we need to increase awareness, yes, we need to encourage as many as will listen to take action to protect themselves and others, yes, we need to do as much as we can to secure everything these days. And we will continue doing so. There are two dangers which face us that don't necessarily fit into the standard thinking of technologists: 1) Ever increasing government regulation supposedly to prevent this sort of scenario, but, in fact, designed to remove freedom from us (sure, tax and charge for the Internet and control all content); 2) Political morons that seek legislation to destroy our infrastructure, such as, the politician who wants to eliminate all hydroelectric dams to save the fishies because he's too stupid to understand the concept of fish ladders. In an age of hyperbole and opinion doing more damage than real threats, we have the complicating factor of obtuse obfuscation of real problems distracting us from ones that are about to nip us. The price of freedom is continual vigilance and a lot of diligent intelligent hard work.

Kevin Morrison

sperry532@ - Y2K had to do with code that was not written to function with dates past 2000. It had nothing to do with anything you are thinking. I don't agree with the notion that a cyber attack could be as bad as Pearl Harbor and yes I think this is language to push an agenda about a topic that most do not understand using a horrific time in our history. Yes these cyber bullies can do some things but as was stated anything that is of a critical nature should not be connected to the web and if there are then the idiot that allowed it should be the one swinging from a tree. Of course look at all our government does now and gets away with it.

Michael Rivero

Iran is not in the habit of starting wars. In fact they have not started a war in over 200 years; a record neither Israel nor the United States can match. Nor is Iran stupid enough to carry out an overt act which would justify the long-sought invasion by the United States. Should a cyber "Pearl Harbor" happen, the most likely perpetrators are Israel and the US and the most likely target Wall Street. Think about it. Europe is disintegrating and Wall Street has sold trillions of dollars worth of credit default swaps against Europe's debt; swaps for which they do not have cash reserves to pay claims on. The moment Greece, or Spain, or any other EU nation collapses, those default swaps come due. If the US Government simply declares those swaps null and void, the derivatives market will collapse. If the US Government simply prints up the cash to pay those trillions in claims, the resulting inflation will collapse the dollar. If the computers are taken down by those "evil Iranians" (Reg Trademark White House), in a stunt reminiscent of Tom Clancy's "Debt of Honor", nobody knows who owes what to who! And it's all Iran's fault (nudge nudge wink wink). Such a faked cyber attack would allow the money-junkies to duck the blame for the mess they have made of the US economy with their Ponzi-scheme central bank, as well as angering Americans into yet another war of conquest. And such an "attack" would justify the government taking complete control of the internet, for the sake of "National Security" (and to silence the alternative media).

kweinberg34

Speeches are meant to get attention; hyperbole is all part of the metric. On the other hand, of course there are people in the world that mean to do other people harm for whatever reason (for some, it's amusement...). It is a basic responsibility of the individual to make themselves secure, just as it is a corporate responsibility to be as secure as possible. The world is still getting used to the idea that its interconnection is like living in a house with only screen doors (walls, ceilings, floors) and that privacy and security have taken on whole new meanings. Corporate entities may do a good job of securing their infrastructure, but if they don't impress upon their employees that they share some of the burden for security, the corporate entities are seriously dropping the ball. In my (limited) experience with corporate IT policy training, I have yet to hear words to the effect of, "If you do or fail to do X, Y or Z, you run the risk of crippling or killing the ability of our company to pay you". Investing the employee with some sense of ownership for security would be a good start to closing up some of the holes.

gjpc

Having worked with and on control systems ranging from TMI to large petroleum processing installations, I have always been terrified of the minimal to non-existent security. This article woke me up about the planned up-coming cyber warfare attack. Listening to Mr. Panetta, it is not going to be pretty. You see, like Pearl Harbor, the Gulf of Tonkin and September 11 this attack is being planned right now by our very own leaders of the US Military Industrial Complex, or in current times should I just say the US Government? The timing is perfect, we are just about to put another Madison Avenue groomed puppet into the White House. Dick Cheney's Project for the New American Century is already underway. Witness the US cyber attacks upon Iran's peaceful nuclear industry. Witness the media drums beating on how Iran, as isolated and broke as it is, is a dire threat to each and every peace loving freeman alive. Witness how some PM's are appearing before the UN stating the case for an all out attack on Iran, NOW! Listen how both adorable presidential puppets have drawn "lines in the sand". I am just wondering where Mr. Panetta is planning to drive his little choo-choo stocked full of innocent civilians and lethal chemicals off the tracks.

dhuckstep

Great article, up until the point when you left your wingman... There are two obstructive parties in Washington; not only one. To use an article to promote the perspective of the left is disingenuous to the basis of the content and severity of the issue being written about.

GastonP

This whole discussion reminds me of the 90's. When people said planes will fall from the sky, trains will stop and things will explode in year 2000. This generated an enormous amount of work for IT consultants to get all systems checked. After all, it is not a bad idea. I might just start a business auditing network security.

jsv6

Many, many points of infrastructure control lie outside the perimeters of power plants, natural gas pipelines, petroleum pipelines, and the like. There are, for example, thousands of compressors and switches. Can they be hacked? Of course.

ProfessorLarry

Precision guided munitions are complicated and expensive; roadside IED's are cheap and simple. The former are only in reach of nation states; the latter can be cobbled together by anyone with a grudge or an agenda. The same applies to cyber-attacks. The sophisticated software engineering in the precision-targeted Stuxnet-Flame-Gauss suite of cyber-weapons is probably achievable only by crack teams with extensive resources, but a dedicated team of terrorist hackers can pull together enough from public resources to launch effective attacks that cripple or destroy multiple facilities. They do not have to worry about collateral damage or getting the parameters just right. The purpose is chaos and fear. Droppers that only work on 1 in 10 targets and code that only throws some of the generators out of synch but rattles the windows elsewhere is quite acceptable. How real are such threats? >there’s no way to accomplish them solely via the Internet. Most things have to be done on site, and any critical systems shouldn’t be connected directly to the Net in the first place.< This is a naïve and simplistic view of industrial control systems. True, critical systems should not be connected to the Internet, although a depressingly large number are. (There are even search engines that can help you find which ones are directly accessible.) However, even the ones that are supposedly isolated by a so-called "air gap" are, in the vast majority of cases, reachable. The Second Law of Cyber-Terrorism states: "Absolute isolation of any computer system from outside connection is impossible in practice; the so-called air gap is an illusion." The Iranians learned this at Natanz. Their highly secured facility was controlled by "completely isolated" PLC's, yet the Israeli-American designed Stuxnet was able to worm its way into the controllers. How? 
All control software needs to be maintained to fix bugs, enhance performance, or accommodate new hardware or changing conditions; all the software used to program controllers needs to be maintained as current for similar reasons. Ultimately there is ALWAYS some indirect route that connects the PLC's on the installation floor to the outside world. Pen testers (penetration analysts) will tell you that in virtually all practical circumstances, they can find a way from the Internet to the factory floor. In the absence of regulations mandating enhanced security, little will happen because the economic incentives are all biased against investment in security--and security in ICS's is likely to be enormously expensive. Many in the cyber-security community believe that little progress will be made until terrorists--state-sponsored or otherwise--spread a major swath of darkness over the land or reduce the generators at a dozen plants to scrap metal or ignite a flaming corridor along the gas lines of the Eastern Seaboard. All of these scenarios have been shown to be possible. Bad though an extended blackout caused by disruption and corruption of the power grid may be, far worse is the prospect of doing to generators on the grid what happened to the centrifuge motors at Natanz. The Third Law of Cyber-Terrorism: Anything that rotates under computer control can be destabilized or desynchronized under computer control. (Citation on request.) An attack based on this scenario was designed as far back as 2003 (see, Web Games, Lior Samson) and a proof-of-concept demonstration conducted by DHS in 2007 (Aurora Project). In short, the attacks that Panetta dramatized are far easier to pull off than most people realize. Such warnings will continue to be called scaremongering or self-serving promotion until something happens. Then whatever administration is in office will be blamed for not being prepared. --Prof. Larry Constantine (pen name, Lior Samson)

toddah

Having worked as an industrial Sr Controls design and debug Engineer for almost 21 years and now being in Government IT for over 10 years I see the building blocks of this being put in place right now. We are seeing increasingly complex controls systems being put in place to control our infrastructure systems like water supply, wastewater treatment, emergency communications, transportation and security and the employees in most of these physical plants are at best computer illiterate having had no need for these skills in the past. So when the contractors are all done installing, debugging and proving the new systems they pull up stakes and move on to the next contract and in doing so the plant operators are left looking at complex systems through a screen of icons that are either green, yellow or red not understanding what each of those things are in physical reality. This situation leads to these systems REQUIRING communications back to the installation contractors so they can jump in and either correct the situation or help the operators understand what is happening. I fight on every project coming in the door to try to instill some sort of security awareness to the conversation during budgeting, design and installation but in the end budget money is used for things like more police or firemen instead of operator training or including firewalls or monitoring devices to actually watch these new systems in the budget. Thus when the new systems are up and running we see things like a charter cable modem installed in a wastewater treatment plant to circumvent IT because "we are making it too difficult for the operators and contractors to save money" by doing remote support when problems arise. We are told the operators will only hook up the "modem" when they need assistance and will physically unhook the "modem" when they are finished. THIS IS REAL LIFE IN MY TRENCH!

rcoady67

I have worked on many control systems. Most are on isolated networks that are not routed to the Internet. The likelihood is low that these critical infrastructure systems can be taken down easily. In most of these areas, Internet access is prevented to reduce the risk that a machine that has access to both segments can be used to bridge the gap. Probably more hype than anything, and when a politician is carrying the torch for this, it is probably to push his/her agenda.

wanderer

My favorite is "derail passenger trains carrying lethal chemicals." Did he really say that? When did we start transporting lethal chemicals on passenger trains? Of course, Al Gore invented the internet so I guess anything is possible...

Rob3214

How about the risk of outsourcing companies' back office to foreign powers that may switch off / corrupt systems any time?

generalist

A Pearl Harbor in the 21st century doesn't need to be a single, catastrophic event. For instance, eroding faith in the financial system, piece by piece, is a smart black hat move. DDOS (verb) banks, financial SAAS, Wall Street, etc., and financial data movement might be reduced to a trickle, and that's just one example. What about all the other sloppy code that props up our target rich environment? Big players should be forced to lock down their systems. Naive and/or greedy executives might do a lot of squealing about lost profits, but I suspect they have enough cash to solve for safety and reliability rather than short term profit.

verd

The Answer to 1984 is 1776 You are the Resistance Resistance is Victory

HAL 9000

But then again not everyone who wishes harm on the US is another country. Way too often those who want to Harm the US want this for Ideological Reasons which have nothing to do with winning a war they just want to damage and destroy or at the very least do as much harm as possible. Your country experienced this in 2001 and is currently still paying the price of that single attack. The person cited as responsible for that attack has sprouted thousands of followers and different groups many of which will never be known about till after they strike. You are under the mistaken impression that those who would attack want to make a Financial Benefit for themselves the reality however is that they want an Event to pin their hopes on and a successful attack is all that they require. The more International Damage that they do the better it is for their beliefs even though they may end up with less money to mount further attacks later. ;) Col

joeller

So what your rant states is that there is no threat, but the way to stop the threat is to react preemptively. As even Ronald Reagan discovered the way to defend yourself is not to attack, but to ensure an attack never happens. Thus his rapprochement with Gorbachev. Yesterday's enemy becomes tomorrow's allies. Look at US history. Boogey man England became our closest ally. Germany and Japan are allies after nearly being bombed into the stone age. China was turned from our arch enemy into an ally against the Soviets. Russia provided support for Desert Storm against their former client. Even Vietnam is now considered a valued trading partner despite our having dropped twice as many bombs on them as all the bombs dropped during WWII, Korea, Desert Storm, Iraq, and Afghanistan combined. Those nations who are not willing to try diplomacy will follow the course of the Roman Empire. Socialist? Show me one line in Marx about the government providing money to private companies to do anything. This administration has provided more money to private industry in real terms than any since Roosevelt. If this administration were truly socialist, then everyone in the country would have at least the health care provided to the Military free of charge. Instead they ensured that the private insurance companies would have more customers and that the for profit health care providers would be ensured of being paid rather than having to provide catastrophic care with no chance of recovering their expenses.

mike.akdds

Were you to walk in my office, you'd be puzzled by the dents in the brick wall. They would be from me pounding my head against it. I run into that mentality every day, mainly from people in the headshed who are mortally afraid that they will have to write checks to pay for something they don't understand, have no desire to learn what it takes to understand and don't WANT to understand the possible threat. I can sit and do WHOIS searches on IP addresses from the router logs and bring the location up on Google Maps until my eyes bleed. And it STILL isn't enough proof for these people. Yet if the network crashes because some idiot road warrior passes a trojan along with their daily sales reports because the AV is shut down because "it slows the network down", who gets the profane phone call at 3:00am? You guessed it. Me.

wdewey@cityofsalem.net

Shut down the electrical grid during a large winter storm and see how many casualties there are. Keep it down for a week and see what economic repercussions that has. There are things we depend on that are run by automated equipment and compromising them could have some pretty disastrous effects. If you can compromise enough of a system over a period of time (corrupt backups) and then launch a strategic strike it could take an extended period of time to bring those systems back online. Flame and Stuxnet have been thought to be in the wild for over two years. They had access to large parts of critical systems. If this had been some terrorist plot it could have shut down major systems for an extended period of time and had untold effects on the local population. It's not only possible, it has been done in a targeted manner that the operators specifically worked extremely hard to impact only specific systems. Broader, generic attacks are easier and more likely. Bill

joeller

So is this going to be carried by the same government agency that carried out the two Kennedy assassinations, the King assassination, and 9/11? Or maybe the Trilateral commission and the Bilderberg Group? :roll: (eye roll)

alphaa10

Speaking of disingenuous approaches, it is partisan analysis to conclude when Democrats fail to capitulate on all points to the GOP, this is a refusal to negotiate. The GOP opposed urgently-needed measures of cybersecurity for the same reason it demanded tax cuts for millionaires be left in place-- partisan leverage for narrow, partisan purpose. The GOP cannot be accused of either responsibility or patriotism.

sperry532

The Y2K problem was very real. The reason it did not happen on a massive scale was that tens of thousands of programmers spent hundreds of thousands of hours reviewing and rewriting hundreds of millions of lines of code to correct the problem. As it was, there were some isolated incidents, which were reported at the time - which dropped out of the news cycle quickly because they didn't crash trains or bankrupt countries - but they were nothing like what could have happened had people simply laughed and ignored the problem. BTW, NO reputable source EVER suggested planes would fall from the skies, nor things explode. These hyperbolic suggestions were circulated by uninformed people who claimed the problem wasn't real, much like what's happening now with internet security.

alphaa10

Exactly as you point out, what we term cyber- or digital infrastructure is literally all over the landscape. By the same token, a very low technology attack requires only a man with a backhoe (or an axe) to take out critical sections of cable, and isolate half the country. (It already has happened.)

alphaa10

In a document of more than a decade ago, China's People's Liberation Army published a document which stressed the importance of blinding an opponent before launching an attack. According to this approach, an attack begins with disabling connections and/or feeding incorrect information to specific points on the data infrastructure. This mode of attack is anything but brute force, and requires extensive reconnoitering of a target to bring off properly. Through the PRC's "Titan Rain" probes, such surveillance has been underway for more than a decade. To presume the cutting edge of a cyberattack would take aircraft out of the sky, blow up reservoirs and poison urban areas completely ignores how devastating interruption of power and/or communications would be. All of the above is possible by hijacking of power and data systems, but the principal damage is paralysis of the vast number of ordinary systems on which everything else depends.

mike.akdds

Entirely too many times I've set up systems on a supposedly "secure" network then, upon the insistence of the owners of this "secure" network had to install some sort of remote access tech so they wouldn't have to pay for a tech to drive to the location to do something they didn't want to pay to have their people trained to do. This meant their "secure" network now had a "hole" in it. Invariably, this "hole" would turn into full-blown internet access, with employees visiting Facebook, YouTube, general web surfing and in one case an admin running a gaming server. Oh, but everything was okay, because they had a "secure" network. There is NO SUCH THING as an unhackable system. Period.

GAProgrammer

While zero outside connectivity is ideal, "we are told the operators will only hook up the "modem" when they need assistance and will physically unhook the "modem" when they are finished. " is at least a better alternative to 100% connectivity. It sounds like they took your concerns to heart.

HAL 9000

But then again the Drone Center is isolated from the Internet and it was still infected by staff coming in plugging in their unsecured USB Devices and infecting the systems. Expecting the people to do the right thing without training them isn't security it's stupidity and the people in charge are on their knees begging for infections. Col

alphaa10

Wanderer said, "Of course, Al Gore invented the internet..." ---------- This mendacious GOP misquotation of Al Gore says far more about the abysmal personal ethics and educational level of the person who uses it, than about Al Gore. Gore, himself, did not make that claim-- the GOP did. Their spin factory simply lied in an RNC press release, hoping illiterates would pick up their partisan misquotation and pass it along. During a CNN interview, Gore said, "During my service in the United States Congress, I took the initiative in creating the Internet"-- a claim that even former House Speaker Newt Gingrich verifies as true, because Gingrich knows Gore refers to a legislative, not a technical role. Those who were listening to the Wolf Blitzer interview never thought Gore took credit for the technical side of what some mistakenly call the "web". However, Gore clearly did take early congressional leadership in pushing federal development of the nation's first high speed computer network-- the foundation of what eventually became the internet. Gore as chairman of a key science subcommittee (1986) facilitated establishment of five supercomputer centers through the National Science Foundation, centers which became the cornerstone of the Internet. To those GOP bozos who deny the importance of government in science and technology, here is an article that provides urgently needed perspective-- http://en.wikipedia.org/wiki/High_Performance_Computing_Act_of_1991 and this-- http://blogs.scientificamerican.com/observations/2012/07/23/yes-government-researchers-really-did-invent-the-internet/ and this-- http://en.wikipedia.org/wiki/Al_Gore "Internet pioneers Vint Cerf and Bob Kahn noted that, 'as far back as the 1970s, Congressman Gore promoted the idea of high speed telecommunications as an engine for both economic growth and the improvement of our educational system. 
He was the first elected official to grasp the potential of computer communications to have a broader impact than just improving the conduct of science and scholarship [...] the Internet, as we know it today, was not deployed until 1983. When the Internet was still in the early stages of its deployment, Congressman Gore provided intellectual leadership by helping create the vision of the potential benefits of high speed computing and communication.' "Gore introduced the Supercomputer Network Study Act of 1986. He also sponsored hearings on how advanced technologies might be put to use in areas like coordinating the response of government agencies to natural disasters and other crises. "As a Senator, Gore began to craft the High Performance Computing Act of 1991 (commonly referred to as "The Gore Bill") after hearing the 1988 report Toward a National Research Network submitted to Congress by a group chaired by UCLA professor of computer science, Leonard Kleinrock, one of the central creators of the ARPANET (the ARPANET, first deployed by Kleinrock and others in 1969, is the predecessor of the Internet). The bill was passed on December 9, 1991 and led to the National Information Infrastructure (NII) which Gore referred to as the "information superhighway."

joeller

Anyone can see from the context that Freight trains carrying lethal chemicals was meant. I worked for the railroad for 11 years. In 1981, at Potomac Yards in Alexandria Va, a car load of Nuclear waste derailed in the yard, while I was working 10 feet from it because of an issue with the automatically controlled switches. More recently, on November 10, 1979 in Mississauga, Ontario, Oct 7 2011 in Tiskilwa, Ill, and July 11, 2012 Columbus, Ohio, mass evacuations were caused by explosive derailments involving toxic chemicals. One thing I learned in my many years in the Navy and supporting the Navy, the Military plans for enemy capabilities not enemy intentions, and, they always plan for what they think is the worst case scenario. While, most likely, any attack would not be a massive all-around attack, look at what happened the last time the Navy said "Oh they won't do that." in the fall of 1941. We already know the Chinese have been sponsoring cyber-attacks on DoD systems for years. We already know they are friendly with Iran. We already know Iran resents our efforts to keep them from developing a nuclear capability. We already know that Iran sponsors terrorists. We already know that terrorists are developing greater cyber capabilities. While a + b + c may not always be combined to equal d the fact that they can, should raise enough of a concern to take precautions. For those concerned about privacy, they should address issues like the so-called Patriot act, or the laws restricting the rights of consenting adults, not legitimate concerns about vulnerabilities that can be exploited in a catastrophic way.

mckinnej

While I think you started out right in your thought process, death by 10,000 cuts and all that, I don't think there will be an all-out war. They, meaning China, depend on us too much. Strip away their income and they will collapse, like pretty much anyone would. What we would have to worry about are the so-called rogue states like NK and Iran. They don't have much to lose. It doesn't require large armed forces or even that much money to launch a cyber attack. While I doubt they'd be able to take us out, they could certainly disrupt us for a while.

HAL 9000

Resistance is Exhausting. I have to want to believe that Resistance is good but after the recent events here of Ransom/Hostage Ware being reported in the Press and the people do not want to learn they simply buy new computer systems believing the Marketing Spiel that they are better. The simple fact of the matter is that no matter what the untrained or worse still the person not caring what happens inside their computer is the Biggest Security Hole possible and those are the ones impossible to plug. Col

Murfski-19971052791951115876031193613182

I thought about the suicide-bomber mentality, but didn't take it to the point that the bomber wouldn't worry about his/her entire country going under, as well. Of course, a number of the countries who would like to pull off an attack like this are kind of in the stone age anyway -- both economically and culturally -- so winding up with a medieval technology level would actually be an improvement.

gjpc

Incontestable proven US government conspiracies: Gulf of Tonkin; Iraq war. Do you need a third?

joeller

The Navy's connectivity is extremely slow. To download a patch or an update could take a while. How long do you think the cyber-attackers need you to be connected?

Cmd_Line_Dino

An excellent detailed history. For those interested in a great report on how vested interests have fought to defeat any belief that climate change is real, Frontline has a program, "Climate of Doubt", which can be watched on their web site. Just watch it and think about what you see.

joeller

Gulf of Tonkin was not so much a conspiracy as a provocation to provide justification to continue a war in which the US was already involved. The conspiracies were the cancellation of free elections by the Diem U.S. puppet regime and the CIA backed assassination of the corrupt Diem to engineer a regime change. The ensuing war eventually brought down both the Johnson and Nixon administrations. While rumors abound that Bush stated after 9/11 "See if we can find some way to pin this on Iraq", that has never been proven. It is true the Bush administration engineered the war in Iraq, but conspiracy generally means it was done in secret. This was done in the light of day and anyone with intelligence could see it happening and predict the outcome. Unfortunately that did not include most of Congress. However, the result has made Americans a lot more gun shy about knee jerk reactions to alleged WMDs. Regarding the Iran nuclear issue, if Iran had really only wanted Nuclear plants for peaceful uses, they would have taken one of the offers by the Bush administration and other governments to be provided with Nuclear power plants that could not be used to produce weapons grade uranium. Instead they chose to build their own centrifuges to refine uranium. (And why a country sitting on a sea of oil needs nuclear power plants is completely illogical.) Furthermore the last thing the US economy needs right now is a war and increased defense spending. Panetta understands that as do most of the people in the US which is why Romney completely changed his position in this week's debate to pretend that he was not going to cave in to the Neo Cons to start another war. And finally, it was Iran that slapped away the diplomatic overtures that the President made back in '09. Therefore, "as ye sow, so shall ye reap." A few years ago as I remember it, a computer glitch caused a huge sell-off on Wall Street resulting in the biggest one day percentage drop since Black Monday in 1987.
Any tampering with the financial computers as suggested by Mr. Rivero would devastate the economy and result in a Republican Congress and President. Not hardly an outcome desired by Mr. Panetta. To quote Larry Niven, "Think it through."

wdewey@cityofsalem.net

Stuxnet was about 500k, but security researchers said it was unusually large. Bill
