Patrick Lambert considers a recent speech by U.S. Defense Secretary Leon Panetta warning about cyberwar threats.
When talking about Pearl Harbor, especially when it's from the U.S. Defense Secretary, chances are he's talking about some very critical event. So it's no surprise that when Leon E. Panetta spoke of a possible cyber-Pearl Harbor earlier this month, it made the rounds in the media. It's clear what he meant — one huge targeted strike against U.S. infrastructural targets — but what is less certain is how likely such an event is to occur, what would happen afterward, and what type of measures can be used to prevent this in the first place? This isn't a new concept, and the U.S. Government, along with security researchers all over the world, have been thinking about such a major security scenario for a long time now. Let's see what the current status of our infrastructure security is, and what the various parties involved are proposing to fix any potential problem.
Panetta's speech at the Intrepid Sea, Air and Space Museum in New York, painted a very dark picture of what the future might hold for the Internet, should a cyber-Pearl Harbor occur. He said that several foreign actors are currently developing the technological capabilities that would allow them to carry forth such an event, including China, Russia, Iran and various militant groups. He said: "An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches." Later in his speech, he also added some varying attack scenarios, saying, "They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country."
Finally, when asked about what he would propose to prevent something like that from happening, he pointed to a recent cybersecurity bill, which was blocked in August by Republicans.
So is the picture portrayed an accurate depiction of things to come? The answer isn't simple. On the one hand, it's true that there are likely big security holes in devices and software running some critical pieces of equipment, whether that be in the power grid, water, or other critical systems. Most of these things were designed a long time ago, before security was much of a concern — besides putting up fences and a locked gate. Then, you have corporate security, composed of servers and networks that routinely get hacked and broken into, and where sensitive information can be accessed. So Panetta, and the current U.S. administration proposed CISPA, the Cyber Intelligence Sharing and Protection Act, last year. The bill was very controversial, having the potential to breach privacy, so it's no surprise that its future remains uncertain. Meanwhile, Republicans seem to favor a more offensive stance when it comes to cyber warfare, along with responsible disclosure from the private sector.
But the real problem is that all of these issues are lumped together in order to push one agenda over the other. Talks of a cyber-Pearl Harbor, or terrorists launching attacks against U.S. infrastructures, are usually full of hyperbole and very few facts. For example, while it's true that some of the scenarios described by the Defense Secretary sound horrifying, there's no way to accomplish them solely via the Internet. Most things have to be done on site, and any critical systems shouldn't be connected directly to the Net in the first place. Yet, we don't see a lot of bills before Congress asking for tougher laws on fence manufacturers. This isn't to say no new regulation is needed. It's true that it often isn't in a company's best interests to admit they have been victims of a security breach. Forcing these types of disclosures can only be a good idea, if done correctly.
As for the actual attack surface on critical systems, that also can vary, depending on what is considered critical. We definitely have had examples of defense contractors being hacked, and important documents being stolen. But could an organized entity do more direct and immediate damage? How secure are the really important systems? It's hard to say, because the conversation is always so muddied by various interest groups. An employee at a national laboratory gets a virus on his laptop, and the press claims the laboratory was broken into. Some financial websites suffer a denial of service attack, and suddenly it becomes U.S. banks under attack. A nuclear plant suffers a software glitch and suddenly it's the power grid that's in trouble. This isn't to say we should make light of the situation, but before any real, actual solution can be found, the problem has to be well defined, and IT pros should be brought into the conversation, not just politicians.
No one expected Pearl Harbor, and the simple truth is that no one knows for sure whether a cyber-Pearl Harbor could happen. But in order to get a good idea, we need to focus our attention on the real problems: things like critical servers running 20-year-old code, sensitive servers being fully accessible from the Internet, and policies that promote hiding the fact that something bad has happened, instead of disclosing it responsibly. When that can be done, then we will know where we stand, and we'll be able to counter any potential cyber threat.
What do you think? Are dire warnings like those of Panetta just scare tactics, trying to push a particular agenda (CISPA) or are they a genuine wake-up call to those responsible for the safeguarding of critical systems?