At Dawn We Sleep (nytimes.com)
44 points by k2enemy on Dec 7, 2012 | hide | past | favorite | 37 comments



    Premise A: "Something must be done."
    Premise B: "This is something."
    -----------
    Conclusion: "This must be done."
I call bullshit.

I do believe that key pieces of global computer infrastructure are at risk of attack. But the threat will not be eliminated by scaremongering, or by handing POTUS the ability to 'shut down the internet' in the case of an emergency (a situation which would arguably lead to more catastrophic failures than any 'cyber attack').

The obvious thing to do when facing a direct military threat is to step up defense forces (missiles, infantry, warships, whatever) in the area you're expecting to be attacked in. But no such obvious solution exists in the case of 'cyberwarfare'. You can't just 'build a digital fortress' with a pile of bricks. I've yet to hear a sound explanation of how legislation will protect computer infrastructure.

Despite our protestations, the governments of the US, UK, Germany and whoever else probably will pass cyberspace protection laws, that only deprive us of freedoms we've grown accustomed to, do little to secure anything, and drive up barriers to entry in more industries.


It is certainly interesting times in that if country A sends even a remote controlled plane into country B, then country B can deem that as aggression and proceed. In the digital age attacks akin to that happen all the time yet we are only told they happen and that we need to react.

There is nothing evident that the consumer public at large can relate to as there is no physical object or clear damage.

Then there is the aspect that an attack from country B upon country A done on the internet is nothing to do with country B in any intended form and is the product of a few people sat at home who have no official right to be doing the attack. The internet allows criminals to expand beyond their physical computer reach and extend globally. How do you separate a military attack from a lone gunman or criminal collective? With great difficulty alas and with that, everything gets labelled at the country level and deemed as an official attack.

In a World that even at war has standards and a code that is followed, then it is about time perhaps that such a convention/standard was globally agreed upon to encompass the digital age. Certainly agree that hospitals' IT systems are a no go area, I know many an evil black hat hacker adheres to this moral code already, some things are just not cricket. But as a global official agreement, there is nothing.

This sadly lends itself to a World that can be manipulated and in that laws that protect movies and music far outweigh the ones to protect Hospitals and patient data and in that the level of money to enforce this is very much biased in one direction sadly. It is the new think of the children meme used as an excuse to enforce control and with that we have the think of the internet attacks has now become the norm. Certainly think about and process them, but in a fair way and not by putting up a large stop sign and thinking that is how you control those doing the bad things when it only impacts those who are upstanding more than not. Can even cause somebody upstanding to become disillusioned and with that add to the issue that is never really addressed directly.


The threat of a "cyber-Pearl Harbor" is completely unfounded and ridiculous, but frankly that's what I'd expect from Lieberman. Hackers are extremely good at taking down specific sites that have specific issues with their security, not disabling entire swaths of networked systems. When some sect of Anonymous decided to attack Israeli computers during Pillar of Defense for instance, they claimed victory because they took down nearly 500 Israeli systems...which were just random Israeli websites with major security flaws, mainly grocery stores, locksmiths, and one government website dealing with economic investment. Such an operation is not difficult, yet accomplishes nothing. Actually attacking large numbers of computers used in the US, especially those used for defensive capabilities, is essentially impossible, because each one requires a different attack, assuming there isn't some massive as hell security hole sitting in the middle of ubiquitous server software, which I'd say is unlikely. Sure you can take down the Texas Water Utility, but you couldn't take down the utilities of every water system in the United States simultaneously without spending a significant amount of time on it and hoping nothing changes once you crack one and move on to the next. Nobody, not even China, has the personnel to hit all of our major systems at once.

Hell, not even taking down the DNS network would do all that much, as most computers that form the backbone of our medical and financial systems use IP addresses, instead of URLs, as their primary method of connecting to other servers. The military doesn't even use the main IP system, they have their own.

As most people who actually work within this world know, the primary ways of gaining access to systems are social engineering, system defaults, and insecure handling of access information. The world has gotten smart enough now where practically all of our important infrastructure is very well guarded against these attacks. That isn't to say they don't happen, but it's rare, too rare for the possibilities of a full-scale "cyber-attack."


These attacks did not have to be initiated from within the United States or even a few miles offshore. Cybersecurity experts believe Iran is the likely culprit in both attacks, and we fear this is just the beginning.

The headlines before the attack on Pearl Harbor turned out to be delusional. No one can reasonably entertain such a delusion about our adversaries’ capacity to attack us in cyberspace today.

Time has almost run out in this session of Congress, and President Obama will soon issue an executive order that will establish cybersecurity standards for critical infrastructure according to the statements of his top cabinet officials.

For the most part, I was along for the ride on this op ed piece. However, when the authors started suggesting Iran might in some way be behind a Pearl Harbor event, I lost interest. When they suggested new legislation that might hinder my ability to use computers without actually improving security for the US, they lost me completely.


The harsh reality is that such an attack does not require extensive computer skills. Earlier this year, The Washington Post reported on an overseas hacker who gained control of a small Texas water utility using Internet tools available to anyone.

I really dislike statements like this. The latter does certainly not imply the former. There surely wasn't a "Texas Water Utility Taker-downer" published on the Internet. A would-be attacker still needs to understand how to exploit security vulnerabilities. While resources for learning such skills can be found online, it's not as plug-and-play as the Times is portraying it.


They are almost certainly referring to the use of http://www.shodanhq.com/ to look for SCADA banners.

Try it sometime if you want to gaze upon the gossamer veil twixt normal western life and 28 days later style chaos.


28 days later style chaos: this is what he'll experience when the US gov drops the hammer on him for scanning "strategic" installations, right?


You don't need to scan them, shodan has done it for you. That's the point.

Eg http://www.shodanhq.com/?q=Rockwell

But yes, as ever, don't do stupid stuff if you're not satisfied with your own safety.


Who is going to declare war with the strongest military power and most warlike nation on the planet? I believe in having minimum standards for cyber security in order to provide reasonable security for data but this seems incredibly alarmist. It seems like it should have the headline: "War on Terror II: This time it's going cyber!"


Declare war? Which century do you live in? The US has not declared war in over 70 _years_.

In fact one of the biggest issues with a cyber attack is that we may never know where it came from.


You're joking right?

If you believe what you're saying, I am reminded of 1984.


June 5, 42. USA declares war on Bulgaria, Hungary and Romania.

It has not declared war since.

How do you detect that any given country is behind an attack launched by a botnet of American computers?

Heck we still don't know that it was the US who were behind Stuxnet.


You're talking about formal declarations of war.

Afghanistan? Iraq? Vietnam?

Going to war might not be semantically the same as declaring war, but that doesn't change a thing, within the context at hand.


Do you understand the technical reasons making it hard to get a reliable 'return address' for someone who cracked a system?


I do.

I also call BS on:

1. The US has not declared war in over 70 _years_. -> Denial of objective reality.

2. In fact one of the biggest issues with a cyber attack is that we may never know where it came from. -> OMG must control internet.


It's absolutely true that SCADA systems are horrifically insecure and there is very little incentive for a private company to upgrade security. It costs a lot and doesn't give ROI (yet).

Something must be done, sooner would be better than later.

I would rough out a plan like so:

* CIP companies must upgrade their security, which will be audited by Federal pentesters.

* Their security upgrade will be funded partially through grants.

* Failure to implement security will incur fines sufficient to ruin the company, without exemption.

* Audit findings will incur fines scaled according to the severity of the audit finding.

Note that CIP companies are in a different class than other companies. These companies ensure that life goes on. Water treatment plants, electrical utilities, other similar installations. These companies by their nature ought to be subject to a more careful eye by the public, because the public depends on them.


"In invoking Pearl Harbor, we’re not trying to be alarmist — we’re borrowing an analogy the defense secretary, Leon E. Panetta, himself used in an Oct. 11 speech about what a catastrophic cyberattack might look like."

We're not trying to be alarmist; we're parroting someone trying to be alarmist.

Right. Okay.


Beat those drums. We need people ready for war.


Precisely. This reminds me of, albeit less dramatic, fear mongering akin to Colin Powell announcing to the United Nations that the USA has proof that Iraq has WMDs. Of course when we showed up in Iraq, Colin Powell ended up looking like a fool because his facts were so incorrect (few remembered Colin's address at the time though).

Scaring people to manipulate them...I see it happening, I just rarely understand to what end.


With the two current wars winding down America's Heroes(tm) need new villains to fight. War is good for business, remember?


Consider the source - Sen. Joseph Lieberman - a republican shill wearing Independent (once Democrat) sheep's cloth.


Not sure what your point is - considering it's a democratic bill, and the President is going to use imperial power to enact most of the legislation through executive order anyway. And we all know the Chamber of Commerce (the "bad guy" in the op-ed) is anti-republican.

Power grabs are a bipartisan affliction.


I sort of tuned out after about two paragraphs once my "scary-boogie-man-justifications" meter redlined, but I could imagine something along the lines of PCI compliance being a reasonable first step. The government or whoever would establish a set of baseline security standards, and then private and public agencies that appear to be risk targets are required to meet those standards. If (IF!) it were kept relatively straightforward - this could provide a lot of value with a minimum of additional government.

I'm not familiar with HIPAA privacy regulations - those also might be a reasonable place to start.


    Earlier this year, The Washington Post reported on an
    overseas hacker who gained control of a small Texas 
    water utility using Internet tools available to anyone. 

Why is any critical piece of infrastructure connected to the internet at all? Disconnect and use sneaker-net instead.


Because utilities are connected across vast geographical areas. Usually, you can get by with local control in isolated stations, but some applications (such as synchrophasors on the power grid) need wide area networks for control. And it is much cheaper to ride the internet in some parts than it is to build your own isolated wide area network infrastructure (which still wouldn't be immune to physical access).

The idea is to encrypt everything, use a firewall, and have user account control. There are standards for how to do this safely (NERC-CIP). And isolate every network from the net unless it's absolutely necessary.

Right now we're in a state of flux. The industry will mature as younger engineers with computer backgrounds and an understanding of IT (like me) take over.


If someone gained access to just the synchrophasors, could they shut the whole plant down? Or is this just the point of "leakage" into other parts of the system? Can the phase synchronization still not be done by hand? I'm just trying to understand the example more.

These are large-scale engineering projects, and it's been said before that trad. engineers are more rigorous in their methods and approach to solutions, as compared to software engineers. And yet, they are taking shortcuts (the internet) which do not live up to the engineering standards of the rest of the system.

For me, the only real solution is to use an isolated network. Yes, there will always be the risk of physical access, but that exists with every solution. By removing critical hardware/software from the internet, you reduce your number of attacks dramatically.


Synchrophasors are timestamped data from individual measuring devices on the power grid, such as relays. If you can control those devices on a live system you absolutely can do a lot of damage. However, there are often several layers between those devices and the phasor data concentrator. And more security between the PDC and the public internet.

Synchrophasors' value is in comparing voltages across entire synchronous regions[1] to maintain stability and prevent events like the 2003 Northeast blackout. As such, they're essentially national in scale. How do you get information across the country (in roughly real time) without the internet? As you can imagine, replicating huge chunks of the internet is cost prohibitive to even the largest utilities.

Believe me, networking is taken extremely seriously in my industry (electric power), and no device is connected to the internet unless it absolutely has to be. There are plenty of valid concerns; however, progress must still be made. I'm interested to see how this all plays out, and to play my own small part in the development of networked utility infrastructure.

So far, the power grid has been safe from the types of nuisance attacks the water utility in the article saw. I really don't know why water pumps and sanitation systems need to be online. I have a hunch we electrical engineers have a leg up on civil engineers when it comes to computer security. ;)

[1]https://en.wikipedia.org/wiki/Wide_area_synchronous_grid


> If someone gained access to just the synchrophasors, could they shut the whole plant down?

Something like this could occur if knowledgeable people gained access to the waveforms and ability to read/write breaker controls:

http://articles.cnn.com/2007-09-26/us/power.at.risk_1_genera...

Generally what you want to do is have your internal networks gated by hardened devices communicating over VPN. Disconnection from the Internet is simply not practical anymore, but snooping and attacks can be significantly mitigated. My fine employer works in this area and sells these sorts of devices, I would be happy to email interested parties links to our whitepapers and devices. :-)
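The two comments above (isolate control networks from the net unless absolutely necessary, encrypt everything and use a firewall; gate internal networks behind a hardened VPN device) can be turned into an automated check. The following is an added example, not code from the thread or from any vendor it mentions: it audits a constructed set of firewall rules against a made-up three-zone model (control, DMZ, corporate) and reports every allow rule that lets traffic into the control zone without passing the VPN gateway, lets the control zone reach the internet, or carries a cleartext industrial protocol across a zone boundary. All subnets, hosts and rules are invented for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone model: the control zone holds relays, HMIs and the phasor
# data concentrator; the DMZ holds the single hardened VPN gateway that is
# the only permitted conduit into it.  Addresses are made up for this example.
ZONES = {
    "control":   ipaddress.ip_network("10.10.0.0/16"),
    "dmz":       ipaddress.ip_network("10.20.0.0/24"),
    "corporate": ipaddress.ip_network("10.30.0.0/16"),
}
VPN_GATEWAY = ipaddress.ip_network("10.20.0.1/32")

# Protocols with no encryption of their own; they may only cross a zone
# boundary inside a tunnel terminated on the gateway.
CLEARTEXT_PORTS = {23: "telnet", 80: "http", 502: "modbus", 20000: "dnp3"}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # CIDR
    dst: str      # CIDR
    dport: int    # 0 means any port


def zones_touched(cidr):
    """Zone names a CIDR overlaps.  A CIDR not fully inside one defined zone
    (e.g. 0.0.0.0/0) is treated as also reaching the internet."""
    net = ipaddress.ip_network(cidr)
    touched = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        touched.add("internet")
    return touched


def audit(rules):
    """Return a list of human-readable findings for the allow rules that
    violate the zone model.  Deny rules never produce findings."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = zones_touched(r.src), zones_touched(r.dst)
        src_net = ipaddress.ip_network(r.src)
        from_gateway = src_net.subnet_of(VPN_GATEWAY)
        enters_control = "control" in dst and src != {"control"}

        if enters_control and "internet" in src:
            findings.append(f"{r}: control zone reachable directly from the internet")
        elif enters_control and not from_gateway:
            findings.append(f"{r}: traffic enters control zone without passing the VPN gateway")

        if "control" in src and "internet" in dst:
            findings.append(f"{r}: control zone may initiate connections to the internet")

        if r.dport in CLEARTEXT_PORTS and src != dst and not from_gateway:
            findings.append(f"{r}: cleartext {CLEARTEXT_PORTS[r.dport]} crosses a zone boundary")
    return findings


# Constructed ruleset for the example: a mix of sound and unsound rules.
SAMPLE_RULES = [
    Rule("allow", "10.10.0.0/16", "10.10.0.0/16", 0),        # intra-control traffic: fine
    Rule("allow", "0.0.0.0/0", "10.20.0.1/32", 1194),        # VPN clients to the gateway: fine
    Rule("allow", "10.20.0.1/32", "10.10.5.0/24", 20000),    # DNP3 from the gateway into control: fine
    Rule("allow", "0.0.0.0/0", "10.10.5.10/32", 502),        # Modbus from anywhere: two findings
    Rule("allow", "10.30.0.0/16", "10.10.0.0/16", 23),       # corporate telnet into control: two findings
    Rule("allow", "10.10.0.0/16", "0.0.0.0/0", 443),         # control zone browsing out: one finding
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", 0),               # default deny
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RULES):
        print(line)
```

Run it and five findings are printed for the three unsound rules; the rule that lets VPN clients reach only the gateway and the rule that lets the gateway speak DNP3 into the control zone pass, which is the "gated by hardened devices over VPN" shape the comment describes. Replacing the zone table and rule list with an export from a real firewall is the obvious next step; the point of the example is that "isolated unless absolutely necessary" is a property you can test rather than assert.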


I agree but don't forget that Stuxnet gained access through sneakernet.


Yeah, but Stuxnet may also have been the most advanced piece of malware that has ever been made, it used 5 different zero-day 'sploits. Getting owned by that isn't humiliating, it is to be expected.

Getting owned by some off-the-shelf hacker tool -- say metasploit or nmap -- is embarrassing.


This has puzzled me as well, surely there must be a better reason than convenience to the operators? Though I guess more severe security naivetes have happened.


One would have hoped that with an alarmist title like "At Dawn We Sleep" the topic would be about something very frightening, like the collapse of the oceanic ecosystems, the melting polar ices or the rapidly increasing global temperature. We already know that freak weather incidents like Katrina and Sandy will become much more common in the future and will take many more lives than any "cyber terrorism" ever will. After the war on Communism, drugs and terrorism why can't America declare war on climate change?


"Oh noes, somebody hacked our water pump!". A bunch of fear mongering drivel. It doesn't feel like cyber terrorism was ever ignored or neglected.


You know what other day was preceded by newspapers not predicting a Japanese surprise attack on America? ALL OF THEM.

Nothing in this article gives reason to change my expectation of upcoming cyberattack.


Dare I ask what the legislation he wants actually does? Is it another "kill freedom in the name of security without actually securing anything" act?


And when we wake up we go nuclear on innocents.

Step 1: fear mongering like this. Step 2: an attack that makes good headlines. Step 3: legislation requiring registration of computers (pick a means).


It's usually safe to assume that when Droopy opens his mouth, what follows is complete malarkey.



