As an analyst, and now as a consultant, I raise issues of digital
and physical security: let’s talk about them, in plain terms, and
collectively move to do something. As a member of the security
digerati, I think we should be helping people, and we have to either
step up with a better way forward, or get the hell out of the way.
When 60 Minutes ran its piece
on Cyber terrorism on November 6
I was among the people who was pleased that the network was revisiting
the subject. I thought producer Graham Messick and correspondent Steve
Kroft did an outstanding job of defining the problem and pointing to
specifics
without diving too deeply into the Fear, Uncertainty and Doubt
column. They raised these points, which included the statement that
hackers had attacked and disabled the power grid in Brazil, in a
manner that allowed my mom — literally — to get it.
I was saddened to see immediate backlash from amongst the
security digerati against the report. “Not Hackers!” they
shouted. It was alleged that government stooges infiltrated the
report, pushing a government agenda. Here were people who break
things for a living – people paid to highlight deficiencies in
security by bypassing it and showing how it was done – arguing that
things hadn’t been broken, and that everything is fine.
I was talking this out with Josh Corman at The 451 Group, and he said, “Fellas, what doesn’t matter is whether the particular incident was caused by hackers. What matters is the impact of an outage, and whether the attack described is in the realm of the possible.” Amen, brother.
Rather than delve into a
point-by-point rebuttal, I proffer this: whether Brazil’s blackout
was caused by soot, hackers or a misplaced dolphin, the attack described
is very much in the realm of the possible. Last year, I suffered
through eight days of no power after an ice storm slammed the
northeast; today my house has a 17KW generator, and three weeks
backup of food, water, firewood, fuel and other emergency supplies.
We could not have dialed 911 even if we had wanted to, as the storm
took down phone lines as well. At that point, did we care if it was
hackers or Jack Frost? Nope. That doesn’t stop me from putting in
basic defenses against things which are possible. And it shouldn’t
stop utilities from patching trivially exploited holes in our
critical infrastructure defenses just ‘cuz nobody’s exploited them
yet. Personally I believe that these holes have been exploited, but
the argument holds either way.
No one in the business of
network or physical security can argue that the security of our
critical infrastructure needs improvement, nor can we argue that we
deal in issues that zoom right past a mainstream audience. The 60
Minutes report’s proposed solution did seem to point towards
increased regulation, but don’t we have to
admit that the private sector has dragged its feet in taking steps to
prevent some of the most widely understood and trivially exploitable
vulnerabilities? Government has been unusually helpful and
forthcoming in its quest of late to educate, update and increase
defense of critical infrastructure (notwithstanding, as my friend Will Gragido at Cassandra Security points out,
Los Alamos Laboratories – and he’s right, too. But I’m not saying this
is a small problem, just that we should be working and using our
platforms as thought leaders to solve it)
Our industry needs open, frank
and positively-motivated discussion about these issues. We security
professionals know the state of things, the level of difficulty in
attaining knowledge and resources to effectively mount the kind of
attack that 60 Minutes alleged took place. Could my mom have gained
better insights about the context behind the threat by reading the Northrup
Grumman Report on Capability of the People’s Republic of China to
Conduct Cyber Warfare and Computer Network
Exploitation?
Absolutely. Would she ever? Of course not. She’d be lost at the very
first sentence, which reads,
This paper presents a
comprehensive open source assessment of China’s capability to conduct
computer network operations (CNO) both during peacetime and periods of
conflict.
Mom? Mom?
Rather than attacking Messick
and Kroft for a report that brought the issue to the comprehension of
millions, and set the stage for a more informed and reasoned debate, let’s raise the level of discourse and ask the tough
questions: How hard is it to exploit vulnerabilities in our system?
How can we make it harder? What help is there for private industry to
raise its bar?
I’ve railed against the Payment Card Industry Data Security
Standard, as a ruleset meant to set a floor becoming the ceiling.
Critical infrastructure security is even more important – lives
literally hang in the balance of us getting this right. From chemical
and petro-chemical companies which depend on the grid for the
mission-critical safety processes that prevent a Bhopal on the Hudson
to the ability to care for our populace, this is important, and
important now.
Surely no one will argue that this is true. So let’s start talking
about it deliberately, raising awareness of the business, health,
public safety and societal impact that a trivially exploitable critical
infrastructure raises.
While private industry may ask itself about the
cost of sensible defenses,
I pose a different question: What is the cost of wrong?
