Leon Panetta, Secretary of Defense, recently stated that the United States could be facing Pearl Harbor if it doesn’t revamp its security. This time the threat doesn’t come from physical fire fights with opponents overseas, instead it stems from the Internet. Panetta’s goal is to help pass the new Cyber Security bill, H.R. 3623 (“Cyber Intelligence Sharing and Protection Act”).
https://www.youtube.com/watch?v=QVzgPDXJisI
Summed up briefly, the new bill hopes to enable federal law enforcement with the ability to be able to access corporate computer systems in times of need. CISPA’s opposition claims that the resolution hurts individual privacy online. We’ll let you – the reader – decide on whether or not the pros outweigh the cons. To read the resolution in full please click here.
Many feel that Panetta’s comments are an over-exaggeration of a very real problem. As security expert Bruce Schneier stated on October 19th, “[t]here’s an enormous amount of money and power that results from pushing cyberwar and cyberterrorism: power within the military, the Department of Homeland Security, and the Justice Department; and lucrative government contracts supporting those organizations. As long as cyber remains a prefix that scares, it’ll continue to be used as a bugaboo.” (Schneier on Security, 10/19/2012)
Similarly, I feel as Bruce Schneier does: although there’s a very real security threat (APTs), comparisons to Pearl Harbor or 9/11 serve only to incite fear. They aren’t based on any rational understanding of how actual computer networks work. That being said, I do believe industry control systems are at risk by forces from within as well as from without.
Over 2,000 lives were lost during the Japanese assault on Pearl Harbor. To compare a future cyber-assault to Pearl Harbor is a bit of a stretch. Despite the Secretary of Defense’s claims to the contrary, computer systems worldwide are NOT all integrated in a Terminator-style way. They may be in the distant future, but they aren’t now.
Can you DDoS systems on a network? Yes. The problem is that not all industry control systems are online or interconnected. And if they are, they must have something exploitable in order to be compromised. On top of that it is worth reminding readers that a DDoS isn’t “hacking into” anything, it is the flood of bogus traffic to an open and receptive server. Actually hacking “into” something requires systems-specific exploitation.
Panetta points to DDoS assaults such as the latest JP Morgan-Anonymous attack, but those attacks against a web server aren’t going to result in the inability for that bank to do business. E-commerce sites face greater risk from this form of attack.
Air traffic control and power grid monitoring systems are typically closed and separate from the internet. While these systems are sometimes networked on intranets or by secure other means, they aren’t actually accessible to us or an attacker. Panetta’s claims are lumping industry control systems in one big category when they should be understood on an individual basis (SCADA security is an excellent topic that well exceeds the scope of this post).
Do similar assaults pose a problem for corporate interests and cost companies revenue? Absolutely.
If the CISPA was designed to protect corporate interests alone, it would go a long way to easing the public’s opinions of the bill. The source of contention comes from CISPA giving the government power over corporate computers (in the mind’s of many citizens, anyway). Keep in mind companies like Google store your search queries in their database for a certain amount of time, identifying marks such as an IP address are removed eventually).
There probably are important systems that are connected to the Internet and need safeguarding. But to say the exploitation and disruption of such systems would cause an apocalyptic scenario is downright ludicrous. Such systems are the exception not the rule.
Proponents make mention of Stuxnet and yet rumors that Stuxnet was designed by a super power have been prevalent. Many point to the U.S. working in concert with the Israeli government to disrupt specific Siemens industrial equipment (after all, it clearly targets one ‘type’ of system). This is similar to one of the new incident Panetta mentions, a virus that targeted a very specific oil system. With Stuxnet, the rootkit is absolutely useless outside of the environment it was created to exploit: for more information see Operation Olympic Games.
You better believe the new CISPA bill is being pushed for political reasons. That doesn’t necessarily mean it’s bad either, it’s just unfortunate that the only time people “need protection” is during an election year. Positive future legislation will assist companies and stress importance of securing key infrastructure while, at the same time, ensuring that such systems aren’t accessible to the public.
Corporate espionage and enemy penetration from within a company’s own network is a very real danger but it’s beyond the scope of CISPA. Such issues are still not as prevalent as Secretary Panetta is making them out to be. Keep what Bruce Schneier says in mind when reading the news:
“But while scare stories are more movie-plot than actual threat, there are real risks. The government is continually poked and probed in cyberspace, from attackers ranging from kids playing politics to sophisticated national intelligence gathering operations. Hackers can do damage, although nothing like the cyber-terrorism rhetoric would lead you to believe.”
– Schneier on Security, 10/19/2012
I’m not a politician and I don’t care how you vote. I only care about the facts. I don’t like when people are “scared” into action especially if they aren’t given all the facts. Cyber security and safety online is an issue which transcends political parties: stay informed is important and I urge everyone to read multiple news sources online for information.
Again, while cyber-threats are real, they’ve been portrayed in the news recently in a slightly over-dramatic way. With proper insight and understanding we can safeguard necessary systems without spreading unnecessary fear.
Sources
Video: BBC News. “Leon Panetta warns of cyber Pearl Harbour” (posted by BBC24News on YouTube), October 12, 2012.
Aitel, Dave. “The The Cybersecurity Act of 2012: Are We Smarter Than a Fifth Grader?.” Huffington Post, August 3, 2012.
Schneier, Bruce. “Stoking Cyber Fears.” Schneier on Security blog. October 19, 2012. Note: As always, Schneier has links to multiple sites/essays of interest concerning this matter.
H.R. 3523: Cyber Intelligence Sharing and Protection Act (CISPA)
Related Neuralhub Posts
“LOIC DDoS & The Nature of Anonymous Attacks“, October 2, 2012.
“Link – In the News: Chinese Attackers Hit White House“, October 2, 2012.
“National Cybersecurity Awareness Month” @ Neuralhub, October 2, 2012.
Edit: A friend asked me for clarification a while after I wrote this. He asked if I was suggesting that Advanced Persistent Threats do not exist. I positively do not believe that. I was disagreeing with likening cyber attacks to Pearl Harbor (even as a metaphor for something extremely tragic). As technologies advance so too will the risks: this assessment can change with time. Advanced threats pose a very real problem to industry and national security and I personally agree with efforts to combat them.