Cyberthreats? They’re an undercurrent throughout the newspapers and other print media, broadcast news, and the internet itself. The most ominous part of the discussions we find there? The subtext…an almost universal sense that even experts don’t know where things are heading/what to expect. The entire realm of cyberthreats is terra incognita.
That’s cause for dismay, because as the human race, we do very little well the first time. In fact, the Russians have a proverb on this…one they apply to eldest children. I’m an eldest child. Are you? If so, you’ll hate this proverb, even as you recognize its truth. Are you a younger sibling? You’re gonna love this:
The first pancake is a lump.
Meaning, that first pancake is cooking while we’re trying to get the pan greased, the griddle temperature just right, etc., etc. Might as well toss that first one away! Fellow oldest children, while we were trying to become people, our fathers and mothers were learning how to parent. Not always the best combination!
Here’s another picture, a similar idea, this one coming from a Gary Larson cartoon. The drawing shows a dog on a high wire, tightrope walking on its hind legs up top under a big circus tent. There’s a huge throng of people far below. The caption: the crowd was going wild, but suddenly Rex remembered that he was an OLD dog, and this was a NEW trick.
Haven’t we strayed away from the subject of cyberthreats? Not really.
As human beings, we do best at those things where we get a lot of practice. As the previous post mentioned, when it comes to hazards, many of these have been around throughout the course of our history. Recognition of and respect for the power of earthquakes, or volcanic eruptions, or cycles of flood and drought, is built into our DNA. What’s new, and much of the reason why natural hazards continue to pose such a problem, are relatively recent changes in our life style (occurring over the last hundred years or so, versus ten thousand years). Drought and flood? Not such a problem when you’re nomadic. The animals you’re hunting or herding know where to go, and all you have to do is pick up and follow them (a little oversimplification here…). But when you build a city alongside a river so that you can ship goods by river and sea? Floods and drought pose a big risk. Tornadoes? A challenge to the rural Midwest – widely scattered farms and ranches – but truly overwhelming for a town or city like Joplin or Tuscaloosa. Earthquakes? Bad enough if you live in a tent. Catastrophic if you’re in a high-rise complex on landfill.
And, when it comes to cyberthreats, we’re babes in the woods.
Richard Clarke spoke eloquently to this subject at the recent World Conference on Disaster Management, held in Toronto. A former civil servant, who rose to top-level national security roles in both the Clinton and Bush II administrations, he has an interesting bio, worth a look. He’s also the author or co-author of several books on this topic; for example, e.g. Cyber War: The Next Threat to National Security and What to Do about It.
Here’s the kernel of his remarks to the WCDM.
Clarke started by saying this threat affects 100’s of millions of people every year. Every day we see a new large institution or firm attacked, including Sony, the Pentagon, Lockheed-Martin, the personal computers of world leaders, and so on. He made the link to his emergency-manager audience, rightly noting that when future events come, the world will be turning to emergency managers for help, and not under the most favorable circumstances.
Clarke then stepped back, asking the audience to see the threat in terms of four (overlapping) baskets, or circles on a Venn diagram.
Cyber crime. This used to be the pranks of teenagers, but is now province of big cartels, making billions of dollars each year. Most countries try to stamp out such groups operating within their borders, but there are troubling exceptions. Some countries harbor such groups with the unwritten understanding that they won’t operate domestically. More sinister, according to Clarke? Countries such as Russia who harbor such groups with the unwritten understanding they can call on them when needed. He claimed Russia called on this help during problems with Estonia and then again during the invasion of Georgia, which was accompanied by cyber attacks. He said we have to find ways to put pressure on such rogue national behavior.
Cyber espionage. Clarke pointed out that before the emergence of IT, industrial espionage would amount to a few physical pages of material either pilfered or copied. Today, he said, a terabyte of data or information can be stolen overnight.
Cyber activism. People hacking just to prove they can. Hacking the U.S. Senate, or the CIA. Activists have political views about secrecy, the environment (do climategate and East Anglia come to mind?), etc.
Cyber-war. According to Clarke, this hasn’t happened very much, but it’s out there. He noted that President Obama has established a Cyber Council, headed by a four-star general. The US Navy has its “Tenth fleet,” which has no boats or missiles, but attack software. And, he emphasized, this is not just about ones and zeroes, but destroying real stuff. He spent quite a bit of time talking about the Stuxnet worm. This worm specifically looked for Siemens equipment, specifically looked for supervisory control and data acquisition (SCADA) software, and also specifically looked for centrifuges (sleeping if it didn’t find all these conditions met). But when it did find itself in such a system it succeeded in destroying 10% of the Iranian centrifuges at Natanz enriching uranium to weapons-grade purity. This Wikipedia link provides a lot of background detail. Remarkably, the attack seems to have set back the Natanz work only a few months.
Clarke went on to emphasize that SCADA software is everywhere. Most internet traffic is machines talking with other machines. Controlling water supplies. Electrical grids and power plants, even nuclear plants. Aviation and other forms of mass transportation. The financial sector – from the largest trans-national transactions to those ubiquitous ATM’s. He spoke of an example, a test given to hackers, to see if they could gain access to an electrical generator, change its generation from the 60Hz compatible with the grid to other frequency. The hackers had little trouble damaging the generator and putting it out of operation. He spoke of other examples, not due to hacking, where SCADA failures had led to airline shutdown, Metrorail crashes, etc.
Clarke also claimed that the Stuxnet software is now out there, and in multiple hands. It ought to be possible for motivated people to modify it. He then painted a picture for emergency managers – a scenario in which they might be called upon to respond to a widespread cyber emergency — with a large population thrown back into the 19th century, and EM’s lacking access to any of the tools they now rely on, such as communications, computing, even basic electricity (as emergency generators ran out of fuel there would be no more fuel available). He pointed out the critical infrastructure that would be damaged – the generators, transformers, would include many items unavailable off-the-shelf. Waiting for replacements would take months. Given this threat, Clarke decried the lack of exercises allowing emergency managers a chance to look ahead at what they might be up against.
He was also careful to acknowledge that his was but one voice, and that some experts thought his fears extreme. However, in the room, his logic was compelling, the talk thought-provoking.
Meanwhile, however, the drumbeat of news on cyberthreats continues. The latest? A USA Today article this morning noting that LulzSecurity, one of the bigger hacking groups, may be pausing or shutting down, possibly because authorities are closing in. [Lulz? Related to LoL…which often refers to laughing at some else’s discomfiture. Readers of my generation – think schadenfreude.]
He closed noting that some 20 or so nations have cyber commands, contingents in their military actively exploring the development and use of cyber weapons.
For more, see a related article in The Economist.