US Prepares for Eventual Cyberwar

The New York Times is reporting on preparations in the works by the US government to prep for a 'cyberwar'. Precautionary measures are being taken to guard against concerted attacks by politically-minded (or well-paid) hackers looking to cause havoc. Though they outline scenarios where mass damage is the desired outcome (such as remotely opening a dam's gates to flood cities), most expect such conflicts to be more subtle. Parts of the internet, for example, may be unreachable or unreliable for certain countries. Regardless, the article suggests we've already seen our first low-level cyberwar in Estonia: "The cyberattacks in Estonia were apparently sparked by tensions over the country's plan to remove Soviet-era war memorials. Estonian officials initially blamed Russia for the attacks, suggesting that its state-run computer networks blocked online access to banks and government offices. The Kremlin denied the accusations. And Estonian officials ultimately accepted the idea that perhaps this attack was the work of tech-savvy activists, or 'hactivists,' who have been mounting similar attacks against just about everyone for several years."

Re:Isn't this blown out of proportion, again?

[garoo]

Not all that unusual. I was visiting a water treatment/chlorination plant in the UK a few years ago (for complex reasons related to archaeology rather than anything particularly on-topic, so it is likely that we got the Cliff Notes version). They pointed to the computer that controls the water chlorination and said 'we control this via this modem right here'. Presumably there are all sorts of security controls around actually accessing via said modem, given that we are talking about a PC controlling the quality of the drinking water supplied to maybe 20,000 people.

This doesn't matter very much anyway. TFA seems to have confused 'you can connect to it remotely via some mechanism or another' and 'anyone connected to the internet can just ssh right in/DDOS it'. FUD.

It's not just the Internet

[vtcodger]

***Isn't this blown out of proportion, again?***

Probably not out of proportion. The military has separate secure communications, but civil society doesn't. And many of our key networks aren't exactly robust. We've had incidents in the past of phone networks going down because of bad software upgrades to switches. And of power distribution networks going down for no very good reason and taking many hours to get back up. And satellites going out.

So what happens when a technically savvy bunch of folks with a point to make starts off by hijacking Microsoft Update to zombiate millions of PCs, uses other update services to brick all sorts of devices, then simultaneously goes after the DNS servers; North American power grid controls; and every satellite link they have previously found a vulnerability in? What if they can take down major parts of the cell phone network? Probably they can DOS the financial service network providers if they can't hack into them -- No functioning ATMs and likely no functioning banks and likely few functioning stores of any kind. And they reprogram a lot of the nation's traffic signals to turn all lights green permanently. They do the same for the railroads. And they turn off the natural gas distribution system -- in January. And they shut down the aquaduct pumping stations feeding Southern California. ... etc, etc, etc. And finally, they shut down as much of the phone system as they can get to.

A serious attack by a technically savvy attacker with significant resources and a good plan can very likely do most of those things and a great many more.

If an attacker can do even a quarter of that, it'd take any industrial country a week to get back up after a fashion, and months to really get things back under control. So, no, it's probably not blown out of proportion.

***I mean who the FUCK would be stupid enough to have the controls for a Dam connected to the internet?***

What is the cheapest and most cost effective way to control a remote power facility? And who says cyber attacks are limited to the Internet? If your dam is 300 miles away, you're going to need remote access -- at least for monitoring and quite likely for command and control. Seems to me like most, maybe all, of the technologies to do that -- internet, phone network, satellite, radio links, etc--are open to interception and attack. Even if you can't break into the control link, you likely can deny service in one way or another.

Re:It's not just the Internet

[mcrbids]

So what happens when a technically savvy bunch of folks with a point to make starts off by hijacking Microsoft Update to zombiate millions of PCs,

What makes you think they have to hijack MS Update? It seems to be a problem right now, today. Anybody who thinks this is something new is clueless. It's a problem right now, today.

A few things that can help:

1) Stop using systems that are inherently flaky. (EG: MS Windows) Move on to something that's proven to be resistant to viruses and the like. MacOSX, Linux, BSD, and other *nix variants are a good bet for the immediate future, but I'd wager that the best bet would be to revive DEC VMS! The security on that system is just simply awesome, and its reliability is second to none. Get somebody with chutzpah like Steve Jobs to make it work, and it would. Very well.

2) Demand basic, reasonable security policies in force at ISPs. The federal govt should require that ISPs should use basic technologies to ensure that packets appear to come from the right network, malformed packets are rejected, etc. and it should also provide reasonable initial funding so that they can comply with this law without undue hardship.

Another interesting thought - computers have gotten complex enough that the average person can no longer maintain them. So what if there was a way that the average person could outsource this administration to somebody else? There's quite a few ways this might work:

A) The "pool service" model - some local techie shop periodically accesses your computer (either physically or remotely) and performs a routine maintenance, fixing security holes, ensuring updates are done, performing backups, etc.

B) The "terminal" model - rather than store all your data/files on your local machine, your local machine becomes a dummy terminal, and you access your data and programs remotely. Something like the "terminal" that was common on mini and mainframes in the 1980s. Think Google office? This may be where Microsoft goes with their 'Windows Live' service, and where Linux goes routinely with X11.

C) The "Updater" model - almost in place now, you pay a subscription fee to have software downloaded automagically that takes care of security issues. The main point here is that for this to work, it has to provide a strong assurance of quality, which this does not.

Man, got windy on this post. Hope you enjoyed it!