Slashdot Mirror


A Cyber-Attack On an American City

Bruce Perens writes "Just after midnight on Thursday, April 9, unidentified attackers climbed down four manholes in the Northern California city of Morgan Hill and cut eight fiber cables in what appears to have been an organized attack on the electronic infrastructure of an American city. Its implications, though startling, have gone almost un-reported. So I decided to change that."

24 of 461 comments

  1. Redundancy, redundancy, redundancy... by explosivejared · · Score: 5, Insightful

    We should also consider whether it might be necessary to harden some of the local infrastructure of our communities. The old Bell System used to arrange cables in a ring around a city, so that a cut in any one location could be routed around. It's not clear how much modern telephone companies have continued that practice. It might not have helped in Morgan Hill, as the attackers apparently even disabled an unused cable that could have been used to recover from the broken connections.

    Always assume the enemy knows the system. Hardening wouldn't hurt, but redundancy is the most important thing. Hardening a system tends to make it that much more vulnerable to a single insider. Redundancy mitigates this effect. Having such a small group be able to cause so much disruption from such a relatively simple act makes it obvious that the city placed way too much on a single point of failure remaining intact. Have redundant fiber. Have auxiliary wireless setups. Maintain a base of ham volunteers. Multiply your points of failure.

    Personally, I think this sort of lax infrastructure security has become endemic. The 'war on terror' rhetoric we were fed for so long has us looking for the next suicide jet-liner attack or what have you, completely distorting any real conception the public had of real-world modern security risks.

    --
    I got a catholic block.
    1. Re:Redundancy, redundancy, redundancy... by Red+Flayer · · Score: 4, Insightful

      Multiply your points of failure.

      I'm not sure that means what you think it means :)

      Reducing single points of failure is what is needed, which is not the same thing as multiplying the places it is possible to have failure.

      But all the methods you describe have merit, but they also have a huge drawback -- cost. It's hard to get private entities to absorb the cost of redundant fiber, etc, since they will see very little gain from them.

      So is the answer to nationalize our fiber infrastructure? Is that the only way we can make our systems secure?

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    2. Re:Redundancy, redundancy, redundancy... by Bruce+Perens · · Score: 4, Insightful

      Redundancy of means, not just points. That means not just relying on the wired communications infrastructure or things that depend on it like cellular, for your emergency services.

      Redundancy isn't always economically efficient, but we have to do it anyway, and what is worse we have to keep testing it so that it keeps working. This is hard to do if you are a private company with your stockholders baying at your feet for more efficiency.

    3. Re:Redundancy, redundancy, redundancy... by couchslug · · Score: 4, Insightful

      "Personally, I think this sort of lax infrastructure security has become endemic."

      That's why the incident under discussion is a good thing in the way that cracker threats and viruses are good.

      Without attacks there is little incentive to build robust systems.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    4. Re:Redundancy, redundancy, redundancy... by Xeth · · Score: 3, Insightful

      As with any infrastructure that has national security implications, the answer is yes. Where is the profit incentive to make you triple your costs (at least) to safeguard against an incredibly rare occurrence?

      --
      If your theory is different from practice, then your theory is wrong.
    5. Re:Redundancy, redundancy, redundancy... by Sun.Jedi · · Score: 5, Insightful

      As with any infrastructure that has national security implications

      There should not be national security implications, because there shouldn't be anything on the internet or attached to it that could threaten national security.

    6. Re:Redundancy, redundancy, redundancy... by Xeth · · Score: 4, Insightful

      You seem to be thinking solely in terms of classified information. That part is easy. The problem is that civilian telecommunications links have become the backbone of our economy. And I don't just mean that in a capital growth sense, I mean that they form the core of the financial transactions that keep day-to-day operations running. Losing those links has the capability of causing as much harm to the U.S. as losing a power plant or piece of military hardware.

      --
      If your theory is different from practice, then your theory is wrong.
    7. Re:Redundancy, redundancy, redundancy... by mi · · Score: 3, Insightful

      No one else can really compete with their fiber network, partly because they have a government grant to do it.

      Right there you hit the nail on the head, and did not notice it! I emphasized it for you in the quote above — the government distorts the market with its grants and subsidies, which ought to stop — providing telecommunication services has long ago stopped being about good service, and became about winning government grants.

      This needs to change, but you, instead, want more government meddling... Yes, you want small town government to take over, what federal government is doing, but there is no difference in principle. Business ought to compete for the customers, not for government subsidies. That's the point.

      --
      In Soviet Washington the swamp drains you.
  2. Hams FTW by ipX · · Score: 5, Insightful

    Ham radio operators save the day once again... 'nuff said.

  3. Terrorists? Probably not. by Sir_Lewk · · Score: 5, Insightful

    Let's not all go blaming terrorist organizations on this one.

    My money is on unionized workers facing layoffs or payroll cuts. They would best know how to hurt the system and this sort of sabotage being linked to unions is not exactly unheard of.

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  4. Re:Terrorists? Probably not. by Red+Flayer · · Score: 3, Insightful

    Let's not all go blaming terrorist organizations on this one.

    Define terrorism.

    Now define terrorist organization.

    If an organized group of people orchestrated this attack in order to bring attention to some goal, wouldn't that make them a terrorist group?

    Admittedly, an attack on property is not the same as an attack on people, but yet... to me this seems textbook.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  5. Cyber(?) Attack by Duradin · · Score: 5, Insightful

    So now a "cyber" attack includes the physical destruction of hardware/infrastructure without any exploitation of any programming logic?

    1. Re:Cyber(?) Attack by Darth_brooks · · Score: 5, Insightful

      Four words: Denial of Service Attack. You want the hospital's network cut off from the outside world for 8 hours? Congrats. Done. This was Indiana Jones vs. the Scimitar-wielding Arab. I'd like to think this whole situation has encouraged people to start thinking a little bit more outside the box when it comes to infrastructure planning and what "mission critical" really means.

      For example, my last employer took mission critical to heart. They were the regional blood bank, so that mentality was infused (tee hee. I made a pun.) into every aspect of the organization. Microwave links between our sites (and several customer sites. If need be we had the capacity to route traffic in and out through locations that were physically 5-10 miles away), generator power up the wazoo (including written contracts that put us second in line behind the hospital for diesel fuel. on top of the ample reserves we kept on site. Don't know why we weren't natural gas, though I assume that was more capacity than anything else), redundant external power connections to independent grids (which paid off handsomely one day), pneumatic tube connections to two hospitals and a couple other local sites, and a disaster preparedness plan that could have been leather bound and used for Law Office commercials if it wasn't being updated so often.

      Infrastructure and disaster planning require some in depth "disaster porn" level of thought. It's hard to excuse civic services for not being ready to handle this sort of outage. Between that job and working in SE Michigan during the '04 blackout, I've learned a lot about just how ready some places think they are vs. how ready they really are to handle a disaster, be it man made or otherwise.

      --
      There are some people that if they don't know, you can't tell 'em.
  6. Re:Terrorists? Probably not. by Sir_Lewk · · Score: 4, Insightful

    Well, I'd certainly concede that this could be classified as terrorism but I was referring more to the "ZOMG TALIBAN" kind of terrorists. Modern media interpretation of the word. ;)

    --
    "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  7. Re:Terrorists? Probably not. by MightyYar · · Score: 4, Insightful

    wouldn't that make them a terrorist group?

    I'd presume that some amount of "terror" would need to be created for one to be considered a terrorist. But maybe I'm old-fashioned.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  8. Re:Terrorists? Definitely not. by Anonymous Coward · · Score: 5, Insightful

    If an organized group of people orchestrated this attack in order to bring attention to some goal, wouldn't that make them a terrorist group?

    No.

    What makes a terrorist group a terrorist group, is that they inflict, you know, terror.

    Cutting some cables isn't going to (and, in fact, didn't) send the general populace into a panic.

    Yes, it's an inconvenience, but unless they are trying to instill terror in the general populace, they're not terrorists.

  9. Not a cyber attack by sunderland56 · · Score: 3, Insightful

    This sounds like a good old physical attack to me, not a cyber attack. Bashing in someone's computer with a hammer is not the same thing as infiltrating it with a computer virus/worm/etc.

  10. Re:Terrorists? Probably not. by Sponge+Bath · · Score: 4, Insightful

    My money is on unionized workers...

    I think it was management, upset that so few people wore Hawaiian shirts on casual Friday.

  11. Re:Terrorists? Probably not. by couchslug · · Score: 4, Insightful

    ""ZOMG TALIBAN" kind of terrorists. Modern media interpretation of the word. ;)"

    Shortly to turn into "ZOMG Wobbly Anarchist Union Menace to be cleansed with fire and legislation" if formerly-gruntled union workers are found to be the cause...

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  12. Oh, Bruce by fm6 · · Score: 4, Insightful

    Bruce makes some good points, but he consistently undercuts himself with "information" that is poorly sourced, poorly explained, or just plain wrong.

    The question I'm most interested in is why the "internal only" network at Dominican Hospital went down. Bruce doesn't explain this, and I can't find a reference to it elsewhere. I suspect that he just has his facts wrong — Dominican is part of Catholic Healthcare West, and I'd be very surprised if the computers at Dominican didn't rely on servers in a central CHW facility.

    That's still a dangerous vulnerability, just like Bruce says it is. But he'd be more persuasive if he checked his facts.

    And dude, everybody but you knows that that internet technology research was funded by DARPA. Some DARPA personnel are in the Army, but DARPA has never been part of the Army.

    And can we please stop repeating that idiotic myth about the Internet being designed to survive a nuclear attack? It isn't and it wasn't designed to be. The basis of the myth is that early proposals harped on the superior survival characteristic of a decentralized network versus the star topology networks of the time. Not quite the same thing.

  13. Yeah I don't buy it. by Chris+Burke · · Score: 4, Insightful

    I guess it's kinda reasonable to use the term for an attack on the "cyber" domain (by going after its physical substrate) as well as for attacks that occur within that domain. Either way, it screws up people's access to comms.

    I don't think it's reasonable, at least not enough that we should accept it and start using "Cyber Attack" to refer to the target of the attack rather than the means. The reason basically boils down to the opposite of attack, which would be Cyber Defense, and what was mentioned earlier on /., the Pentagon Cyber Command.

    If we accept this meaning of Cyber Attack, then that means that an airplane that drops a bomb on an ISP is a "Cyber Attack", while bombing any other form of infrastructure would be a "regular attack". Logically this would also mean that an anti-aircraft gun that is placed near an ISP is a form of "Cyber Defense". Except that isn't logical, it makes no sense. Anti-aircraft defenses should not be under the purview of Cyber Command regardless of where they are located.

    No. I insist that the adjective "Cyber" before the word "Attack" should indicate the means, not the target, in the same way that Cyber Defense should mean securing computer networks, not preventing physical assaults that may or may not happen to hit internet infrastructure.

    This was nothing more than plain ol' sabotage. It's the same as them destroying a sewage line, except the impact was different. If it was a power line, that too would have cut off many forms of communication, is that a cyber attack? No. It's an attack.

    --

    The enemies of Democracy are
  14. Society is cooperative in nature by mcrbids · · Score: 5, Insightful

    Sure, you can do things like reducing single-points-of-failure, beefing up security, but you can do this only to a point. At some point, you realize that society is, by nature, cooperative, and if you remove that basic assumption of cooperation, society will fail.

    There aren't any exceptions to this. There are just too many possible things that can be destroyed by people who desire a society or civilization to perish.

    You can salt fields. The Romans did this thousands of years ago, and the areas they ravaged are, to this day, incapable of meaningful agriculture.

    You can poison drinking water. LSD is pretty easy to make cheaply, and a single pound of it thrown into a public water system would cause mass insanity.

    This list is infinite: You can destroy power lines, you can cut fiber cables, you can make a bomb out of fertilizer and destroy a building or the Golden Gate Bridge or any of a quintillion other things that are both easily done and highly destructive.

    A society is secure when its population are generally happy with it continuing. When a society reaches the point where enough of its population are disenfranchised with it, it will become incapable of maintaining the critical infrastructure necessary for a complex civilization. Adding security measures such as multiple points of failure quickly becomes a reason NOT to fix why anyone would want the civilization to perish in the first place - and thus actually makes the civilization LESS secure.

    And that's just the simple truth of it. So, if we want to be secure, we need to clear up the reasons why people would want our culture to fail. These include things like

    A) Not torturing people.

    B) Allowing other countries to be sovereign in their own affairs.

    C) Not being overly greedy with our wealth. Exploitation is only good for the short term - it's a long-term destabilizing force and that's bad for everyone.

    Really, I don't get it. You get people who swear by our Constitution yet somehow think that torturing is OK. Perhaps they should read the 4th and 5th amendments? This issue is a deep, dark stain on the freedoms we are otherwise so quick to espouse.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Society is cooperative in nature by mctk · · Score: 4, Insightful

      I believe the correct phrase is: "Be excellent to each other" -Bill S. Preston Esq.

      --
      Paul Grosfield - the quicker picker upper.
  15. Public Safety Nets by kilodelta · · Score: 3, Insightful

    Pretty easy to take out public safety trunked systems too. All you need is a hammer and some nails.

    In my city the repeaters are on telephone poles. Just punch a hole through the feedline. If the repeater designer knew their shit they'll detect the high SWR and shut down the oscillator and amplifiers. But I can tell you, I've seen lots of gear that has no such SWR protection.

    You don't even have to go that far. A little conductive grease, or even water in a connector will also reflect lots of RF power back to the emitter.

    It is virtually impossible to protect any given communication medium. You must have several independent means of communication.