Slashdot Mirror
Nobody Is Sure What Should Count As a Cyber Incident
chicksdaddy writes: Despite a lot of attention to the problem of cyber attacks against the nation's critical infrastructure, The Christian Science Monitor notes that there is still a lot of confusion about what, exactly, constitutes a "cyber incident" in critical infrastructure circles. The result: many incidents in which software failures affect critical infrastructure may go unreported.
Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications lead to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however. His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham Washington that killed three people and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.
While official reports like this one about the San Bruno pipeline explosion (PDF) duly note the role software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event. Weiss says he has found many other, similar omissions that continue even today. He argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. "San Bruno wasn't malicious, but it easily could have been," Weiss notes. "It's a nonmalicious event that killed 8 people and destroyed a neighborhood."
Passcode speaks to security experts like Joe Weiss, who claims to have a list of around 400 incidents in which failures in software and electronic communications lead to a failure of confidentiality, integrity or availability (CIA) — the official definition of a cyber incident. Few of them are considered cyber incidents within critical infrastructure circles, however. His list includes some of the most deadly and destructive public sector accidents of the last two decades. Among them: a 2006 emergency shutdown of Unit 3 at the Browns Ferry nuclear plant in Alabama, the 1999 Olympic Gas pipeline rupture and explosion in Bellingham Washington that killed three people and the 2010 Pacific Gas & Electric gas pipe explosion in San Bruno, Calif., that killed eight people and destroyed a suburban neighborhood.
While official reports like this one about the San Bruno pipeline explosion (PDF) duly note the role software failure played in each incident, they fail to characterize them as 'cyber incidents' or note the cyber-physical aspects of the adverse event. Weiss says he has found many other, similar omissions that continue even today. He argues that applying an IT mindset to critical infrastructure results in operators overlooking weaknesses in their systems. "San Bruno wasn't malicious, but it easily could have been," Weiss notes. "It's a nonmalicious event that killed 8 people and destroyed a neighborhood."
it is a cyber incident. That is all.
Probably the first hurdle to pass in defining "cyber incidents" (and setting aside the overuse of the cyber- prefix in the present day and age) is the fact that non-technical, and in some cases even non-IT Security people really don't have a good basis for discerning what is or isn't significant. I'm reminded of one news article where the NYPD (or some similar state/local agency) announced that they suffered something like 500,000 "cyber attacks" from Chinese and other IP addresses in the span of several months. The nature of those attacks?
Port Scans.
Further complicating this is the fact that there's a lot of money involved. "There are lots of attacks, so you should buy my services" or "My agency gets attacked, so I need funding for security" are common themes. That's not to say there isn't a threat, or that attacks don't occur; just that some people have an incentive to turn up the threat meter, which makes establishing a clear answer more difficult. It's very easy to play with the definitions to turn out numbers of "incidents" without sufficient context. I easily see untold numbers of bad things in any given day; but most of those are automatically handled by the existing systems. Should those be counted, or are we only concerned with things that actually cause noticeable impact beyond my monitoring screen?
Lastly, when we say "incident", are we talking about operator/programmer/etc error, or are we talking about deliberate malicious action? By Weiss's definition, we're including the former, but that's quite a stretch to equate them to "attacks." Even if those incidents should probably be of concern, though, do they fall under Security's purview, or should they have been handled by some other business unit? As an IT Security professional, my job is to protect the network - it's not to make sure that everyone in the company is doing their jobs correctly.
According to modern convention a 'cyber event' is any event where government or private industry is exposed to extended and unwarranted yet catastrophically revealing scrutiny that serves to radically alter a citizen or consumers outlook on the state or the product respectively. These incidents are generally prosecuted rigorously in a kangaroo court, and involve numerous fisa submissions and foia redactions.
by contrast if a substantial subset of consumers experience the unauthorized release of their personal credit card, social security numbers, addresses, and bank information then this is just an 'incident' or a 'breech.' it involves 'data security' and 'unintentional disclosure' and is in no way a cyber event, although the FBI will be invoked just as predictably as a benediction at sunday mass in order to maintain the illusion the company affected has some purchase in the matter.
the ultimate difference being "cyber events" are ginned up to sell wars and products. data incidents and breeches are to be forgotten as fast as the public can, and covered quite minimally by the news media.
Good people go to bed earlier.
that means ever-dam-thang.
The "critical infrastructure results in operators overlooking weaknesses in their systems" is to be expected with the removal of local staff on site 24/7 replaced by automated or vast networked systems.
That reduced expensive union staff and allowed a smaller set of skilled workers to do the jobs of many. Great for profits as paying for less workers but the huge networks used might not always be dedicated and hardened or secure.
So vast amounts of maintenance, observation and operational use is expected to move along random networks.
In the past a real person doing shift work sat at a site and had control using a closed network. Now that network might reach a tri state area on many different networks with years of code and complexity.
The huge amounts of cash floating around after incidents is the new boondoggle. The networks need fixing, upgrading and a new cyber bureaucracy can point to cyber intrusions to get more political power, budget growth.
The real fix is in more maintenance, more staff and the correct use of real internal networks.
Working, well understood critical infrastructure is not difficult. Nations around the world can secure their own sites. Low quality networks over vast areas is not the best way to keep thinking about the issue.
Domestic spying is now "Benign Information Gathering"
Really anything that has to do with online, sexual harassment should qualify. I don't see why we should restrict it.
I art more snarky, and terse than thou. I art Slashdot!
There's a cabal of irresponsible (at best) and insane (at worst) organizations that publicly disclose the private information of citizens and members of government to further their own financial and political ends. We call them businesses.
RIP Glenview / Claremont Drives, went to elementary school up the street from that explosion. I've always wondered if I once knew someone who perished.
Isn't 'cyber-incident' the sort of bullshit term that is more or less designed to be slippery, and thus useful for both alarmism and obfuscation as the situation requires?
It's vague enough that the most harmless script-kiddie probing for easy targets could theoretically be totted up as a 'cyber incident', regardless of harm, if you were attempting to make the world out to be a place so dangerous that your budget definitely needs to increase; but also allows some classes of security failure to not be 'cyber'(if, say, social engineering was employed at some point); and also leaves considerable flexibility over what qualifies as an 'incident'(potentially pulling tens or hundreds of individual occurrences under one 'incident' if you are trying to look more competent, or breaking out every record spilled in one DB breach if you are attempting to look more embattled).
Why try to define it if we can just set it on fire, salt the ashes, and pretend it was never coined?
..any incident that involves control and feedback systems.
Escher was the first MC and Giger invented the HR department.
Wow, to classify the 1999 Bellingham Pipeline Explosion a "Cyber Incident" is a BIG stretch. That was an industrial accident, with mechanical failure as a significant component. Just because there was computer monitoring equipment, does not mean it was a "Cyber Incident".
should involve these guys.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
A growing number of elite athletes competed in Nike footwear. Runner Mark Covert was the first athlete to wear Nike shoes across a finish line. Nike shoes got their first endorsement by a professional athlete when Romanian tennis personality Ilie Nastase signed on to wear Nikes on the court. It is a time for Nike to increase visibility Nike Free pas cher . The year 1984 saw the signing of basketball megastar Michael Jordan to an endorsement contract, followed by the 1985 release of his signature shoe, the Air Jordan. Originally, the NBA banned this new shoe because it didn't match the league's dress code, but the ban simply served to give the design a higher profile and extensive publicity. So Nike with Jordan come across. In Jordan times, it is a little hard for Jordan to choose Nike shoes, but after long time consult, Jordan choose Nike shoes as basketball shoes. Since then Nike becomes famous, however, Nike Jordan shoes just designed for Jordan is memory of that great moment.
In the time it will take me to type this post I will get at least one wp-admin request from my server (without WordPress) plus I will probably have an assortment of other odd requests looking to exploit various server weaknesses for web servers that are different than mine; Various cgi attacks and so on.
Needless to say these aren't terribly troubling, generally the worst they do is to pollute my logs with crap. The main problem with these sort of "attacks" is that fear mongers will use them to justify giving them lots of consulting money.
What does annoy me about these attacks is that while they are fairly ineffective I would still love to see a concerted effort to nail the people who do them to the wall. I see it like those people who aim laser pointers at airplanes.
That said, there are genuine attacks from sophisticated but unless the companies involved have political pull these attacks too go unpunished. What bothers me the most is that these attacks originate from a very few countries. How about we shut those countries internet connections down for a few days until those attacks stop.
Just who in their right minds connects critical infrastructure to the cybertubes? I call BS on this whole story ..
From what I've learned so far, people who use the word "cyber" should not decide about anything concerning security.
(btw, "to cyber" means "to have a dirty talk/chat online" from what I've seen how people use this awful term)
"Nobody is sure" ... yeah, right. How about coming up with some kind of scale first? There's scales to classify everything from nuclear accidents to signs of extraterrestrial intelligence.
How about if the severity is a not a polarized boolean value for.... wait for it.... shades of grey!
Here are some words to add to your dictionary for those troubled by such a story:
continuum, continuous, polarized, grey shades, black and white, degrees, magnitude.
Why OpalCalc is the best Windows calc
That couple I saw in a graveyard on World of Warcraft. Pretty sure that was a cyber incident!
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
I thought the official definition was once the event shows up as a thinly veiled plot on CSI:Cyber. Just like a regular crime used to become an important national conversation once it was an episode of Law and Order...
Certainly the free market will sort all of this out. Companies/government that fail to secure their critical infrastructure will crash and burn, those that don't profit!
That is all.
Okay for the millionth time, we DO NOT NEED NEW LAWS FOR "CYBER" ANYTHING! You know what, I won't win that uphill battle, I'm just going to assume there should be a whole new set of laws on using phones, we can call them telephony incidents!
Comment removed based on user account deletion