
At Dawn We Sleep - k2enemy
http://www.nytimes.com/2012/12/07/opinion/will-congress-act-to-protect-against-a-catastrophic-cyberattack.html
======
zacharyvoase

        Premise A: "Something must be done."
        Premise B: "This is something."
        -----------
        Conclusion: "This must be done."

I call bullshit.

I do believe that key pieces of global computer infrastructure are at risk of
attack. But the threat will not be eliminated by scaremongering, or by handing
POTUS the ability to 'shut down the internet' in the case of an emergency (a
situation which would arguably lead to more catastrophic failures than any
'cyber attack').

The obvious thing to do when facing a direct military threat is to step up
defense forces (missiles, infantry, warships, whatever) in the area you're
expecting to be attacked in. But no such obvious solution exists in the case
of 'cyberwarfare'. You can't just 'build a digital fortress' with a pile of
bricks. I've yet to hear a sound explanation of how legislation will protect
computer infrastructure.

Despite our protestations, the governments of the US, UK, Germany and whoever
else probably _will_ pass cyberspace protection laws, that only deprive us of
freedoms we've grown accustomed to, do little to secure anything, and drive up
barriers to entry in more industries.

~~~
Zenst
It is certainly interesting times in that if country A sends even a remote
controlled plane into country B, then country B can deem that as aggression
and proceed. In the digital age attacks akin to that happen all the time yet
we are only told they happen and that we need to react.

There is nothing evident that the consumer public at large can relate to as
there is no physical object or clear damage.

Then there is the aspect that an attack from country B upon country A done on
the internet is nothing to do with country B in any intended form and is the
product of a few people sat at home who have no official right to be doing the
attack. The internet allows criminals to expand beyond their physical computer
reach and extend globally. How do you separate a military attack from a lone
gunman or criminal collective? With great difficulty alas and with that,
everything gets labels at the country level and deemed as an official attack.

In a World that even at war has standards and a code that is followed, then it
is about time perhaps that such a convention/standard was globally agreed upon
to encompass the digital age. Certainly agree that hospitals' IT systems are a
no go area, I know many an evil black hat hacker adhered to this moral code
already, some things are just not cricket. But as a global official agreement,
there is nothing.

This sadly lends itself to a World that can be manipulated and in that laws
that protect movies and music far outweigh the ones to protect Hospitals and
patient data and in that the level of money to enforce this is very much
biased in one direction sadly. It is the new think of the children meme used
as an excuse to enforce control and with that we have the think of the
internet attacks has now become the norm. Certainly think about and process
them, but in a fair way and not by putting up a large stop sign and thinking
that is how you control those doing the bad things when it only impacts those
who are upstanding more than not. Can even cause somebody upstanding to become
disillusioned and with that add to the issue that is never really addressed
directly.

------
Petrushka
The threat of a "cyber-Pearl Harbor" is completely unfounded and ridiculous,
but frankly that's what I'd expect from Lieberman. Hackers are extremely good
at taking down specific sites that have specific issues with their security,
not disabling entire swaths of networked systems. When some sect of Anonymous
decided to attack Israeli computers during Pillar of Defense for instance,
they claimed victory because they took down nearly 500 Israeli systems...which
were just random Israeli websites with major security flaws, mainly grocery
stores, locksmiths, and one government website dealing with economic
investment. Such an operation is not difficult, yet accomplishes nothing.
Actually attacking large numbers of computers used in the US, especially those
used for defensive capabilities, is essentially impossible, because each one
requires a different attack, assuming there isn't some massive as hell
security hole sitting in the middle of ubiquitous server software, which I'd
say is unlikely. Sure you can take down the Texas Water Utility, but you
couldn't take down the utilities of every water system in the United States
simultaneously without spending a significant amount of time on it and hope
nothing changes once you crack one and move on to the next. Nobody, not even
China, has the personnel to hit all of our major systems at once.

Hell, not even taking down the DNS network would do all that much, as most
computers that form the backbone of our medical and financial systems use IP
addresses, instead of URLs, as their primary method of connecting to other
servers. The military doesn't even use the main IP system, they have their
own.

As most people who actually work within this world know, the primary way of
gaining access to systems are social engineering, system defaults, and
insecure handling of access information. The world has gotten smart enough now
where practically all of our important infrastructure are very well guarded
against these attacks. That isn't to say they don't happen, but it's rare, too
rare for the possibilities of a full-scale "cyber-attack."

------
idm
_These attacks did not have to be initiated from within the United States or
even a few miles offshore. Cybersecurity experts believe Iran is the likely
culprit in both attacks, and we fear this is just the beginning._

_The headlines before the attack on Pearl Harbor turned out to be delusional.
No one can reasonably entertain such a delusion about our adversaries’
capacity to attack us in cyberspace today._

_Time has almost run out in this session of Congress, and President Obama
will soon issue an executive order that will establish cybersecurity standards
for critical infrastructure according to the statements of his top cabinet
officials._

For the most part, I was along for the ride on this op ed piece. However, when
the authors started suggesting Iran might in some way be behind a Pearl Harbor
event, I lost interest. When they suggested new legislation that might hinder
my ability to use computers without actually improving security for the US,
they lost me completely.

------
prawks
_The harsh reality is that such an attack does not require extensive computer
skills. Earlier this year, The Washington Post reported on an overseas hacker
who gained control of a small Texas water utility using Internet tools
available to anyone._

I really dislike statements like this. The latter does certainly not imply the
former. There surely wasn't a "Texas Water Utility Taker-downer" published on
the Internet. A would-be attacker still needs to understand how to exploit
security vulnerabilities. While resources for learning such skills can be
found online, it's not as plug-and-play as the Times is portraying it.

~~~
JonnieCache
They are almost certainly referring to the use of <http://www.shodanhq.com/>
to look for SCADA banners.

Try it sometime if you want to gaze upon the gossamer veil twixt normal
western life and 28 days later style chaos.

~~~
ovi256
28 days later style chaos: this is what he'll experience when the US gov drops
the hammer on him for scanning "strategic" installations right ?

~~~
JonnieCache
You don't need to scan them, shodan has done it for you. That's the point.

E.g. <http://www.shodanhq.com/?q=Rockwell>

But yes, as ever, don't do stupid stuff if you're not satisfied with your own
safety.

------
precisioncoder
Who is going to declare war with the strongest military power and most warlike
nation on the planet? I believe in having minimum standards for cyber security
in order to provide reasonable security for data but this seems incredibly
alarmist. It seems like it should have the headline: "War on Terror II: This
time it's going cyber!"

~~~
tomjen3
Declare war? Which century do you live in? The US has not declared war in over
70 _years_.

In fact one of the biggest issues with a cyber attack is that we may never
know where it came from.

~~~
adityab
You're joking right?

If you believe what you're saying, I am reminded of 1984.

~~~
tomjen3
June 5, 42. USA declares war on Bulgaria, Hungary and Romania.

It has not declared war since.

How do you detect that any given country is behind an attack launched by a
botnet of American computers?

Heck we still don't know that it was the US who were behind Stuxnet.

~~~
adityab
You're talking about _formal_ declarations of war.

Afghanistan? Iraq? _Vietnam_?

_Going to war_ might not be semantically the same as _declaring_ war, but
that doesn't change a thing, within the context at hand.

------
pnathan
It's absolutely true that SCADA systems are horrifically insecure and there is
very little incentive for a private company to upgrade security. It costs a
lot and doesn't give ROI (yet).

Something _must_ be done, sooner would be better than later.

I would rough out a plan like so:

* CIP companies _must_ upgrade their security, which _will_ be audited by Federal pentesters.

* Their security upgrade _will_ be funded partially through grants.

* Failure to implement security _will_ incur fines sufficient to ruin the company, _without_ exemption.

* Audit findings will incur fines scaled according to the severity of the audit finding.

Note that CIP companies are in a different class than other companies. These
companies ensure that _life goes on_. Water treatment plants, electrical
utilities, other similar installations. These companies by their nature ought
to be subject to a more careful eye by the public, because the public depends
on them.

------
dllthomas
_"In invoking Pearl Harbor, we’re not trying to be alarmist — we’re borrowing
an analogy the defense secretary, Leon E. Panetta, himself used in an Oct. 11
speech about what a catastrophic cyberattack might look like."_

We're not trying to be alarmist; we're parroting someone trying to be
alarmist.

Right. Okay.

------
mhurron
Beat those drums. We need people ready for war.

~~~
zoba
Precisely. This reminds me of, albeit less dramatic, fear mongering akin to
Colin Powell announcing to the United Nations that the USA has proof that Iraq
has WMDs. Of course when we showed up in Iraq, Colin Powell ended up looking
like a fool because his facts were so incorrect (few remembered Colin's
address at the time though).

Scaring people to manipulate them...I see it happening, I just rarely
understand to what end.

~~~
pstuart
With the two current wars winding down America's Heroes(tm) need new villains
to fight. War is good for business, remember?

------
jbattle
I sort of tuned out after about two paragraphs once my "scary-boogie-man-
justifications" meter redlined, but I could imagine something along the lines
of PCI compliance being a reasonable first step. The government or whoever
would establish a set of baseline security standards, and then private and
public agencies that appear to be risk targets are required to meet those
standards. If (IF!) it were kept relatively straightforward - this could
provide a lot of value with a minimum of additional government.

I'm not familiar with HIPAA privacy regulations - those also might be a
reasonable place to start.

------
shortlived

        Earlier this year, The Washington Post reported on an
        overseas hacker who gained control of a small Texas
        water utility using Internet tools available to anyone.

Why is any critical piece of infrastructure connected to the internet at all?
Disconnect and use sneaker-net instead.

~~~
drcube
Because utilities are connected across vast geographical areas. Usually, you
can get by with local control in isolated stations, but some applications
(such as synchrophasors on the power grid) need wide area networks for
control. And it is much cheaper to ride the internet in some parts than it is
to build your own isolated wide area network infrastructure (which still
wouldn't be immune to physical access).

The idea is to encrypt everything, use a firewall, and have user account
control. There are standards for how to do this safely (NERC-CIP). And isolate
every network from the net unless it's absolutely necessary.

Right now we're in a state of flux. The industry will mature as younger
engineers with computer backgrounds and an understanding of IT (like me) take
over.

~~~
shortlived
If someone gained access to just the synchrophasors, could they shut the
whole plant down? Or is this just the point of "leakage" into other parts of
the system? Can the phase synchronization still not be done by hand? I'm just
trying to understand the example more.

These are large scale engineering projects, and it's been said before that trad.
engineers are more rigorous in their methods and approach to solutions, as
compared to software engineers. And yet, they are taking shortcuts (the
internet) which do not live up to the engineering standards of the rest of the
system.

For me, the only real solution is to use an isolated network. Yes, there will
always be the risk of physical access, but that exists with every solution. By
removing critical hardware/software from the internet, you reduce your number
of attacks dramatically.

~~~
drcube
Synchrophasors are timestamped data from individual measuring devices on the
power grid, such as relays. If you can control those devices on a live system
you absolutely can do a lot of damage. However, there are often several layers
between those devices and the phasor data concentrator. And more security
between the PDC and the public internet.

Synchrophasors' value is in comparing voltages across entire synchronous
regions[1] to maintain stability and prevent events like the 2003 Northeast
blackout. As such, they're essentially national in scale. How do you get
information across the country (in roughly real time) without the internet? As
you can imagine, replicating huge chunks of the internet is cost prohibitive
to even the largest utilities.

Believe me, networking is taken extremely seriously in my industry (electric
power), and no device is connected to the internet unless it absolutely has to
be. There are plenty of valid concerns; however, progress must still be made.
I'm interested to see how this all plays out, and to play my own small part in
the development of networked utility infrastructure.

So far, the power grid has been safe from the types of nuisance attacks the
water utility in the article saw. I really don't know why water pumps and
sanitation systems need to be online. I have a hunch we electrical engineers
have a leg up on civil engineers when it comes to computer security. ;)

[1] <https://en.wikipedia.org/wiki/Wide_area_synchronous_grid>

------
bjourne
One would have hoped that with an alarmist title like "At Dawn We Sleep" the
topic would be about something very frightening, like the collapse of the
oceanic ecosystems, the melting polar ices or the rapidly increasing global
temperature. We already know that freak weather incidents like Katrina and
Sandy will become much more common in the future and will take many more lives
than any "cyber terrorism" ever will. After the war on Communism, drugs and
terrorism why can't America declare war on climate change?

------
kalms
"Oh noes, somebody hacked our water pump!". A bunch of fear mongering drivel.
It doesn't feel like cyber terrorism was ever ignored or neglected.

------
dspeyer
You know what other day was preceded by newspapers not predicting a Japanese
surprise attack on America? ALL OF THEM.

Nothing in this article gives reason to change my expectation of upcoming
cyberattack.

------
dspeyer
Dare I ask what the legislation he wants actually does? Is it another "kill
freedom in the name of security without actually securing anything" act?

------
fredBuddemeyer
and when we wake up we go nuclear on innocents

step 1 fear mongering like this
step 2 an attack that makes good headlines
step 3 legislation requiring registration of computers (pick a means)

------
_account
It's usually safe to assume that when Droopy opens his mouth, what follows is
complete malarkey.

