White House Chronicle

News Analysis With a Sense of Humor


Cyberattack on the Infrastructure Alarms Petraeus, Coats

September 9, 2018 by Llewellyn King

War always goes for the infrastructure: take out the bridges, cut off the electricity and water supplies. All that used to be done with artillery, tanks and bombs.

Going forward, it will be done by computers: Cyberwar.

Every day the early skirmishes, the tryout phase if you will, are taking place. There are tens of thousands of probes of U.S. infrastructure by potential enemies, known and unknown, state and non-state. A few get through the defenses.

Jeremy Samide, chief executive officer of Stealthcare, a company which seeks to improve cyberdefenses for a diverse set of U.S. companies, sees the cyber battlefield starkly. He says the threat is very real; and he puts the threat of serious attack at 83 percent.


As Samide looks out across the United States from his base in Cleveland, he sees probes, the term of art for incoming cyberattacks, like an endless rain of arrows. Some, he says, will get through and the infrastructure is always at risk.

Director of National Intelligence Dan Coats issued a warning in July that the alarms for our digital infrastructure are “blinking.” He compared the situation to that in the country before the 9/11 terrorist attacks. The situation, he told the Hudson Institute in a speech, is “critical.” Coats singled out Russia as the most active of the probers of U.S. infrastructure.

Samide says probing can come from anywhere and Russia may be the most active of the cyber adventurers.

A common scenario, he says, is that the electric grid is target one. But considerable devastation could come from attacking banking, communications, transportation or water supply.

Retired Army Gen. David Petraeus, a former director of the CIA and current chairman of KKR Global Institute, in an article coauthored with Kiran Sridhar and published in Politico on Sept. 5, urges the creation of a new government agency devoted to cybersecurity.

Samide and others endorse this and worry that the government has much vital material spread across many agencies and not coordinated. Behind Petraeus’s thinking is one of the lessons of 9/11: Government departments aren’t good at sharing information.

Conventional wisdom has it that the electric grid is super-vulnerable. But Politico’s cybersecurity reporter David Perera, who consulted experts on the feasibility of taking down the grid, somewhat demurs. In a Politico article, he concluded that the kind of national blackout often theorized isn’t possible because of the complexity of the engineering in the grid and its diversity.

The difficulty, according to Perera, is for the intruder to drill down into the computer-managed engineering systems of the grid and attack the programmable controllers, also known as industrial control systems — the devices which run things, like moving load, closing down a power plant or shutting off the fuel supply. They are automation’s brain.

Perera’s article has been read by some as getting the utilities off the hook. But it doesn’t do that: Perera’s piece is not only well-researched and argued but also warns against complacency and ignoring the threat.

John Savage, emeritus professor of computer science at Brown University, says, “I perceive that the risk to all business is not changing very much. But to utilities, it is rising because it appears to be a new front in [Russian President Vladimir] Putin’s campaign to threaten Western interests. While I doubt that he would seek a direct conflict with us, he certainly is interested in making us uncomfortable. If he miscalculates, the consequences could be very serious.”

Samide warns against believing that all probes are equal in intent and purpose. He says there are various levels of probing from surveillance (checking on your operation) to reconnaissance (modeling your operation before a possible attack). Actual attacks, ranging from the political to the purely criminal, include ransomware attacks or the increasing cryptojacking in which a hacker hijacks a target’s processing power in order to mine cryptocurrency on the hacker’s behalf.

The threats are global and increasingly the attribution — the source of the attack — is concealed. Other tactics, according to Samide, include misdirection: a classic espionage technique for diverting attention from the real aim of the attack.

The existential question is if cyberwar goes from low-grade to high-intensity, can we cope? And how effective are our countermeasures?

Today’s skirmishes are harbingers of the warfighting of the future. — For InsideSources

Filed Under: King's Commentaries Tagged With: Brown University, cyberattacks, cyberdefenses, cybersecurity, Dan Coats, David Perera, David Petraeus, electric grid, electric utilities, Hudson Institute, Jeremy Samide, John Savage, Politico, Russia, Stealthcare, U.S. infrastructure, Vladimir Putin

Crime, War and Mischief Are the Internet Norms

May 14, 2016 by Llewellyn King

By Llewellyn King

The big news coming out of the G7 meeting in Japan will not be about establishing international norms for cybersecurity. That will only get an honorable mention at best. But maybe it should get greater attention: the threat is real and growing.

Consider just these four events of the recent past:

The electric grid in Ukraine was brought down last Dec. 23 by, it is believed, the Russians. Because of its older design, operators were able to restore power with manual overrides of the computer-controlled system.

The Hollywood Presbyterian Medical Center in Los Angeles was ransomed. This crime takes place when a hacker encrypts your data and demands a ransom, often in untraceable bitcoin, to unlock it. The hospital paid $17,000 rather than risk patients and its ability to operate.

While these ransom attacks are fairly common, this is the first one believed to have been launched against a hospital. Previously hospitals had thought patient records and payment details were what hackers would want, not control of the operating systems. Some of the ransoms are as low as $3,000, with the criminals clearly betting that the victims would lose much more by not settling immediately, as did the medical center. The extortionists first asked for $3.6 million.

In a blockbuster heist on the Internet, the Bangladesh central bank was robbed of $81 million. The crooks were able to authorize the Federal Reserve of New York to release the money held in an account there. They would have got away with another $860 million, if it were not for a typing mistake. In this case, the money was wired to fraudulent accounts in the Philippines and Sri Lanka.

Target, the giant retailer, lost millions of customer records, including credit card details, to an attack in February 2014. Since then, these attacks on retailers to get data have become common. Hackers sell credit card details on what is known as the “black web” to other criminals for big money.

Often the finger is pointed at China, which will not be at the G7. While it may be a perpetrator, it also has victim concerns. There is no reason to think that Chinese commerce is not as vulnerable as that in the West.

China, with the help of the Red Army, is blamed in many attacks, particularly on U.S. government departments. But little is known of attacks Chinese institutions sustain.

Governments want to police the Internet and protect their commerce and citizens, but they are also interested in using it in cyberwar. Additionally, they freely use it in the collection of intelligence and as a tool of war or persuasion. Witness U.S. attempts to impede the operation of the centrifuges in Iran and its acknowledged attacks on the computers of ISIS.

As the Net’s guerilla war intensifies, the U.S. electric utility industry, and those of other countries, is a major source of concern, especially since the Ukraine attack. Scott Aaronson, who heads up the cybersecurity efforts of the Edison Electric Institute, the trade group for private utilities, says the government’s role is essential, and the electric companies work closely with the government in bracing their own cyber defenses.

Still, opinions differ dramatically about the vulnerability of the electric grid.

These contrasting opinions were on view at a meeting in Boston last month, when two of the top experts on cybersecurity took opposing views of utility vulnerability. Juliette Kayyem, a former assistant secretary for intergovernmental affairs at the Department of Homeland Security who now teaches emergency management at Harvard’s Kennedy School of Government, said she believed the threat to the electric grid was not severe. But Mourad Debbabi, a professor at Concordia University in Montreal, who also has had a career in private industry, thinks the grid is vulnerable — and that vulnerability goes all the way down to new “smart meters.”

The fact is that the grid is the battleground for what Aaronson calls “asymmetrical war” where the enemy is varied in skill, purpose and location, while the victims are the equivalent of a standing army, vigilant and vulnerable. No amount of government collaboration will stop criminals and rogue non-state players from hacking out of greed, or malice, or just plain hacker adventurism.

Governments have double standards, exempting themselves when it suits from the norms they are trying to institutionalize. Cyber mischief and defending against it are both big businesses, and the existential threat is always there. — For InsideSources

Filed Under: King's Commentaries Tagged With: Bangladesh central bank, black web, China, Concordia University, cyber-attack, cybersecurity, cyberwar, Edison Electric Institute, hackers, Harvard University, Hollywood Presbyterian Medical Center, Red Army, Russia, Target, U.S. Department of Homeland Security, U.S. electric grid

Cyberwar and Little Black Boxes

July 11, 2012 by White House Chronicle

Computer war has grown up. It has moved from the age of the equivalent of black powder to the equivalent of high-explosive shells — not yet nuclear devices but close.

Enemies with sophisticated computer technology, money and determination can now contemplate the possibility of taking down the electrical systems of large swaths of the nation. Just a small interruption in power supply is devastating, as has been demonstrated by the recent power outages in 10 states, caused by severe weather.

The world as we know it stops when power fails; gasoline cannot be pumped, air conditioning and all other household appliances cannot be used, plunging us into a dark age without the tools of a dark age – candles, firewood, horses and carts.

At the center of this vulnerability is a device most of us have never heard of but is an essential part of modern infrastructure. It is the programmable logic controller (PLC).

In appearance the PLC is usually a small, black box about the size of a woman's purse. It came on the scene in the 1960s, when microprocessors became available, and has grown exponentially in application and deployment ever since. The full computerization of the PLC put it silently but vitally in charge of nearly every commercial/industrial operation, from assembly lines to power dispatch.

These devices are the brain box of everything from air traffic systems to railroads. They replaced old-fashioned relays and human commands, and made automation truly automatic.

The revolution brought on by the PLC is an “ultra-important part” of the continuing story of technological progress, according to Ken Ball, an engineering physicist who has written a history of these devices.

Now the PLC — this quiet workhorse, this silent servant — is a cause of worry; not so much from computer hackers, out for a bit of fun through manipulating a single controller, but from the wreckage that can be achieved in a government-sponsored cyberattack with planning and malice aforethought.

Such an attack could be launched for diverse purposes against many aspects of our society. But the most paralyzing would be an attack on the electrical system; on the controllers that run power plant operations and the grid, from coal to nuclear to natural gas to wind turbines and other renewables.

Such a coordinated attack could bring the United States to its knees for days or weeks with traffic jams, abandoned cars, closed airports and hospitals reliant on emergency generators while fuel supplies last.

For this to happen, the hostile force would need to be able to get around many firewalls and what are called “sandboxes,” where malware is trapped when detected.

The evidence of how effective attacks on controllers can be lies in Iran and two U.S./Israeli programs (worms), which have been used against the nuclear enrichment plant at Natanz. The first worm was launched specifically at a single type of controller, made by the German company Siemens, and deployed in the Natanz plant.

A slip let some of the worm be detected on the Internet by American security companies like Symantec. They named it Stuxnet.

So far Stuxnet has been able to cause the destruction of about 1,000 of the 5,000 Iranian centrifuge enrichment devices. This was done by running them at unsafe speeds, while telling the operators that all was well.

A second worm, called Flame, has been trolling through Iranian computers, sending back critical information on military and scientific secrets. This fiendishly clever operation was launched under President George W. Bush with the code name Olympic Games. But it has been ramped up by President Barack Obama, according to David Sanger of The New York Times.

How safe are our computers and those little black boxes that control everything from traffic lights to chocolate manufacture? I am told by a former technology expert at the CIA that cybersecurity is the top worry of defense planners: It is “ultra” critical, he told me.

Also on the commercial side, many companies are working with clients to protect their systems. Benjamin Jun, vice president of technology at Cryptography Research, Inc., is one of the civilian sentries guarding networks, and by extension controllers, for private clients. Jun says invaders are looking for flaws, and complexity does not necessarily make a system less vulnerable.

We now live in a world in which devastation can be inflicted by the evil on the unprepared without a shot being fired. – For the Hearst-New York Times Syndicate

Filed Under: King's Commentaries Tagged With: cybersecurity, electrical grid, programmable logic controller, Stuxnet
