4 November 2014

MURDER BY INTERNET: MAJOR CYBER ATTACK WILL CAUSE SIGNIFICANT LOSS OF LIFE BETWEEN NOW AND 2025

October 30, 2014 

The above title should come as no surprise to those of you who have been reading the numerous articles I have written and posted on this subject. Indeed, what might be surprising is that these experts think that a black swan-type cyber event that could kill millions is still perhaps a decade away. It could come sooner. More on that later.

Patrick Tucker, writing on the DefenseOne.com website on October 29, 2014, begins by noting that leading cyber security experts believe that “between now and 2025,” a black swan type cyber attack “will be large enough to cause significant loss of life; or, property losses/damage, theft at levels of tens of billions of dollars,” according to more than 60 percent of technology experts interviewed by the Pew Internet And American Life Project. “But other experts interviewed for the project, “Digital Life In 2015,” released yesterday (Wed./October 29), “said the current preoccupation with cyber conflict is a product of software merchants looking to hype public anxiety against an eternally unconquerable threat.” Maybe. Hopefully.

“It’s the old phantom of the “Cyber Pearl Harbor,” a concept commonly credited to former Defense Secretary Leon Panetta (actually I think it was his Deputy, William Lynn who was sounding the alarm on this before Mr. Panetta); but, this concern is actually as old as the world wide web,” Mr. Tucker writes. “It dates back to security expert Winn Schwartau’s testimony in Congress in 1991, when he warned of “an electronic Pearl Harbor,” and said “it was waiting to occur.” “More than two decades later, we’re still waiting,” Mr. Tucker observes. “The Pew Report offers, if nothing else,” he adds, “an opportunity to look at how the cyber landscape has changed [since that warning over two decades ago]; and, how it will continue to evolve between now and 2025.”

Potential Infrastructure Vulnerabilities

“A key concern for many of the experts Pew interviewed is infrastructure, where very real cyber vulnerabilities do exist; and, are growing,” Mr. Tucker contends. Stewart Baker, former General Counsel for the National Security Agency; and, a Partner at the Washington D.C.-based law firm Steptoe and Johnson told Pew, “Cyber war just plain makes sense. Attacking the power grid, or other industrial control systems is asymmetrical and deniable…and devilishly effective. Plus, it gets easier every year. We used to worry about Russia and China taking down our infrastructure. Now, we have to worry about Iran and North Korea. Next up, Hizballah and Anonymous,” Mr. Baker said.

Jeremy Epstein, a senior computer scientist working with the National Science Foundation as the Program Director for Secure and Trustworthy Cyber Space, said, “Damages in the billions will occur to manufacturing and/or utilities — but, because it ramps up slowly, it will be accepted as just another cost (probably passed on to taxpayers through government rebuilding subsidies and/or environmental damage), and there will be little information to motivation for the public sector to defend itself.”

“Today,” Mr. Tucker writes, “cities around the world use supervisory control and data acquisition (SCADA) systems to manage water, sewage, electricity, and traffic lights. Last October, researchers Chris Sistrunk and Adam Crain found that these systems suffer from 25 different [significant?] security vulnerabilities,” [not the least of which is that many of these major transformers are in remote areas, and/or lightly protected]. And, it’s not unusual for them to have the same security passwords that came direct from the manufacturer. As writers Indu B. Singh and Joseph N. Pelton pointed out in The Futurist Magazine, “the failure to take even the most basic security precautions leaves these systems open to remote hacking.”

“It’s one reason why many security watchers were hopeful that the Obama Administration’s Cyber Security Framework, released earlier this year, would force companies that preside over infrastructure components to take these precautions; but, many in the security community were disappointed that the guidelines did not include hard mandates for major operators to fix potential major security flaws [vulnerabilities].” I am guessing one reason was cost. We have placed so much burden on our private sector with excessive regulations, mandates like Obamacare and minimum wage hikes, and on and on, that at some point, businesses will stop creating jobs and/or growing…and stop taking prudent measures such as these — until a problem occurs. But, I digress.

“But, some political leaders say that the response from cyber threats has outpaced that of government. Just ask Rep. Mike Rogers, R.-Michigan, Chairman of the House Intelligence Committee, who recently said that private businesses were increasingly asking government to defend them from cyber attacks — from other nation-state actors; and, even launch first strikes against those nations,” Mr. Tucker added. “Most of the offensive talk is from the private sector, they say we’ve had enough,” Rogers said at a recent Washington Post cyber security summit.”

“SCADA vulnerabilities look quaint compared to the exploitable security gaps that persist in The Internet of Things,” — as more and more components are linked and networked together. “Current threats include economic transactions, power grid, and air traffic control. This will expand to include others such as self-driving cars, unmanned aerial vehicles, and building infrastructure,” said Mark Nall, a Program Manager for NASA.

“Other experts told Pew that military contractors, facing declining business for tanks, and missiles, have reportedly overblown the threats posed by cyber attacks to scare up an enemy for the nation to arm against,” Mr. Tucker wrote. “This concern is exaggerated by the political and commercial interests that benefit from us directing massive resources to those who offer themselves as our protectors. It is also exaggerated by the media because it is a dramatic story,” said Joseph Guardin, a Principal at Microsoft Research. “it is clear our leaders are powerless to rein in the military industrial complex; whose interests are served by having us fearful of cyber attacks. Obviously, there will be some theft; and, perhaps someone can exaggerate it to claim tens of billions in losses; but, I don’t expect anything dramatic…and, certainly don’t want to live in fear of it.”

“Guardin is joined by other experts who agree the future of cyber attacks will resemble those of today; big headlines, to little effect. Data and intellectual property theft will happen, possibly causing inconvenience to consumers and revenue loss for corporations; but, the digital apocalypse is not nigh,” Mr. Tucker argues. “There will have been major cyber attacks, but they are less likely to have caused widespread harm. There will be stealth attacks to extract information; and, exploit it for commercial and political gain. Harm to an enemy is only a desire of less sophisticated individuals. Anyone who amasses the ability to mount a major cyber attack, better than their opponent…also doesn’t want to lose their position of advantage. They are likely to shift to strategies of gain for their own position; rather than explicit harm to their victim, which would alert the victim and close off their channels of attack — thus setting back their advantageous position,” said Bob Briscoe, Chief Researcher in Networking and Infrastructure in British Telecom.

“Still others, such as lead researcher for GigaOM Research, Stowe Boyd, said the growing cyber capabilities of states like China almost promise bigger cyber attacks of growing international importance.” “A bellicose China might ‘cyber invade’ the military capabilities of Japan and South Korea as part of the conflict around the [south] China sea, leading to the need to reconfigure their electronics — at huge cost. Israel and the United States have already created the Stuxnet computer worm to damage Iran’s nuclear refinement centrifuges, for example. Imagine a world dependent on robotic farm vehicles, delivery drones, and AI-managed transport; and, how one country might opt to disrupt the spring harvest as a means to damage a neighboring opponent,” Boyd said.

“However real or overblown the threat, the military is rapidly ramping up protective measures. Many of which are in line with what Pew researchers predicted,” Mr. Tucker added.

Cyber Security’s Future: Battle Of The Botnets

“What are some of the tools that we will use to defend networks and individuals from the cyber bogeymen?” Mr. Tucker asks. “Nall looks to even smarter, more self-directed, cyber-defense systems.” “In addition to current methods for thwarting opponents, growing use of strong, artificial intelligence to monitor and diagnose itself, and other systems, will help as well.”

Vint Cerf, a research pioneer who was instrumental in the creation of the Internet, notes that “systems that observe their own behavior; and, the behavior of the users may be able to detect anomalies and attacks. There may well be some serious damage in the financial sector, especially,” he said.

“Roboticized cyber-defense is a project that the military is already pursuing through the Defense Advanced Research Projects Agency’s Cyber Grand Challenge, a capture-the-flag style of competition to develop “automated security systems,” to defend core assets, in other words — programs that detect and respond to threats with minimal human intervention.”

“I hope you start to see automated cyber defense systems that become commercial,” DARPA Director, Arati Prabhakar told the crowd at the Washington Post Cyber Security Summit. “A lot more work has to happen before we can show that it’s possible.”

The Lack Of A Red-Line On Cyber Threats

“Regardless of what sorts of good botnets protect us from evil botnets, cyber attacks could have growing geopolitical implications,” Mr. Tucker wrote. Sen. Jim Inhofe, R-Oklahoma, the Ranking Member of the Senate Armed Services Committee, lamented what he perceives as the lack of a formal doctrine on when and how to launch offensive cyber operations. He said at a recent hearing: “I am concerned with the lack of progress by the administration in developing a policy for deterring the growing number of adversaries in cyber space. This lack of a cyber deterrence policy; and, the failure to establish meaningful norms that punish bad behavior, have left us more vulnerable and at greater risk to cyber aggression.”

Predicting What The Future Of Cyber War Will Look Like

“Speaking to Pentagon reporters in June, ADM. Mike Rogers, Commander of the U.S. Cyber Command, and Director of the NSA, offered his own projection for the future of cyber warfare in 2025, which would look a lot like regular warfare — with more cyber operations and activities thrown in. Soldiers on the front lines would use cyber weapons as readily as they use live ammunition [today],” Mr. Tucker noted. “In the year 2025, I believe…Army commanders will maneuver offensive and defensive [cyber] capability much as they maneuver ground forces today,” Rogers said. “The ability to integrate cyber into a broader operational concept is going to be key. Treating cyber as something so specialized…so unique — something that lies outside the broader operational framework — I think is a very flawed concept.”

Signals Intelligence, Cyber War, And You

“You may believe that a major cyber attack is likely to occur between now and 2025, or you may view the entire cyber menace as a scheme by security software companies,” Mr. Tucker wrote. (The truth may be a mixture of both). “However one thing the threat of cyber war will certainly do is increase the amount of computer, and particularly network government, surveillance to detect ‘anomalous behaviors,’ possibly related to cyber attacks,” Mr. Tucker concludes. “The same recently released Pentagon paper on offensive cyber operations made a pointed mention of networks and the cloud as a potential source of signals intelligence of relevance to cyber operators. Networks were “a primary target for signals intelligence (SIGINT), including computer network exploitation (CNE), measurement and signature intelligence, open-source intelligence, and human intelligence.” “Make no mistake,” he writes, “signals intelligence collection means watching how individuals behave online.”

We Have Become Internet Dependent – Rather Than Internet Enabled

As usual, Mr. Tucker has a thought-provoking article, this time on the future of the cyber threat in the next decade. I am concerned about the Internet of Things and how we have become Internet dependent — rather than Internet enabled. The more networked and interconnected we become through the maze of a very large IT ecosystem, the more catastrophic a future sophisticated and malicious cyber attack could be. And, nation-states may be the least of our worries — though if you read the unclassified Chinese literature on unrestricted warfare — you will realize that Beijing’s military is training to fight in certain scenarios disconnected from their networks, probably assuming that an adversary will attempt to make them deaf, dumb, and blind at the onset of a conflict. But, rebellious cyber militias, or cyber patriots, may also take it upon themselves to strike a huge blow against what they see and believe is an increasingly intrusive government and corporate surveillance campaign against personal privacy.

I would also not downplay the aspects of murder by internet or the potential emergence of a ‘Dr. No’ in cyberspace. And, I also predict we’ll see our first digital serial killer — through attacks on critical care medical devices and instruments at hospitals, nursing homes, and in home health care. These devices and instruments are especially vulnerable.

Finally, however, the adversary isn’t ten feet tall — and, they too have flaws and vulnerabilities. And, the U.S. doesn’t necessarily need to be — and shouldn’t be — wedded to striking back in a cyber manner in response to a cyber attack. Other measures and means should all be on the table. But, one thing we should not do is engage in group-think that weds us to the presumption that “they won’t do that, or they’d never do that.” That is the kind of thinking that failed to appreciate the growing al Qaeda threat on the eve of September 11, 2001. Remember, as Albert Einstein once wrote, “Imagination is more powerful than knowledge.” Or, as the great sci-fi thriller writer Stephen King once wrote, “God punishes us for what we cannot imagine.” V/R, RCP
