The Press a Software Button & Blow Something Up in America meme is a constant in mainstream news on cybersecurity and the often very alleged vulnerability of the infrastructure. It has become so omnipresent that many implicitly believe all such assertions, often in the almost complete absence of compelling evidence.
It is unsurprising that the Congressional Research Service be asked to issue something on such matters, or that it would independently perform an analysis, because the subject is topical.
It is a short report — 13 pages — because there is no information on pipelines in the national infrastructure being damaged by cyberattack.
Since this is the case, the CRS must resort to doing what everyone else generally does when left with a paucity of material: cite from poor sources, take examples from standard industrial accidents, mention trivial al Qaeda net propaganda and discuss only generally network intrusion and the US-made malware, Stuxnet.
Problems exist with such an approach.
First, there have been no acts of terrorism perpetrated against US pipelines through cyberspace.
Small collections of news reports of cases in which Americans interested in aiding al Qaeda in the last ten years in aspirational conventional bomb plots against pipelines, which the CRS mentions, are irrelevant.
Citation of brief, mostly fact free, news reports on an al Qaeda video urging an audience to attack the infrastructure of the US electronically is not compelling evidence of anything, particularly in light of the fact that the terror organization has never demonstrated capability in this area.
It is, however, some evidence of a standard wishful, or aspirational thinking.
Wanting to attack the infrastructure through cyberspace, because terrorists may have read in western sources that it is easy to do so does not confer a capability or demonstrate a vulnerability.
Historically, al Qaeda has published many exhortations for followers to attack the United States in a multiplicity of ways, often reacting to mainstream western news in which experts say or imply such strikes would be easy. While the issuing of such calls has occurred with regularity it has not been backed up by significant action.
If and when a federal assessment in 2011 concluded “with high confidence that the threat to the US pipeline industry is low,” it may actually be true.
Citation of three industrial accidents caused by worker error and industrial breakdowns in the US pipeline industry do not demonstrate that the same industry is vulnerable to cyberattack.
Computer network intrusions in the pipeline industry, unless the details are specifically described, do not imply or, worse, prove the pipeline infrastructure can be damaged through remote attack.
Malware and intrusions occur everywhere there are networked computers, daily. They are security problems that must continually be dealt with, and the risk managed.
Citation of a report by a computer security company, McAfee, on the nature of threat or risk, in this case on cyberattacks against global energy companies, should always be accompanied by caveats that such reports are well known to be untrustworthy.
A recent ProPublica news article on such security software industry reports contained the quote, from researchers at Microsoft, which, as a rule, does not issue these kinds of things: “Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings.”
And if the Stuxnet virus is going to be used in a discussion to imply vulnerability in US systems, it should also be noted that it is now widely accepted that this particular piece of malware was engineered by an American military or intelligence team of programmers specifically to attack the Iranian nuclear program. While the program was successfully attacked, there are conflicting views on the degree of setback it received due to Stuxnet. Despite the presence of the malware, the program continues — as shown by this large collection of recent news cuttings.
The same team responsible for Stuxnet is also recognized to be continuing to write and dispense malware for infiltration and potential strike against various infrastructures in Middle Eastern nations with confusing and difficult to assess or cryptic results.