07.19.12

The President delivers his cyberscare story

Posted in Cyberterrorism, Imminent Catastrophe at 6:31 pm by George Smith

The President delivers his digital Pearl Harbor story, not using the phrase because he presumably has been told of its exposure to ridicule, in the Wall Street Journal (excerpted):

Last month I convened an emergency meeting of my cabinet and top homeland security, intelligence and defense officials. Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud. Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill.

Our nation, it appeared, was under cyber attack. Unknown hackers, perhaps a world away, had inserted malicious software into the computer networks of private-sector companies that operate most of our transportation, water and other critical infrastructure systems …


It doesn’t take much to imagine the consequences of a successful cyber attack. In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we’ve seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill …


For the sake of our national and economic security, I urge the Senate to pass the Cybersecurity Act of 2012 and Congress to send me comprehensive legislation so I can sign it into law.

It’s time to strengthen our defenses against this growing danger.

Nothing new in the lede graphs, the President resorting to the stock scary cyber-wargaming and scenario-concoction the US national security apparatus has delivered since … always.

Historically, the meme is invariant, delivering news that everything is vulnerable. The entire nation falls over from surprise cyberattack.

First, let’s deal with the alleged coordinated attack on trains, one which causes them to jump the tracks, releasing toxic chemicals everywhere.

If you think about this a little it falls apart.

The US has a rail system, like all countries, and mistakes happen occasionally. These cause accidents and derailments.

And throughout the nation there are lights on the tracks that signal switches open and closed, and warning and so on. Plus there are controllers. Plus people who react immediately to sidestep or remedy problems.

There is not one master switch for all rail, hubs are scattered all across the US, thousands of them, I imagine.

So, with one sentence, you are asked to believe there’s going to be an attack on specific trains loaded with what just happens to be specifically dangerous chemicals so that it or they jump the rails and cause a national catastrophe?

The intelligence requirements just to start thinking about that are beyond belief. This belongs strictly to the last Die Hard movie, the one where the fired Pentagon security contractor battles McClane.

“Trigger the accidents and the release of the poison gases now!” cackled the fiend from deep within his cyber-bunker, somewhere in the eastern hemisphere.

So shame on President Obama or, more likely, a staffer for putting it in. So the occasional bad rail accident from normal human error will remain more likely than hack or cyberwar attacks on the same.

The presumption that this has changed, or is about to, is senseless.

To make another counterpoint, there is little to zero evidence reservoirs and water systems can be significantly damaged by cyberattack, even if one grants the minor possibility of remote trifling with pumping systems.

The hazard posed to water supplies was worked out early in the war on terror, motivated by fears of chemical and biological terrorism aimed at them.

Water is difficult to ruin, unless one is speaking about massive oil spills, run-offs into rivers from mismanaged chemical plants or massive industrial accidents that release materials into natural waterways.

Every year such events happen throughout the US. Recovery is swift.

In addition, water purification and supply is a nationally distributed matter. There is no way to universally degrade it in the United States.

For example, my brain tells me, and it’s usually pretty good at these things, that it would be virtually impossible to affect water in Los Angeles County short of destroying the Owens Valley, the Los Angeles Aqueduct, the Colorado River and the Colorado River Aqueduct. It would take an almost irreversible blackout in California to hinder the flow of water into LA County.

What, could hackers or cyber-soldiers blow up Pasadena Water & Power or make the complex unusable and all the water unpotable?

How do you do that locally in Los Angeles, one of the most populous places in the world? Water supplies in ponds are scattered everywhere, there is no one central water supply and plant to do something to.

Theoretically, if you believe someone can turn up the addition of chlorine, so what? You can’t supersaturate water with it. There is no way to turn water into bleach in everyone’s tap from the Internet. You can’t turn it into poison in any serious way. You can only try to turn it off.

Details matter, not a potential bluff by one hacker, published in hundreds of stories — truth being determined by the number of people convinced to reprint exactly the same thing — that “[said] hacker posted pictures of [a water] facility’s internal controls.”

This matter was more of a personal publicity stunt executed through PasteBin by a hacker personally indignant at the Department of Homeland Security over what he saw to be its dilatory attitude toward the dangers posed to the nation’s water system.

Indeed, using one minor news story, never really followed up, to make a case that the entire nation’s water is threatened is an obvious kind of propaganda.

Further, how could cyber-soldiers or hackers make doctors stop dealing with the sick in hospitals? They’ll turn off the power and corrupt all the patient data, never mind the senselessness of doing both.

Just go with me for a minute.

They’ll take away Internet connectivity and e-mail, and put ridiculous and dangerous results in digital logs of patient records, like prescribing insulin shots for everyone except the diabetics or Viagra for people with really bad tickers. Then the staff will roll out the needles, pills and drips and put everyone into a coma.

Ahem. Do you really think that the practice of medicine hasn’t had years of experience dealing with bad or screwed up e-mail, malware, and criminal pests who get into networks?

Anyway, it is exceptionally bad to try and stampede people into believing stupid things through the use of fear, no matter how well meaning you are.

In his essay the President is working from the script that the United States can be turned off with select manipulation of a few switches. This is an absurd construct, but an old one, and something that can also be dubbed a zombie lie.

Finally, readers can take note of the placement of this in the Wall Street Journal, the newspaper of the financial system.

Attack on the financial system has become a regular part of the mythology used to influence policy makers, even though it’s to laugh. Consider the state of the economy and the predicament of the 99 percent. The financial sector might be attacked! Really?!

What, exactly, would that do to the 99 percent? Not a trick question.

From last week, mirrored at GlobalSecurity.Org (excerpted):

Cybersecurity is a serious national issue. But the implication that it is the issue or that your future is disappearing in front of you due to the lack of it should put a bug up your a–…


[If] you conduct a meaningful public poll on how much average Americans really care about “the financial sector” being protected against cyberattacks, you might get an earful on how they’d like to be protected from the financial sector. Bank of America and Wall Street aren’t going to be popular again for a good long time. This is called ignoring the big picture, or historical context, and it has always had meaning for issues in national security. You cannot defend something or win the war when the little people, the locals, have little or no interest or incentive in rallying to your side.

Put another way, it’s impossible to ultimately secure an infrastructure of businesses the majority believes to be corrupt.


For the sake of a discussion that emphasizes the gravity of dealing with cybersecurity it’s just easier to quote someone higher up, like Leon Panetta: “Technologically, the capability to paralyze this country is there now.”

It works in talks even though the people who’ve been around since the beginning quietly hoot and roll their eyes.

I didn’t care much for your decision to use computer viruses as weapons either, Mr. President.


The argument about careless connection of remote systems to the Internet has been with us for a very long time. People have been saying this for years. Exercise caution when connecting stuff that you believe to be critical.

Some people do. Some don’t. Some do it and add security or presume they have. Others just put it on-line so they don’t have to be on-site all the time. This is the way of things and it probably always will be.

So, yes, there are going to be security problems but where are they in the entirety of the big nation and is there a master map?

These are unquantifiable questions no one can really answer except to say managing the security of such things and the risk imposed is a day-to-day battle.

The problem arises when it is all spun, as the President has done for effect, into a message of fear, delivered from the notion that it is trivial to collapse the nation from remote access, all for the motivation toward a policy.

There are arguments and debates to be made on this to persuade people, but sincere efforts take time and aren’t served by stuff like this. Yet it has always proven convenient to go with the pungent essay seasoned with fearful examples.
