07.22.12
The President’s ‘Doomsday Cyberattack … Unrealistic’
From SecurityNewsDaily, on Friday:
The president’s opinion piece, placed on an editorial page usually hostile to his administration, was aimed at Senate Republicans who had opposed an earlier version of the bill on the grounds that it would create a new regulatory bureaucracy …
Meeting stiff opposition from conservatives, the bill in its original form could not garner the 60 votes needed to break a Senate filibuster. So yesterday (July 19), Lieberman introduced a watered-down version of the bill that removes the mandatory provisions and instead makes compliance with new cybersecurity standards voluntary.
The revision offers inducements for companies that choose to comply, such as protection from liability relating to a security incident …
Digital security experts are divided over whether the bill is necessary, and even whether the dramatic scenes depicted by Obama in his opinion piece are even possible ..
“Has a major attack happened? No,” said Steve Santorelli, a security researcher at Team Cymru in Lake Mary, Fla., who’s worked in the past for Microsoft and Scotland Yard. “Are they scanning and exploring? Almost certainly someone is, but it’s not clear exactly who or why.”
“There’s going to be an attack on specific trains loaded with what just happen to be specifically dangerous chemicals so that it or they jump the rails and cause a catastrophe?” asked George Smith, an expert on national-security technology at GlobalSecurity.org in Washington. “This belongs strictly to the last ‘Die Hard’ movie.”
“They could have run a simulation based on the plot of ‘Independence Day,'” said Julian Sanchez, a research fellow specializing in technology at the libertarian Cato Institute in Washington. “That would not be a ‘sobering reminder’ that alien invasion is ‘one of the most serious economic and national security challenges we face.'”
“There is little to zero evidence reservoirs and water systems can be significantly damaged by cyberattack, even if one grants the minor possibility of remote trifling with pumping systems,” Smith said. “Water purification and supply is a nationally distributed matter. There is no way to universally degrade it in the United States.”
A number of people were cited on what manipulation through SCADA might be able to do. The arguments remain the same.
Because something is vulnerable, often just potentially so, everything is vulnerable everywhere. And we have a peeping Tom at my apartment building so just think if he were at your place and became more ambitious, wanting to get into your rooms!
Because something, read everything, is computerized, and it is so easy to act maliciously through the net, everything is at risk.
Often the concerns are sincere. Often many are simply manipulative, too. We can agree it is good to always be mindful of security. However, there was a point, one we’re now past, when the story-telling turned abusive and strained.
Example:
Despite the fact that the facility’s computers were not connected to the Internet, Stuxnet got in and changed the software on programmable logic controllers (PLCs) operating uranium-processing centrifuges, causing them to spin out of control and setting back the Iranian nuclear program by more than a year.
“Many of the fundamental problems are caused by software vulnerabilities in PLCs that are impossible to fix,” Santorelli said. “They were never designed to be secure because the folks that developed them, like everyone else, never really saw this threat coming when the systems were built a generation ago,
“It’s sobering to think that the same PLCs that Stuxnet attacked are also in the rides that we take our kids to in theme parks every weekend,” Santorelli added.
So because a complex computer virus the US government developed and sent into the world, children at Disney’s and Dorney’s through the US are menaced by stuff our many anonymous enemies might make.
Security hawk arguments always work the same way.
Because we have done something, or can do something, and insist that it is trivial to duplicate, everyone else can and will do it to us. And the consequences will always be worse. All that is man-made is eventually vulnerable will be attacked.
“The stupid stupids at the Department of Homeland Security are dangerous, so as a demonstration I will now threaten to cause more alum to be put into a smallish tank of water somewhere in Houston!” cackled the fiend from his cyber-bunker, somewhere in the United States.
Meanwhile, the country passes through a decade of decay from much more well-explained and now mundane real world happenings.
And the security fixation on proving that everything is vulnerable, that not enough defenses are in place and that the defenders are not being listened to, their work threatened, occasionally will result in the potential for giving us the pleasure of another Bruce Ivins.
Again, my counter-arguments to the President’s opinion piece are here — at Globalsecurity.Org.
Many years ago — the late Nineties — I contributed a number of opinion pieces to the Wall Street Journal, all on computer viruses and cyberwar.
One, from 1998, is here: