November 2009 Archives

Sabotaging The System

Did you happen to see the CBS 60 Minutes episode this past Sunday titled "Sabotaging The System"? It seems like every time there's a TV story or newspaper article about cyber security, I spend the next few days answering questions from people who either want to know if it "could really happen" or "what is being done about it." Maybe it's because I read about cyber events every day, but I just wonder: wow, how do people not know about this stuff? When he was asked about our ability to withstand an attack on the power grid, Admiral McConnell's very candid "No. The United States is not prepared for such an attack" says it all. This 60 Minutes story is a little different and more attention grabbing because the public seems genuinely shocked that our nation's cyber-adversaries have actually penetrated our critical infrastructures and seem to have come so far ... without anyone knowing about it!

Unfortunately, most of us in the cyber security business do know, and have watched the vulnerabilities in our critical infrastructure grow over the past few years as hackers and cyber criminals became more skilled in exploiting those vulnerabilities. I talked to a few of my security colleagues yesterday and the common theme to the 60 Minutes story was one of utter exasperation: "I can't believe they let this information out in public" or "this information should be classified" and "this story has made the nation a bigger target." Hmmm. I think a different response is in order.

Maybe the public does need to know? We just finished up with National Cyber Security Awareness month in October, and while it's typically 31 days focused on personal computer awareness and identity theft, maybe bigger topics like these cyber events and threats that actually pose harm to our way of life should be the focus. I'm not one for blowing things out of proportion or spreading FUD (Fear, Uncertainty and Doubt), but these threats are real and they aren't going to go away unless we begin devoting the right resources to fix the problems.

The 60 Minutes story wove together several recent cyber events, including the "Aurora" project conducted at Idaho National Labs in 2006, where they proved you could exploit the Internet and cause generators connected to the power grid to self-destruct, and also the blackout events in Brazil, reportedly the result of cyber attacks. In the interest of full disclosure, a new article in Wired magazine disputes the 60 Minutes article by stating that the blackout was caused by sooty high-voltage insulators, not hackers. Jim Lewis, Director of the Center for Strategic and International Studies, adds another scary bedtime story by theorizing that "we probably had our electronic Pearl Harbor" in 2007 when someone broke into DoD, Department of State, Department of Commerce, "...probably the Department of Energy, probably NASA...and downloaded terabytes of information." These are real life events.

President Obama has declared the country's digital infrastructure a strategic asset, the Department of Homeland Security just opened the new National Cybersecurity and Communications Integration Center (NCCIC), and DoD is building the new United States Cyber Command at Ft. Meade, Maryland, next door to NSA. We obviously understand cyber security and cyber threats to our nation's critical infrastructure are important. Maybe this story will provide some new visibility that results in real action.

Ignoring the problem certainly hasn't done any good, and for those who believe in 'security through obscurity,' the question is simple: is the cyber security problem in America getting better or worse? While there may be things that the public is better off not knowing, sometimes very stark words like those of Admiral McConnell when he said, "Can you imagine your life without electric power?" make people sit up and pay attention.

I'd like to know what you think. Does presenting this kind of information in the media simply let the bad guys know where our weaknesses are or does it help by shining the light where these problems may be festering in obscurity? Or is it both? Let me know.

* The views expressed are solely mine and nothing stated in or implied from the article should or may be attributed to the state of California or any of its agencies or employees.
