Did you happen to see the CBS 60 Minutes episode this past Sunday titled "Sabotaging The System?" It seems like every time there's a TV story or newspaper article about cyber security, I spend the next few days answering questions from people who either want to know if it "could really happen" or "what is being done about it." Maybe it's because I read about cyber events every day, but I just wonder, "Wow! How do people not know about this stuff?" When he was asked about our ability to withstand an attack on the power grid, Admiral McConnell's very candid, "No. The United States is not prepared for such an attack" says it all. This 60 Minutes story is a little different and more attention-grabbing because the public seems genuinely shocked that our nation's cyber-adversaries have actually penetrated our critical infrastructures and seem to have come so far ... without anyone knowing about it!
Unfortunately, most of us in the cyber security business do know, and have watched the vulnerabilities in our critical infrastructure grow over the past few years as hackers and cyber criminals became more skilled in exploiting those vulnerabilities. I talked to a few of my security colleagues yesterday and the common theme to the 60 Minutes story was one of utter exasperation: "I can't believe they let this information out in public" or "this information should be classified" and "this story has made the nation a bigger target." Hmmm. I think a different response is in order.
Maybe the public does need to know? We just finished up with National Cyber Security Awareness month in October and while it's typically 31 days focused on personal computer awareness and identity theft, maybe bigger topics like these cyber events and threats that actually pose harm to our way of life should be the focus. I'm not one for blowing things out of proportion or spreading FUD (Fear, Uncertainty and Doubt) but these threats are real and they aren't going to go away unless we begin devoting the right resources to fix the problems.
The 60 Minutes story wove a thread of several recent cyber events, including the "Aurora" project conducted at Idaho National Labs in 2006, where they proved you could exploit the Internet and cause generators connected to the power grid to self-destruct, and also the Blackout Events in Brazil, reportedly the result of cyber attacks. In the interest of full disclosure, a new article in Wired magazine disputes the 60 Minutes article by stating that the blackout was caused by Sooty High Voltage Insulators, Not Hackers. Jim Lewis, Director of the Center for Strategic and International Studies, adds another scary bedtime story by theorizing that "we probably had our electronic Pearl Harbor" in 2007 when someone broke into DoD, Department of State, Department of Commerce, "...probably the Department of Energy, probably NASA...and downloaded terabytes of information." These are real life events.
President Obama has declared the country's digital infrastructure a strategic asset, the Department of Homeland Security just opened the new National Cybersecurity and Communications Integration Center (NCCIC), and DoD is building the new United States Cyber Command at Ft. Meade, Maryland, next door to NSA. We obviously understand cyber security and cyber threats to our nation's critical infrastructure are important. Maybe this story will provide some new visibility that results in real action.
Ignoring the problem certainly hasn't done any good and for those who believe in 'security through obscurity,' the question is simple - is the cyber security problem in America getting better or worse? While there may be things that the public is better off not knowing, sometimes very stark words like those of Admiral McConnell when he said, "Can you imagine your life without electric power?" make people sit up and pay attention.
I'd like to know what you think. Does presenting this kind of information in the media simply let the bad guys know where our weaknesses are or does it help by shining the light where these problems may be festering in obscurity? Or is it both? Let me know.
* The views expressed are solely mine and nothing stated in or implied from the article should or may be attributed to the state of California or any of its agencies or employees.
Your security colleagues are giving 60 Minutes a bit too much credit. They appear to believe that the sources are correct, accurate, and well-informed, and are NOT intentionally misleading the public. Getting 60 Minutes to run this piece may very well be the coup de grâce of Reverse Social Engineering(tm).
Mark,
It is good that you raise this question about awareness versus obscurity. As the Assistant Secretary at DHS who authorized the INL test on the generator, I and an interagency team discussed the same question - how to inform the electric sector about the vulnerabilities in their systems without providing too much information that could be used by adversaries against us. We chose a controlled, but decidedly more open communication strategy because the risk of keeping it classified and having it exploited without an informed mitigation strategy was too great in our view.
When the now-famous video leaked to CNN, our strategy was suddenly accelerated -- for the better in my opinion. CNN understood the gravity of its responsibilities and covered the story in a manner I thought was extremely useful to our effort to graphically demonstrate the threat to an otherwise unconvinced electric sector, and in a manner that did not expose attack method and other sensitive information.
The 60 Minutes story generally handled the issue well too, but spotlighting speculative quotes prefaced with "we don't really know, but..." and peppered with lots of "probably's" and "electronic pearl harbor" might catch attention, but in my view is counterproductive sensationalism designed to peddle drama and alarm, and doesn't really advance a reasonable understanding of the threats we face.
Maybe we need a little less Michael Crichton and a little more Reader's Digest to get our point across and motivate constructive security behavior in the public and industry.
Greg Garcia
Mark,
A fully informed and fully engaged American people is a force to be reckoned with as history has shown. I believe that we should know about the real threats to our freedom and well being. I believe if we know about these things we can take steps personally to mitigate the impact of some of the possible attacks. I understand there is not much that I can do as a private citizen to curtail these activities but I can be vigilant, prepare my living spaces and family to be as prepared for serious power loss as we are for earthquakes, for example.
I, like many of our fellow countrymen, was shocked and appalled to find out about the events of 2007 from the 60 Minutes story in 2009! As scary as that information is, I find it refreshing to be treated like an adult. If we, the people, had known what we know now, maybe we would have provided the political will to have started to put the NCCIC in place in 2007 instead of 2 years later. Keeping this quiet did nothing to strengthen our nation against this threat.
So push forward with helping our country and Californians, in particular, protect itself and prepare itself for what it cannot protect against.
James McCann
Great post. In the information technology realm information is supreme. The more people understand the role and use of technology, and what's going on, the more likely they are to embrace purpose and responsibility.
There are certain aspects to system security that may require compartmentalization but most operational data should be shared among all levels of management and users. A simple process of defining computer/application/network purpose and what is and isn't allowed is a great 1st step. User education is a great tool to reinforce these objectives. Management is a process. Constant monitoring and tweaking (mgmt input=policy enforcement, user education, change control) is necessary to keep everything aligned and moving in the right direction.
Accidents will happen, we are human, but with situational awareness shared among the masses these circumstances can be addressed quickly and efficiently with minimal disruption. It also helps prevent simmering problems because everyone understands what "should be happening" on the network. It's interesting to note that most IT spend goes towards preventing millions of things that "shouldn't be on the network" (virus, spy, porn) while there are probably only between 30 and 100 that should. Focusing on these and making everyone aware of the status and objectives seems like a good idea to me.
Excellent posting and I want to thank you for your considerate message. I think as Americans we have a right to know what’s happening although I also understand the need to use extreme caution when determining what should be released. As a nation we watch real time reports from the battlefield where our military is fighting, so why shouldn’t we know about cyber events taking place all around us? And now that the proverbial cat is openly out of the bag, the question posed to us all as citizens of this great nation is, “What are we going to do about it?”
When I saw this 60 Minutes report, I thought a little differently than the other responders did. I felt 60 Minutes missed an opportunity. This would have been a great chance to talk about what we as citizens can do to help. And I believe there are some actions that Americans can and should take.
First of all, as Americans under threat of attack, we need a call to action. In the words of John F. Kennedy, “Ask not what your country can do for you — ask what you can do for your country.” While we can look to the White House to provide leadership and make that leadership accountable and transparent, we need to be developing our own actions. Those of us with the ability to educate our companies, communities, friends and families on just some of the basic computer security awareness techniques should do this. This isn’t going to solve the greater national problem, but it’s a start. Are people aware that their own computers can be used to launch attacks against our own nation if they’re missing critical patches or lack security software such as anti-virus or firewalls? It seems minimal, but it’s a way that I can feel like I’m doing something more than worrying about how the Executive Branch will respond.