Tuesday, February 26, 2013

"Fire Sale", Napolitano, "Cyber 9/11", is it Probable or Just Possible?

This article was originally published in January of 2013 on 10GbE.net.


We're going to zero in on a low profile Cyber Warfare story that I'm surprised saw such little media coverage. Thursday U.S. Secretary of Homeland SecurityJanet Napolitano talked publicly at the Wilson Center (a DC Think Tank) on the looming threat of a "Cyber 9/11" with the potential for a hurricane Sandy like outcome. Wow, now that's a current image that evokes fear. When I first learned of the story Friday morning my initial impression was that perhaps earlier in the week Secretary Napolitano had picked up Bruce Willis's 2007 movie "Live Free or Die Hard" in the discount bin at the Walmart and watched it a bit too late one night. The skeptic who brought this story to my attention pointed out that it was perhaps a veiled attempt to grab more budget, and create even more regulation & government oversight. 

Now I'm not just some random blogger with an opinion, and no street creed to back it up. I started hackingback in 1983 as a hobby with my TRS-80 Model III when it was still cool, and legal. "War Games" had just been released, and ethics were the only rules. Later that year I was hired by IBM Research, a company I remained with for 16 more years. During that time I'd tied many different systems together. At one point I worked side by side writing code for Davis Foulger to link Prodigy, Compuserve, AOL, and IBMPC (the IBM internal social network) together so IBMers could answer customer questions from anywhere using a single internal system. In the late '90s I designed and created a solution for the company that linked many different systems together and in 1999 it collected $2B in revenue. This effort earned me an IBM Outstanding Technical Achievement Award, but to pull this off we also created a state of the art hacking tool for Lotus Domino to certify that our system was secure, which almost landed us in jail. So I know a bit about cyber security, and linking together different systems.

So is a "Fire Sale", a "Cyber 9/11", probable or Just possible? Possible, definitely. Probable, within a reasonably defined scope, say a single city, and it would require substantial capital to motivate and assemble a team with the proper skills. The team would need to touch every power grid, water, sewage treatment, mass transit, oil refinery, financial trading, etc. system within the scope. These systems don't need to be Internet connected, people are always required to service, and inspect them, and internally they are often networked together. One would simply have to crack the case off a $100 Verizon 4G USB Cellular modem, then 3D print a new case branded to match the software product that industry runs so it would be camouflaged as a USB software license key. It could go unnoticed forever unless they did an active RF sweep. Prior to inserting this USB stick another containing a modified version of Operation Olympic Games(Stuxnet) could be used to open the security hole and inject the software, then the 4G connectivity would be used to continuously report back, and eventually carry the trigger message to bring the system down. The right mix of social hacking, posing as contractors doing repairs, or government regulators conducting inspections, even OEM system engineers doing required service could easily facilitate this objective.

George W. Bush authorized Operation Olympic Games in 2006, during Homeland Security Secretary Michael Chertoff's time in office, why wasn't this considered and addressed seven years ago? Secretary Napolitano has been in office three years now, and all of the sudden it's a priority. Our government could form it's own cyber security Tiger Team. This team could then covertly attack key industries, and report back to these firms their findings, and the appropriate counter measures. These attacks would simply demonstrate vulnerabilities, not bring down systems. Since the early '90s IBM has had it's own Security Tiger team, "Global Security Analysis Lab", that regularly trained key three letter agencies. I met with their leader in the late '90s to provide him with a copy of our IBM Internal use only Lotus Domino ethical hacking tool. 

A "Cyber 9/11" can be prevented, but regulations aren't the answer, that process is far too slow and rigid. An elite group of patriotic, well compensated, cyber professions could do in two years what the administration has ignored in the past seven years. Only time will tell.

No comments:

Post a Comment