When I read defense secretary Leon Panetta’s recent comments warning of a potential “cyber-Pearl Harbor,” I experienced, to plagiarize Yogi Berra, déjà vu all over again.
With New York’s Intrepid Sea, Air and Space Museum as a scenic backdrop, Panetta outlined the plot to a pretty fair cyberpunk novel: Well-financed computer hackers from hostile nations launch simultaneous attacks on America’s critical infrastructure in combination with a physical attack. They wipe out America’s financial networks, take down the power grid and deprive thousands — if not millions — of electricity, while our transportation system slows to a crawl and government is helpless to stop it. This cyber-Pearl Harbor would “cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”
The only thing missing is, “Only one man can stop it…” Panetta continued with a series of scintillating “what if” scenarios:
An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches. They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.
OK, Leon, stop for a sec… Why would passenger trains carry lethal chemicals, unless you count the thousands of gallons of 7-Eleven Big Gulps that passengers carry on Amtrak every week.
At any rate, Panetta rounded up the usual suspects of American geopolitical malfeasance — China, Iran, Russia, and various militant groups. I suppose he left out North Korea, because you can’t pierce America’s vast computer infrastructure using DOS and a 2400-baud modem over a phone line.
Now, compare Panetta’s comments with those from 16 years ago during President Bill Clinton’s first term, when CIA director John Deutch warned of “electronic Pearl Harbor” attacks on crucial information systems. “The electron is the ultimate precision-guided weapon,” Deutch told a Senate subcommittee. “I’m certainly prepared to predict some very, very large and uncomfortable incidents in this area.”
I suppose I shouldn’t be surprised Deutch confused “electron” with “software.” After Deutch resigned later that year he violated national security protocols, when he took his CIA-issued laptop home and exposed classified material to the Internet. Nevertheless, sworn to safeguard the nation’s air traffic control, banking and finance systems, power plants and the military (and presumably it’s subcontractors) against crippling hacks and computer viruses, Deutch spoke of hostile nations and terrorist organizations developing technologies to penetrate American information systems. In fact, he claimed, “some already have.” Unlike Panetta, he resisted the urge to name them.
The following month, in July 1996, Jamie Gorelick, a Deputy US Attorney General, ratcheted up the rhetoric: “It’s just a matter of time before we have a cyber Pearl Harbor,” adding oil and gas, water supply, emergency services and government operations to Deutch’s list of critical areas that must be protected, because their information systems, “are so vital that their incapacity or destruction would have a debilitating impact on a regional or national level.”
Despite the FUD (“fear, uncertainty, doubt”) I probably need not point out that in the intervening decade and a half, the power grid did not short out except in brown outs during heat waves; planes did not fall from the sky; you can still drink tap water (unless you live in a county that allows fracking); the financial and banking crises were self-induced; and the only train accidents have been Amtrak’s fault. Remember the “millennium bug,” when computers were supposed to go haywire at the moment the clock struck the year 2000? Someone made a TV movie out of it. But nothing happened.
Panetta then cited the hack attacks on Saudi Arabian state oil company Aramco and RasGas, a Qatari natural gas producer, which US officials believe originated from Iran. In the Aramco hack, Panetta said the Shamoon virus replaced files with a burning US flag image and harmed 30,000 computers. How novelistic!
Panetta is deploying Tom Clancy cyber-Pearl Harbor rhetoric to advance an agenda: Legislation that would require new standards at gas and oil pipelines, power plants, water treatment facilities, the kinds of critical infrastructure where a computer attack could cause significant damage. Joe Lieberman, Independent senator from Connecticut, authored the bill, and the Democrats support it. But like almost everything that hits the Senate, Republicans, in this case led by Senator John McCain of Arizona, joined with the US Chamber of Commerce to block it. The reason? Even though the proposed regulations had been defanged and were voluntary, they claimed they were too onerous to business.
This is not to say that the US doesn’t face digital enemies. The main culprit is China, which has for years treated the US as one giant R&D lab, siphoning technology from Silicon Valley and elsewhere from thousands of miles away. One government computer security professional told me that Chinese hackers are especially good at a tactic known as “spear-phishing.” Undoubtedly you’ve received email from spammers alerting you to an issue with your PayPal account or your bank, or Facebook needs you to reset your password, or someone has posted embarrassing photos of you online — just click on the link or attachment. If you fall for it, an unscrupulous hacker could take over your account, or your computer, which he could use to penetrate your employer’s corporate network. After a little intel, the Chinese email engineers involved spoof the address of a supervisor with an attached spreadsheet labeled with the name of a project or links to a fake site that contains potent malware. All it takes is one engineer to fall for it.
China is also an active purchaser of 0days (it stands for “zero days”), unpatched and usually unknown bugs in software that an attacker can use to penetrate a computer system. But you know who’s the biggest buyer, stockpiling these exploits like digital arms? The US government, which is also perfecting offensive measures to wage war over computer networks. The New York Times reported that President Obama, in his first months in office, accelerated attacks begun during the Bush administration on computers that run Iran’s nuclear enrichment plants.
Amidst this binary code free-for-all, there are common sense strategies to prevent attacks on vital computer networks. You’ve heard of too big too fail? How about too vital to leave exposed? Chris Wysopal, co-founder of Veracode, a computer security firm, suggests standards of reliability to govern computers that control critical functions. “We have regulations around the safety of water systems, electrical systems, and transportation systems, because failures, human and natural, happen,” he says. The simplest way would be to insert an “air gap” between a computer that controls a vital function — like at a power plant — and a network connected to the outside world. That way if a network were compromised through spear fishing or other methods, a foreign attacker could not gain access to that computer unless he was physically present.
“You can have a separate network connected to the corporate network for control operators to access corporate email and internet access,” Wysopal says. A “firewall could be set up so that processes can send data out to the corporate network for billing and accounting purposes but the corporate network cannot reach back in.”
Of course, Congress would have to function for any government-private industry partnership to flourish. Meanwhile, some private businesses have been taking things into their own hands. Wysopal’s firewall is the setup for a refinery at a major oil company, which made it virtually impregnable to outside attacks. “A refinery costs about $2 billion to build so you can see why they were concerned about it blowing up.”
A former member of L0pht, the famed hackers collective, Wysopal and his cronies testified before Congress in 1998 that they could take down the entire network in 30 minutes. So listen when he now says, “We don’t need hype about this; we just need logic.”
Someone please tell that to our secretary of defense. Oh, and also what he’s talking about is nothing like Pearl Harbor, a sneak attack that wiped out most of America’s Navy and led to the US entering World War II.
Panetta doesn’t even have the right metaphor.
[Image courtesy x-ray delta one]