The Threat Is Real and Must Be Stopped: Clarifications And Rebuttal by An INFOSEC Professional
On October 17th the New York Times “Room for Debate” section had a piece by Senator Joe Lieberman with the title “The Threat Is Real and Must Be Stopped,” in which he describes the dire need for his legislation to be passed, legislation that was in fact recently blocked by the Senate. In this commentary Mr. Lieberman makes assertions about the national security issues surrounding the threats to the nation from computer hacking and how “easy” it is. While I can agree with some of his commentary, such as the need to secure the nation’s critical infrastructure, I diverge greatly from his assessment that things are as dire as he seems to think they are. Why? Because I actually have been working in the computer and information security industry since the late 90’s and have first-hand experience with what he’s talking about.
As a penetration tester for many years, I have seen the networks of some of the largest corporations as well as the US government, and yes, there have always been cases of egregious lapses in basic security and a lack of real care on the part of companies and those who run them. In fact, more times than I can count, I worked as a consultant to show them where they were in fact vulnerable, only to discover later on that nothing had changed a year or so after an assessment because the changes required were perceived by company management as too costly or too hard to implement. In other cases, I saw companies and agencies that did in fact know their stuff and had measures in place to protect their assets and their clients. It all really depends on the company and its security consciousness. Today though, this is all the more important because of the connectivity everyone has allowed to the internet. So, while I can understand the dire nature of what Mr. Lieberman is alluding to in one respect, this does not mean that we are on the cusp of a national incident due to a point-and-click hack perpetrated by a “high school dropout” either.
Yes, Mr. Lieberman, security of the critical infrastructure is important, and yes, there must be protections put in place to prevent the hacking of our power systems, hospitals, water facilities, and the like. However, to date, there have been no major outages due to an act of nation state or “other” hacking attacks against our systems on a greater scale, other than a water system in Australia, by an insider attack (i.e. a former employee who was mad). So, could these attacks happen? Sure. Could they be of the biblical proportions that you and others like Leon Panetta have been screeching about recently in the press? No, not really, as far as I and others I talk to within the hacking and information security community are aware of or worried about. In fact, sir, we often have to bite our tongues and cover our ears when you all are speaking on the subject, because you do not have the requisite knowledge to understand the underpinnings of what it is you are talking about, and we do.
I surmise then that the questions for us all are these: “Is there a real problem here, and what can we do to fix the problems that do exist?” Let me answer you with the following riposte. Yes, there are problems, and yes, on average, I and others like me have found that the private companies that hold such infrastructure or intellectual property (think ITAR data here) are often averse to spending the money and the time to protect these assets. It is just not a financial driver on their part, because it directly affects their bottom line on the balance sheet. Why? Because security is a “cost center.” Security likewise is a lot like insurance, at least perceptually to companies, because really, what are the odds that they will be hacked? For that matter, there is even insurance you can buy for such an instance, though often these policies require that you are in fact doing your due diligence to protect your infrastructure, so they likely have not bought it because, well, they’d then have to do all the work to secure their networks and data. So, we have a conundrum.
So, Mr. Lieberman, with all of this said, let me also delve a little into the complexities of hacking the “infrastructure” that you and others seem to misunderstand. Sure, I or anyone with a little skill can go use the “nefariously named” Shodan to scan the internet for SCADA (supervisory control and data acquisition) systems that may in fact be online; however, this does not mean that they are inherently insecure. Yes, some have been found, likely many, that have little to no security on them. Default passwords and setups abound, but, to date, the lights are still on and the water is still running. It has been quite a while in “internet” time since Shodan opened its doors, and we have had ready free access to “Metasploit” for just as long; both are tools common to the hacker and security community, not so arcane either, and yet the world has not ended. I say to you, sir, right here and right now, were things as dire as you and others of your ilk make them seem, we would already have had a major nuclear reactor failure or massive grid implosion due to someone, nation state or otherwise, messing with the systems.
Once again, Mr. Lieberman, I agree with you: the infrastructure needs protection, and the companies that hold it should be regulated, or somehow mandated, to uphold the security standards needed to protect it and us from destruction by means of electronic attacks. However, I do not believe that you and others railing and moaning about things which you do not really comprehend is going to make that a reality. It in fact makes you look more and more like a Chicken Little type of character than anything else to the hacker and information security community, as I assume it does to others in the know on these matters. All of these prognostications of a dire “Cyber-9/11” or “Cyber Pearl Harbor” may give us a chuckle, but they only serve to scare people into action, and so far, in your case with this bill, it did not work, did it? Perhaps it’s because of the ridiculousness of your case’s lack of solid evidence to back your statements. Or maybe it’s just that people in general have not seen what you are saying is going to happen imminently having happened at all elsewhere before.
At the end of the day though, all my community sees is just another government official overstating the facts concerning a new and scary “warfare” in our ever-increasing security state in hopes of passing legislation with their name on it. There are no hard facts here in your opinion piece other than the names of tools and players in recent acts of hacking. There has been a trend in government and military circles, since the presence of Stuxnet was revealed to the world, of a great “Cyber-land-grab” of sorts that I and others have been watching and worrying about, though. You and others within the government are now beating the war drum over terms like “Cyber War” when you really do have very little comprehension of what that really means, and this is the scariest thing for us all to watch. So much so that now, since the Senate and House could not agree on measures for “cyber security,” the president is seeking a unilateral method of protection in an “Executive Order.” There have been stories about how such an order could “shut down the internet,” and frankly, that’s just a bad idea.
Sir, I recommend to you, and others like you, to engage the security community more and not be led by the news cycles out there on these issues. The mainstream media all too often is not clued in on how things really work and, of course, likes a good headline to sell air time. Take the time to really understand the dangers, or lack of them, in this arena of information technology. Do not just buy into those beltway bandits who might want to sell you their plans to protect the infrastructure; get committees of people like Jeff Moss and others who really know the terrain to talk to you about the issues, and really, don’t run off half-cocked with ideas of what “might” happen as being the gospel of what “will” happen here. Your opinion piece in the New York Times was one of those times where you only had half of the picture and chose to lament how dire things are, when in all reality, they aren’t. I encourage you to engage the security community, listen to all sides, and make smart decisions instead of sounding like Chicken Little.
Scot A. Terban