The Threat Is Real and Must Be Stopped: Clarifications And Rebuttal by An INFOSEC Professional DRAFT II
Qf evfpdm jaye qpvbgs mo cubc
On October 17th the New York Times “Room for Debate” section had a piece by Senator Joe Lieberman with the title “The Threat Is Real and Must Be Stopped” in which he describes the dire need for his cyber security legislation to be passed. In this commentary Mr. Lieberman makes assertions about the national security issues surrounding the existential threats to the nation stemming from computer hacking and how “easy” it is. While some of his commentary I can agree with such as the need to insure the security of the nations critical infrastructure I disagree greatly on his assessment being as dire as he seems to think it is. Why? Because I actually have been working in the computer and information security industry since the late 90’s and have first hand experience with the systems and networks that he is going on about and there are far too many unknowns at this time to be making such prognostications such as there will be a cyber 9/11 unless we pass his bill.
The issue of just how hard or easy it would be to pull off an credible existential threat type of attack on the critical infrastrucuture today is up for debate even within the security community. The complexities of the systems involved as well as their connectivity have never really been fully investigated and should be before we start to worry about legislation to mandate check box security to protect it. The problems sir are far too complex for any bill such as Sarbanes-Oxeley or yours to tackle and in fact past experience has shown that SOX regulations as well as HIPAA are essentially useless in actually protecting networks, systems, and data. The best of intentions often still yield poor results when one fails to understand the problem at hand. I would suggest that the Senate undertake an investigation of every critical infrastructure network before they begin to mandate how they should be secured as due diligence. Without really understanding the problems you will be just adding useless oversight to private corporations that are already anathema to spending more of their capital dollars on security as it stands.
So far though Senator Lieberman I have only seen gross generalities out of you and others like you in government about how dire things are and how scared we all should be. Your hue and cry ultimately lacks any hard evidence for any of us in the security community to stand behind as that the issue is real and it is so prescient that action must be taken post haste. Nor do you really seem to be understanding the issues at hand enough to really come up with legislation that would be helpful to us securing the nation’s infrastructure properly. It seems at the most you want to have blanket rules mandating the companies protect their assets but, at what cost? At who’s control and oversight as well? Are you suggesting that the government then be in charge of penetration testing and auditing of these companies with critical infrastructure assets? If so, let me enlighten you to an aphorism you may be familiar with; “Physician heal thyself” I and others like me would personally like to see the government take their own networks to task before mandating private companies security standards and oversight. Currently many government networks are a security shambles and can be attacked very easily while private companies are in fact much harder because they oft times take security much more seriously than the .gov space does. So sir, please clean your own house before you demand to see mine clean and send officials to insure that it has been done.
Senator, in the end I frankly think that you have your heart in the right place, others may see your machinations as more of an attempt to keep yourself relevant in the Senate and the news cycles. Either way, your actions such as the opinion piece in the N.Y. Times only serves to whip up the FUD (Fear, Uncertainty, and Doubt) within the general populace by using scary language and innuendo about how the scary hackers out there are going to turn off their lights and water. An example of this is the following quote from your piece:
National security experts from Republican and Democratic administrations — privy to our best intelligence and analysis — all agree this threat is real. So, I am mystified by claims that it is not. Free, downloadable hacking tools, like the nefariously named Metasploit and Shodan, are becoming more powerful and easier to use every year. A researcher who used one of those tools found over 10,000 industrial control systems connected directly to the internet. Many of the systems, which run critical networks like hospitals and power plants, had little to no security.
The language here is disingenuous sir and simplistic while being overly melodramatic. While you make claims that there is credible intelligence, you share none of it with us to show that there is in fact a reality to your claims. The over-classification issue today is in fact quite out of hand but that is only one issue here. The second issue that you fail to address is the likelihood of an attack actually happening and being successful. It’s another case of “Trust us, we’re the government” and for myself and others like me in the security industry smacks of knee jerk reactions at best and at worst grabs for power over the security space. Do you even understand the intricacies here or are you just listening to those in government security who have failed to address their own issues with regard to computer security? Are you now in fact a security expert? If you are, then I can buy your confusion concerning those, like myself and others, who call your comments into question. Until you prove yourself as having any real in depth insight into this problem I will continue to call you on your credibility on this matter sir.
I would also like to take you to task over the comments above about the “nefarious” software you are lamenting about and the facts over internet addressable ICS/SCADA systems. While the names of the software may be foreign and scary to you, the names have nothing to do with their being scary sir. Perhaps it’s the function of them that should scare you and that is what you need to impart instead of taking artistic license with your diatribe. Both software packages are available on the interent and have have been for some time now. To date, there has been no massive attack on our infrastructure because of them nor have you cited in fact they have been used to do so. So, once again your hyperbole is wonderfully scary, but the facts once again escape you. While you mention that there are 10 thousand internet addressable ICS/SCADA systems online you fail to mention any information as to how many were in fact vulnerable to attack. Do you even know? This is an important statistic that you are failing to give the reader and it seems perhaps you have no clue as to the meaning of what you saying. As an old co-worker at IBM used to say to me “A fool with a tool is still a fool” and it’s quite true. Sir, you are a fool with a tool and you lack the understanding to even use the tool.
In closing Senator, let me just give you some constructive criticism. If you want to help us all and protect the infrastructure stop being Chicken Little and start being an advocate to understand the truth of the matter concerning computer security. Stop the jingoism and begin drafting plans to have studies performed on the whole of the infrastructure to understand just how vulnerable it is and what can be done to protect it. As far as I and others are aware of there has never been a proper threat assessment carried out on the whole entirety of the systems you are worried about. As Marcus Aurelius said “Of each particular thing, ask what is it in itself? What is its nature?” Lets first define the problem and then seek to fix it. By imposing laws willy nilly such as SOX, you may have the intent of protecting the systems but instead may be placing undue burdens on corporations as well as ineffectively attempting to secure the nations infrastructure.
Until such time as you and others like you really understand the problems and allow for further study, none of us will be any more secure than we are today. Even with your new and wonderful legislation in place were it to make it through a vote.
Scot A. Terban, CISSP