The Threat Is Real and Must Be Stopped: Clarifications And Rebuttal by an INFOSEC Professional FINAL DRAFT
As the New York Times deigned not to respond to my opinion piece I am posting the final draft here and linking to it from the NYT comment section of the opinion piece by Sen Lieberman.
On October 17th, the New York Times “Room for Debate” section ran a piece by Senator Joe Lieberman with the title “The Threat Is Real and Must Be Stopped” in which Lieberman argued the dire need for passage of his cyber security legislation . In this commentary, Sen. Lieberman makes assertions about the national security issues surrounding the existential threats to the nation stemming from computer hacking and how “easy” it is. While I can agree with some of his commentary – such as the need to ensure the security of the nation’s critical infrastructure – I disagree greatly on his assessment of the gravity of the situation. Why? Because I have actually been working in the computer and information security industries since the late 90s and have firsthand experience with the systems and networks that he’s going on about. There are far too many unknowns at this time to be making such prognostications as “there will be a cyber 9/11” unless we pass his bill.
Even within the information security community, there is disagreement on the issue of just how hard or easy it would be to pull off a credible, existential threat type of attack on our critical infrastructure. The complexities of the systems involved, as well as their connectivity, have never really been fully investigated. They should be thoroughly assessed before we start to worry about legislation to mandate “check box security” to protect it. To Senator Lieberman: the problems, sir, are far too complex for any bill such as Sarbanes-Oxley or yours to tackle. In fact, past experience has shown that regulations such as SOX and HIPAA are by themselves essentially useless in actually protecting networks, systems, and data. The best of intentions often still yield poor results when one fails to understand the problems and threats at hand. I would suggest that the Senate undertake an investigation of every critical infrastructure network before they begin to mandate how they should be secured as due diligence. Without really understanding the problems, you will be just adding useless oversight to private corporations to whom security spending is already anathema.
But so far, Senator Lieberman, I have only seen gross generalities out of you and your peers in government about how dire things are and how scared we all should be. Especially to those of us in the security community, your hue and cry ultimately lacks any hard evidence that the issue is so real and your warning so prescient that action must be taken post haste. Nor do you seem to understand the technical, legal and political issues at hand well enough to draft legislation that would be helpful to those of us who secure the nation’s infrastructure. As best I can tell, you want to have blanket rules mandating that companies protect their assets – but at what cost? Under whose control and oversight? Would you suggest that the federal government take charge of penetration testing and auditing of those companies with critical infrastructure assets? If so, let me direct you to an aphorism you may have heard: “Physician, heal thyself.” My peers and I would love to see government entities take their own networks to task before regulating private companies’ security standards and oversight. Currently many government networks in the U.S. and abroad are a security shambles and can be attacked very easily, while private companies are often much more difficult to attack. This is businesses tend to take information security much more seriously than the .gov space does. So sir, please clean your own house before you demand the right to send officials to check on mine
Senator, in the end I frankly believe your heart is in the right place. Others may see your machinations as more of an attempt to keep yourself relevant in the Senate and the news cycles. Either way, your actions such as the opinion piece in the N.Y. Times only serves to whip up FUD (Fear, Uncertainty, and Doubt) within the general populace by using scary language and innuendo about how the scary hackers out there are going to turn off their lights and water. An example of this is the following quote from your piece:
National security experts from Republican and Democratic administrations — privy to our best intelligence and analysis — all agree this threat is real. So, I am mystified by claims that it is not. Free, downloadable hacking tools, like the nefariously named Metasploit and Shodan, are becoming more powerful and easier to use every year. A researcher who used one of those tools found over 10,000 industrial control systems connected directly to the internet. Many of the systems, which run critical networks like hospitals and power plants, had little to no security.
The language here is disingenuous, simplistic, and grossly melodramatic. While you claim that there is credible intelligence to support these threats, you cite none. (The over-classification issue today is in fact quite out of hand, but that is for another article.) The second issue you fail to address is the likelihood of an attack actually happening and being successful. It’s another case of “Trust us, we’re the government,” and for myself and my peers in the security industry, it smacks of knee-jerk reactions at best and power-grabbing at worst. Do you begin to understand the intricacies of the issue here, or are you working with received ideas from government security “experts” who have failed to secure their own assets? Are you now yourself a security expert? If so, then I understand your confusion as to some of us call your comments into question. But until you demonstrate any insight whatsoever into this problem, I will continue to call you on your credibility on this matter.
I would also like to take you to task over the comments above about the “nefarious” software you lament, and share some facts about Internet addressable ICS/SCADA systems. While the names of the software may be foreign and scary to you, their “scariness” has nothing to do with their branding. Perhaps it’s their function that should scare you, and that is what you need to impart instead of taking artistic license with your diatribe. Both software packages are freely available on the Internet and have been for years now. To date, there has been no massive attack on our infrastructure because of them or any other software, nor have you cited so much as an attempt to do so. So again, your hyperbole is wonderfully scary, but the facts continue to escape you. While you mention that there are 10,000 Internet addressable ICS/SCADA systems online, you fail to mention any information as to how many are in fact vulnerable to attack. Do you even know? This is an important statistic you fail to give the reader, and it seems perhaps you have no clue as to its significance. As an old co-worker at IBM used to say to me, “A fool with a tool is still a fool” and it’s quite true. Sir, you are a fool with a tool and you lack the understanding to even use the tool.
In closing, Senator, let me give you some constructive criticism. If you want to help us all and protect our infrastructure, stop being Chicken Little and start being an advocate for the truth of the matters concerning computer security. Stop the jingoism and begin drafting plans to have studies performed on the whole of the infrastructure to understand just how vulnerable it is and what can be done to protect it. As far as I’m aware, there has never been a proper threat assessment carried out on the entirety of the systems you are worried about. As Marcus Aurelius said, “Of each particular thing, ask what is it in itself? What is its nature?” Let’s first define the problem and then seek to fix it. By imposing laws such as SOX willy-nilly, you may intend to protect the systems; instead, you may be placing undue burdens on corporations, as well as ineffectively attempting to secure the nation’s infrastructure.
Until such time as you and your ilk really understand the problems and allow for further study, none of us will be any more secure than we are today – even with your new and wonderful legislation in place, in the unlikely event it ever makes it through a vote.
Scot A. Terban CISSP