When cyber gets physical: why we need the NSA
Cybersecurity is so important that Clinton and Trump were asked about it in last night’s debate
Tech-savvy Americans often complain about our intelligence agencies. Privacy is an exotic discussion topic, and it seems somehow liberating to oppose our government behemoths.
In fact, in academic settings it is perfectly acceptable to bemoan the NSA. You can even run your own Tor node and not worry about backlash. (Tor is an anonymization network that can be used to hide activity on the internet, whether it is related to political dissidence---or organized crime.)
Certainly, this opposition has real foundations. On the other hand, what the NSA, CIA, and FBI do is very, very important. American national security depends on cyber expertise. And I would argue that if we don’t have it, we will get burned very badly and very quickly.
Why? Because cybersecurity is no longer a thing of zeros and ones, bytes and email accounts. Hacked databases are not the most dangerous threat. Instead the danger is the imminent threat of cyber attacks---as they say---“going kinetic.” That's military jargon which means “having physical effect.”
These are attacks on what researchers call “cyber-physical systems:” power plants, the traffic grid, irrigation systems, etc. It is not hard to imagine really bad cyber-physical systems attacks, and some have already happened. In particular, here are five relatively little-known cyber-physical systems attacks.
1. Russia-Estonia: 2007
Russia's cyberattacks against Estonia had a romantic beginning for something so technical. In April 2007 the Estonian government relocated a bronze statue of fallen Soviet World War II soldiers. Russia saw this as an insult, and responded in a flurry of devastating cyberattacks.
Estonia's defense minister told Wired Magazine: "The attacks were aimed at the essential electronic infrastructure... All major commercial banks, telcos, media outlets, and name servers---the phone books of the Internet---felt the impact, and this affected the majority of the Estonian population. This was the first time that a botnet threatened the national security of an entire nation."
It is true that the Estonia hacks weren't really on physical systems, but their impact was surely felt in tangible ways for "the majority of the Estonian population." Could you do your work without banks, telcos, and the Internet? Countries need technical experts to protect this critical infrastructure.
2. Russia-Georgia: 2008
The Russo-Georgian War featured a traditional invasion with hundreds of deaths and maybe hundreds of thousands of refugees. But it also featured heavy cyber bombardment. And one of the most interesting cyberattacks fell upon a real cyber-physical system.
The target was a pipeline in Turkey which also runs through Georgia, circumventing Russia. The pipeline exploded spectacularly several days before the beginning of the Russo-Georgian War.
It’s still not clear what happened. One possibility is that it was caused by a bomb. But sensors designed to keep the pipeline safe might also have been deactivated by malware. A Bloomberg article says that investigators found hackers had tapped into a security camera, navigated through a network into a Windows computer running control software for the pipeline, and then damaged the sensors. Then they were able to increase pressure in the pipeline without alerting anyone. If attackers physically came to the site and triggered the explosion, they went almost completely undetected because the hackers had disabled video monitoring systems.
The pipeline explosion shows that cyber attacks can have real physical consequences. It blurs the line between traditional warfare and cyber warfare, and makes it obvious that any national defense organization needs cyber experts.
3. US-Iran: 2009-2010
Of course the US is also engaged in offensive cyber warfare. Perhaps the most famous cyber-physical systems attack ever appears to have come from a US-Israeli partnership, and it was called “Stuxnet.”
Stuxnet was designed to disrupt the Iranian nuclear program. It targeted five plants in Iran, especially concentrating on uranium refinement. The virus was initially uploaded to computers using simple removable storage drives. Then it spread throughout the network of computers to search for the correct systems. It did as little harm as possible until it reached the process control network and the centrifuge control systems.
Then Stuxnet altered control commands in programmable logic controllers in order to damage the centrifuges slowly and almost unnoticeably. Stuxnet also generated fake feedback signals from the centrifuges in order to make it seem as though everything was running according to plan.
Iran acknowledged the attack, and some researchers suggest that it set back the country’s nuclear program by multiple years.
4. China-US: Ongoing
This one makes Star Wars seem almost tame. According to research by Digijacks CEO Alan Silberberg, the next big target of cyberattacks may be satellites.
In 2013-2014, satellites used in the US for weather forecasting, as well as satellites operated by the National Oceanographic and Atmospheric Administration, were hacked, apparently by the Chinese. Then in 2016 the Australian Bureau of Meteorology was breached. The damage so far seems limited---maybe just a capability test. But Silberberg says that satellites ranging from commercial to military uses were built with hardly any view to security, and could be damaged more significantly or used for espionage.
5. Iran-US: 2013
For New Yorkers, this one is close to home. For roughly three weeks, an Iranian hacker named Hamid Faroozi allegedly had control of systems at a water dam in Rye, less than twenty miles north of Manhattan.
The US Justice Department said that Faroozi had penetrated the system thoroughly enough to gain access to the sluice gate, which controls the flow of water. Fortunately the gate was under repair at the time, so that Faroozi could not actually change its operation. Whether Faroozi meant to actually cause damage or merely to test the idea of hacking a water dam, the hack reminded authorities of the potential for cyber-physical systems attacks. Researchers say that many power plants have outdated systems which have similar vulnerabilities.
Defense is a real responsibility
So cyberattacks have the potential to cause real, physical damage. And this damage affects real physical people. At the national level, the US and other countries have mandates to protect their citizens.
The mission that the NSA, the FBI, and the CIA carry out is critical. It would be only too comfortable to sit back and ridicule the intelligence agencies without considering their real responsibilities.
Does this mean that there should be no limits on what we do to protect American assets? That there is no need for accountability, and that intelligence agencies are justified in deceiving the public? We haven’t even discussed the question of whether these agencies should develop offensive capabilities, which of course they do. Does this mean that anything goes?
On the contrary, it is becoming critical to think about the definition of a cyberwar, the ethics of cyberattacks, and the boundary between national and commercial interests and actors. Some definitions are probably out there. But I doubt they are deeply considered. Cyber ethics requires professionals who can navigate legal, ethical, and political questions. This will certainly be a challenge that accompanies the technical ones.
The takeaway from these attacks is not a utilitarian justification designed to allow national security agencies to deceive citizens or operate without bounds. But it is a claim that there is a definite responsibility for a nation to protect its infrastructure and ultimately its people. Otherwise, we will get burned.
At the national level, the US has a mandate to protect its citizens. At the individual level, it is easy to discern a call for ethical and competent cyber experts.
Jeffrey Pawlick is a PhD Candidate in Electrical Engineering at the Tandon School of Engineering, New York University.
In last night’s debate presidential hopefuls Hillary Clinton and Donald Trump were asked only one narrow and specific question by moderator Lester Holt: “Our institutions are under cyber attack, and our secrets are being stolen. So my question is, who's behind it? And how do we fight it?”
Neither candidate was prepared for this curve ball, so it became a test of rhetorical improvisation. Clinton’s answer was relatively structured and was expressed in crisp sentences. First, she demonstrated that she did know something by listing two types of cyber-warriors, private and state. Second, of the latter, the main villain is Russia. And, third, Donald Trump is a friend of Russian president Vladimir Putin, and is therefore unfit to be commander-in-chief etc.
Trump’s initial response was braggadocious and irrelevant: that 200 admirals and generals had just endorsed him instead of the political hacks who have led this country for ten years, etc. Then, remembering the question, he mentioned hackers from Russia and China and ISIS (Clinton missed those) and then his computer-savvy 10-year-old son and finally another suspect, “somebody sitting on their bed that weighs 400 pounds”. And, therefore, “Look at the mess that we're in.”
So, in a sense, the theme and style of those five short minutes exemplified the whole debate -- and perhaps the whole campaign -- I’ve got a plan versus we’ve got a disaster.
All this is by way of introducing today’s lead article by Jeff Pawlick, a computer scientist at New York University. He answers Lester Holt’s question to a T. It’s a must-read.
Michael Cook
Editor
MERCATORNET