
Delta between worst-case and realistic cyberattacks narrow


It is my wont to revisit projections and forecasts, mine and others', to look for accuracy in both substance and timing: are the assumptions still accurate and, if not, why not; what new players and tools have entered the market; and what has shifted. The assumptions and the development process are more interesting than the answer, as too many people treat a situation in time as something fixed instead of seeing it as a still frame in a motion picture (where the trick is to predict the next scene).

One such item is an August 2002 article, What are the real risks of cyberterrorism?, that looked at "possible--though still improbable--worst-case cyberattacks, followed by more realistic threats." In two years, the delta between the worst-case and the realistic threats has narrowed.

While it is generally true that cyberattacks "come in two forms: one against data, the other on control systems," I would make the distinction that there are three categories: data, analysis of data, and control. Data is often of modest value, especially when data volumes are large and/or frequently changing, and time is short. Actionable information comes from the speedy analysis of data. Poor design, design driven by cost cutting, and design taking immediate advantage of newer technologies without thinking of security intrusion have conspired to create conditions in which data, analysis and control increasingly merge.

The article said that data attacks are "attempts to steal or corrupt data and deny services" while "control-system attacks attempt to disable or take power over operations used to maintain physical infrastructure," and that among the latter, SCADA systems (supervisory control and data acquisition) and their core RTUs (Remote Telemetry (or Terminal) Units) are key. At the time, Richard Clarke among others said that any "damage resulting from electronic intrusion would be measured in loss of data, not life."

I submit that increasing systems interconnectivity and interdependence is narrowing the gap between loss of data and loss of life. Pursuing the analysis of data, as opposed to the raw data, gives perps insight that lets them attack a target directly or understand the means to attack its control systems. If the default shutdown conditions of a control system are poorly designed, interrupting the control system is tantamount to overtaking the system (witness the failure fault paths of older nuclear reactors in the interaction of their physical design and their control systems). If the perps can spot an asymmetrical weakness, they will take that path of least resistance, least cost, and least exposure.
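The "default shutdown conditions" point above is a design decision that can be shown in a few lines. The following is an added illustration, not code from this post or from any real SCADA product: a constructed, simplified RTU control loop with a watchdog on its supervisory link, run under two policies. Under HOLD_LAST, losing the link (from a fault or a denial of service) simply freezes the process at whatever setpoint arrived last, so an interruption and a takeover produce the same outcome; under FAIL_SAFE, the same interruption drives the output to a known safe state and raises a link-lost event that an operator or monitoring system can act on. All names, timings and the scenario are assumptions made for the example.

```python
"""Constructed simulation of an RTU's behaviour when its supervisory link is lost.

Not the blog's code and not modelled on any specific vendor's RTU firmware.
"""
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    HOLD_LAST = "hold last command"  # poor design: link loss leaves the last command standing
    FAIL_SAFE = "go to safe state"   # better design: link loss forces a known safe state


@dataclass
class Rtu:
    policy: Policy
    watchdog_s: float = 5.0       # seconds of silence tolerated before declaring link loss
    safe_output: float = 0.0      # the safe state, e.g. valve closed / breaker open (assumed)
    output: float = 0.0           # current actuator output, 0..100 percent (assumed units)
    last_msg_t: float = 0.0       # time of the last message from the supervisory system
    link_lost: bool = False
    log: list = field(default_factory=list)   # event log an operator or SIEM could consume

    def on_command(self, t: float, setpoint: float) -> None:
        """A supervisory command arrived at time t; apply it and reset the watchdog."""
        self.last_msg_t = t
        self.link_lost = False
        self.output = setpoint
        self.log.append((t, "cmd", setpoint))

    def tick(self, t: float) -> float:
        """Periodic firmware tick at time t (seconds); returns the actuator output."""
        if not self.link_lost and t - self.last_msg_t > self.watchdog_s:
            self.link_lost = True
            if self.policy is Policy.FAIL_SAFE:
                self.output = self.safe_output
            # Either way the event is logged; only FAIL_SAFE also changes the output.
            self.log.append((t, "link-lost", self.output))
        return self.output


def simulate(policy: Policy, events: dict, horizon: float = 30.0, step: float = 1.0):
    """Run the RTU over [0, horizon]; events maps time -> setpoint. Returns (rtu, trace)."""
    rtu = Rtu(policy)
    trace = []
    t = 0.0
    while t <= horizon:
        if t in events:
            rtu.on_command(t, events[t])
        trace.append((t, rtu.tick(t)))
        t += step
    return rtu, trace


# Constructed scenario: the operator commands 80 percent at t=0 and t=2, after which the
# supervisory link goes silent for the rest of the run (fault, outage or denial of service).
SCENARIO = {0.0: 80.0, 2.0: 80.0}


def final_output(policy: Policy) -> float:
    """Actuator output at the end of the scenario under the given policy."""
    _, trace = simulate(policy, SCENARIO)
    return trace[-1][1]


def link_lost_time(policy: Policy):
    """Time at which the watchdog declared the link lost, or None if it never did."""
    rtu, _ = simulate(policy, SCENARIO)
    for t, kind, _value in rtu.log:
        if kind == "link-lost":
            return t
    return None


if __name__ == "__main__":
    for policy in Policy:
        print(f"{policy.value:>20}: final output {final_output(policy):5.1f}, "
              f"link lost at t={link_lost_time(policy)}")
```

The two runs differ only in the policy: with HOLD_LAST the process sits at 80 percent unsupervised for as long as the link stays down, which is the condition the post describes, while with FAIL_SAFE the watchdog drives it to the safe output at t=8, the first tick more than five seconds after the last message. The link-lost log entry is the detection hook; the safe output is the mitigation, and the watchdog interval is the design parameter that sets how long an interruption goes unanswered.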

It was cold comfort then, and is far more discomfiting now, that the July 2002 Digital Pearl Harbor exercise could conclude that "communications in a heavily populated area" would be disrupted but "would not result in deaths or other catastrophic consequences." In a misplaced presumption of safety, it noted that the attack team "needed $200 million, high-level intelligence and five years of preparation time." If not al Qaeda, that certainly puts at least five nations and the odd drug lord as immediate contenders.

I often speak of the glide slope to the desktop of any technology, i.e., that over time all technologies become small enough and cheap enough to fit on a desktop. I would like to see the Naval War College and Gartner rerun that attack, as I wager that the cost, time, and needed sensitive information would be significantly less. Recent variants of the Sasser worm are believed to have shut down some systems, and Sasser was designed and launched by a group of German youths. No $200 million here.

Why should we be surprised? A group of teenage hackers calling themselves the Legion of Doom took control of the BellSouth infrastructure in 1989. "During the attack, the hackers could have tapped phone lines and even shut down the 911 system."

When we see as yet unidentified perps gain control of part of the TeraGrid and nearly gain an ability to launch an enormous DDoS attack, the improbable becomes increasingly likely.

While I still agree that the greatest net threat from al Qaeda remains its C3 ability, I am less comfortable with an earlier comment attributed to Richard Clarke that "Osama bin Laden is not going to come for you on the Internet." At a minimum, the net can be used in a hybrid attack in which the cyber side disrupts the ability of the defender to anticipate, identify, or respond to a physical attack.

What are the real risks of cyberterrorism?
By Robert Lemos
Special to ZDNet
August 26, 2002, 6:23 AM PT

Gordon Housworth

Cybersecurity Public  InfoT Public  Infrastructure Defense Public  

