The Exposed Backbone: The Risk of Cyber Attack by LockedGate

Computers are the exposed backbone of America’s infrastructure. They are new technology with big holes, under attack from very skilled and motivated people who mean our country harm. Yet we trust them to provide almost every service our modern life requires.

I’ve spent the last 13 years as a computer security expert for a large telecom, and I would like to convince you that today your family’s ability to survive is dependent on fragile and over-trusted systems.
Preppers have historically had distrust for computing technology. Y2K was a real risk, but since it seemed to be overblown, a catastrophic computer-centric risk has fallen off the radar of many. A cyber attack should rank up there with many other potential Black Swan risks (solar flares, economic collapse, etc.).

Today, most everything the average American depends on to sustain life is run by some computer or another.  Some examples:
• Wal-mart or your local grocery store cannot provide just-in-time food delivery to its stores without complex computerized logistics systems.
• Your municipality cannot pipe water to your house or sewage from your house without computer-controlled pumps.
• Your bank cannot issue you paper money or process credit card transactions without computerized accounting systems.
• Your electrical and gas provider cannot provide power or heat to your house without computer-controlled generation and distribution systems.

It’s important to know that there are no manual backups to these systems.  In a race for efficiency, businesses have gotten rid of any real redundancy to the automation offered by computers.  85% of “critical infrastructure” is privately managed by businesses that have no economic incentive for manual backups to these automated functions.  Simply put, if they massively fail, society massively fails.
Today, these important computer systems are under attack.  I’d like to let you know what the view is from my front row seat. First, let’s start with a brief history of cyber risks in three short acts:
1. Cyber Fun: All early attacks on computing systems seemed to start with someone saying, “Gee, I wonder if I can do that?” Curiosity drove early floppy-net based viruses, internet-based malware like the Morris Worm, and even famous early hackers like Kevin Mitnick or Steve Wozniak. That’s not to say these hackers were right or these viruses didn’t cause harm. The Blaster virus may have knocked out the power grid in 2003, and the I Love You virus may have caused $5 Billion in global economic damage. That harm seemed to be accidental, though, not motivated by profit or malice.
2. Cyber Crime: Somewhere around 2000, we started to see widespread malicious software written for profit. It might be spyware that causes pop-ups, trojans that hijack your computer to send spam, or it could be more serious. Criminals organize these hijacked computers into massive groups called botnets that they can remote control to steal identities and empty bank accounts. There are serious criminals and organized gangs stealing billions every year this way. This is scary stuff, no doubt. However, you need to remember two things about attacks for profit: 1) The losses are generally covered by your bank or credit card company, and 2) hackers motivated by profit have every incentive for everything to stay up: if they crash your computer, your bank or the whole internet, they can’t make any money.
3. Cyber Attacks: Not to say that stealing is not malicious, but the for-profit hacker probably has nothing against you or your country personally. There is an emerging type of attack in the computer security world that is much more scary. Some call it cyber-warfare or cyber-terrorism, but I find those terms muddy the issue more than clarify it. Let’s just say they want to do bad things solely for the purpose of hurting you or your country.

We have clearly moved into an era where there is an increasing likelihood that this is a serious threat to our country’s security and your personal welfare.
We are now in the age of Cyber Attacks. Recently, we saw the Chinese breach RSA, then leverage what they gained to break into Lockheed Martin, L-3 Communications, and Northrop Grumman. These attackers used a personally targeted attack called an Advanced Persistent Threat (APT). Instead of casting a wide net to get as many computers as possible, they will write an attack to go after a select set of people at a certain company.
An APT is very hard to defend against because it can be malicious software no one has ever seen before, making Anti-Virus software largely useless. Today, most companies are largely powerless to stop an APT without radically changing how they do business.

Most of these attacks are not trying to take out infrastructure… yet. However, the massive botnets of computers that have been built for profit could easily be used for more malicious purposes, and an APT is an obvious vector of attack on critical infrastructure. It gets worse, though. In the same race for efficiency that got rid of manual backups, companies have gotten rid of the separate networks that kept critical infrastructure apart from the average employee checking his email. This puts the Programmable Logic Controllers (PLCs) and other systems built decades ago and never patched on the same network as machines connected directly to the internet. Even worse, researchers found 10,000 PLCs directly reachable from the Internet.

Stuxnet was the shot over the bow and a wake-up call for what to expect from this new era of attacks. There has been much reported about it (including here and on 60 Minutes), but here are the important details about Stuxnet:
1. It was light years more complex than malicious software we’ve ever seen before. It’s now “in the wild” for others to reverse engineer.
2. It was written by a nation-state targeting another nation-state.  It was probably written by US or Israeli intelligence, and was definitely meant to (and probably did) cause substantial harm to the Iranian nuclear program.
3. Its purpose was to destroy things in the physical world. It targeted PLCs, which control everything from power plants to pipelines to dams.
From my experience and what experts are saying, we are utterly unprepared for something like this to attack America.  If something like Stuxnet was targeted against the right systems in our country, the outcome could be catastrophic.
Some people are demonstrating what can be done: one security researcher was able to unlock prison doors remotely, another with no experience with PLCs was able to cause explosions after accessing one. There is good evidence to suggest the US critical infrastructure is already being targeted.   Targeted attacks against utility providers are on the rise, with at least some “nation-state actors that have unlimited funding available and conduct espionage as they establish a covert presence on a sensitive network.”

Let me be utterly clear about one thing: the reason that America’s critical infrastructure has not been knocked out is not because it is well protected, it’s because the proper mix of motivations and capabilities has not been realized yet. Similarly, in 1939, the reason the French had not been overrun by the Germans was not the Maginot Line, it was because the German Army wasn’t quite ready to do it.
The capabilities to mount a cyber attack are spreading exponentially. Many countries of the world are turning out very capable and very underpaid computer scientists. Motivations to hurt America don’t seem to be on the decline.

All of this leads me to agree with Brian Snow, Former NSA Technical Director, when he says he believes we are in a “Trust Bubble” (6:03 in the video) much like the Credit Derivative Bubble that recently burst in the financial markets.  This requires a little explanation.  For example, let’s think about the people and systems you trust every time you buy a book on Amazon:
• The company that designed and manufactured the parts of your computer and any computer with which you are communicating.
• The army of programmers that wrote the operating system and applications you use.
• The companies that manage the networks that all your communications traverse.
• The companies that issue certificates to encrypt your data and “sign” applications to be safe.

The problem is there is an amazing lack of analysis on the actual trustworthiness of any of these things. Just like we trusted Wall Street to understand the risks of CDO Swaps, we today trust computers we don’t understand, designed and run by people we know nothing about, to run our whole society. This blind trust is what Director Snow calls the Trust Bubble. He expects this bubble could burst in the next 18 months to 5 years.
Now, I don’t take a Skynet-like approach to this. The computers aren’t going to take over. I fear evil people will use computing technology to hurt other people on a mass scale.
So what do we do? While there are some good things you can do to protect your personal computers and privacy, there is nothing you can personally do to protect the systems that provide you phone service, generate your electricity, or deliver your water or sewer services.

Should a properly motivated and skilled attacker decide to take those out, I assure you that your bank or utility provider is not prepared to stop them, or perhaps more chillingly, recover from the attack.  How many spare generators do you imagine your power utility has on hand?  How long would it take to repair an exploded gasoline refinery?
Here are a few things the answer is not:
• Filter everything on the internet in the name of national security.  Iran did that.  It is guaranteed not to work, and guaranteed to reduce our personal liberty.
• Patch the holes. Patching is good, but nowhere near enough. It is always reactive to known holes and too slow (Microsoft recently patched a 17-year-old vulnerability), and many of the PLCs weren’t even built to be patchable.
• Put up more separations. Firewalls quickly turn leaky and even separating (air gapping) their computers from the Internet didn’t help the Iranians.
• Trust a government program to fix it.  Regardless of your political views, even the government agrees they are bad at this. Do you really want the TSA of Computer Security?
The only answer I know is personal resiliency. Resiliency for your family, which shouldn’t have to be reliant on poorly managed computers running poorly written software to drink clean water, flush a toilet, buy something, or stay warm. Don’t rely on your bank, utilities or government for your family’s survival.

What if you spent the next $20 or $200 or $2,000 you would normally spend on technology (computer, phone, car, power tool, etc) and instead invested it in things that can’t be taken away from you by a skilled hacker?
• Stored food
• The ability to heat your home while the grid is down
• Stored water and the ability to filter dirty water
• Guns and other tools to protect your family
• First Aid supplies

I’d like to close with a few words of spiritual reflection for my Christian brothers and sisters: I like technology. I’m a geek who believes all technology from the cotton gin, to cars, to iPhones to be a gift from God. However, I’ve learned a truth about God’s gifts, including technology: the better a gift from God is, the easier it is for it to become something we trust in more than God. I am reminded of the Psalmist when he talked about that great technology of his time, the chariot:
Some trust in chariots and some in horses, but we trust in the name of the LORD our God. (Psalm 20:7 ESV)
There is no technology that will save us — not a chariot or a computer.  Our hope is Jesus and following His wisdom and plan for us.