Read an Excerpt

Behold a Pale Farce

Cyberwar, Threat Inflation, & the Malware Industrial Complex

Trine Day LLC

A Backdrop of Metaphors

Today, we are in a stealthy cyber war in America. And we're losing.

— Congressman Mike Rogers

In November of 2011, a security researcher named Joe Weiss blogged about a report released by the Illinois Statewide Terrorism and Intelligence Centerearlier in the month. The report procured by Weiss, titled Public Water District Cyber Intrusion, claimed that a Russian hacker had succeeded in breaching aSCADA system at an unnamed water utility, destroying a water pump by turning the system on and off repeatedly.

SCADA is an acronym that stands for Supervisory Control and Data Acquisition. SCADA systems are specialized computer installations used to monitor and control equipment in an industrial setting (e.g. in a factory or power plant). A SCADA system typically consists of a central host computer, known as the Master Terminal Unit (MTU), which communicates over a network with a set of field data interface devices, the eyes and ears of the SCADA system (e.g. meters, valve position transmitters). There are a couple of SCADA sub-components that we'll see again. Specifically, SCADA systems use what are known as Remote Terminal Units(RTUs) to collect data from field data interface devices. SCADA systems also employ Programmable Logic Controllers (PLCs) to automate the operation of field data interface devices. SCADA systems are important because they're ubiquitous; the operation of our infrastructure depends upon them.

The attack described by Weiss was discovered when an outside repairman investigated the broken water pump. The repairman examined the SCADA system's log files and noticed a Russian IP address. He concluded that the system had been breached and routed his alert to the Environmental Protection Agency, which in turn contacted the Illinois Department of Homeland Security fusion center.

This DHS report didn't provide explicit details in its alert about the nature of the SCADA system that was attacked, or any forensic information (e.g. the system vendor, the attack vector, or the owner of the compromised installation). This did little to prevent Weiss from speculating that a successful attack could pose a threat to our nuclear arsenal. He told reporters:

If this is a [big software vendor], this could be so ugly, because a biggie would have not only systems in water utilities but a biggie could even be [used] in nukes. Everybody keeps asking how come you don't see attacks on SCADA systems? Well, here it is guys.

Homeland Security representatives inferred that the victim was located in Springfield, Illinois. It was later revealed that the water station in question belonged to the Curran Gardner Public Water District, just outside of Springfield.

Never Mind: False Alarm

Oddly, in a matter of days the DHS began to backtrack on its original announcement. DHS spokesman Peter Boogaard claimed that the DHS and FBI were still "gathering facts" and that:

At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.

Information provided by utility officials was even more conservative. DonCraven, a trustee of the water district, confirmed that:

The water district is up and running and things are fine. ... The water district has multiple wells, multiple pumps. There's no break in service, no lack of water. No concern of quality of water, safety of water. ... I drank the water this morning.

The alleged Russian hacker was actually an engineer named Jim Mimlitz who had been contacted on his cell phone for technical support. At the time of the alleged intrusion, he and his family were on vacation in Russia and so he logged in remotely to lend a hand. The destruction of the water pump was completely unrelated. As Mimlitz explains:

The system has a lot of logging capability. It logs everything. All of the logs showed that the pump failed for some electrical-mechanical reason. But it did not have anything to do with the SCADA system.

The result of this chain of events was a burst of press releases more inclined towards premature speculation rather than measured deliberation.

The Madness of Crowds

The previous story is a typical example of the kind of overblown rhetoric that has been embodied by a series of metaphors which have appeared in public debate over the past few years. We'll spend much of this chapter looking at a few of these metaphors. The associated hyperbole is dangerous because it strikes a raw nerve in the psychic lattice. With homage to Charles Mackay, it elicits the madness of crowds.

In the aftermath of 9/11, terror has taken center stage as the threat du jour. Consider the following statement by Barack Obama made during his 2008 Presidential campaign:

Every American depends — directly or indirectly — on our system of information networks. They are increasingly the backbone of our economy and our infrastructure; our national security and our personal well-being. But it's no secret that terrorists could use our computer networks to deal us a crippling blow.

At the end of his first term in office, President Obama ran with the cyber meme and described additional worst-case scenarios:

In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we've seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill.

Yet again, during his 2013 State of the Union Address, Obama told the country that doomsday is potentially lurking around the corner.

We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.

Humans aren't necessarily rational creatures and they tend to inflate spectacular risks that are rare. This is why people are often more scared of flying than they are of driving. When security wonks, or even the President, make intimations about cyber-terrorists fiddling with hardware in nuclear weapons it only exacerbates this pathology.

This is despite the fact that the State Department reported that in 2010 fewer than 20 U.S. citizens were killed in incidents of terror (as opposed to the 30,196 people who died in automobile accidents in 2010). In fact, in terms of raw probability, you're about as likely to be killed in an act of terrorism as you to be crushed by a heavy piece of furniture.

This is what makes all of this semantically loaded bombast so toxic: it discourages the formal process of objective risk assessment with speculative worst-case scenarios that serve only to fuel anxiety. And it's this sort of distortion that makes it difficult to effectively protect ourselves.

An Electronic Pearl Harbor

Let's rewind all the way back to the summer of 1991, a little more than a year after Microsoft released Windows 3.0, when a security industry personality named Winn Schwartau testified in front of a congressional subcommittee about the overall state of computer security. It was there, in the halls of Capitol Hill, that the Pearl Harbor cyberwar metaphor gained traction.

He stated that:

Government and commercial computer systems are so poorly protected today they can essentially be considered defenseless — an Electronic Pearl Harbor waiting to happen.

In May of 1997, this phrase popped up again when former U.S. Deputy Attorney General Jamie Gorelick was quoted as saying that if we weren't careful we'd have, "a cyber equivalent of Pearl Harbor at some point."

But not everyone accepted this metaphor. For example, in February of 2000, during a photo opportunity with members of the hi-tech industry, then President Bill Clinton ran into the Pearl Harbor metaphor when a nearby reporter asked about a series of high-profile denial of service attacks against Amazon and eBay.

Q: Would you entertain one last question, sir? We've always heard for the last four or five years that it was going to take an electronic Pearl Harbor — many of the people around this table I've interviewed over the last four or five years and they've agreed that's the kind of impact we would need for everybody to play together and work together. Is that what happened last week?

The President: Well, I hope not. (Laughter.) I think it was an alarm. I don't think it was Pearl Harbor. We lost our Pacific fleet at Pearl Harbor — I don't think the analogous loss was that great. But I think it —

Q : Was it of concern —

The President: Look, it's a source of concern, but I don't think we should leave here with this vast sense of insecurity. We ought to leave here with a sense of confidence that this is a challenge that was entirely predictable; it's part of the price of the success of the Internet; and we're all determined to work together to meet it.

All told, this is a remarkably coherent response, especially when compared to the prominent overstatements that you'll encounter in this chapter. While Clinton agreed that there was indeed a threat associated with denial of service attacks, he also acknowledged that the corresponding risk wasn't on the same scale as the Japanese bombing of Pearl Harbor.

A closer look at recorded denial of service attacks, like the 2007 incident in Estonia, affirms Clinton's stance. A Denial of Service (DoS) attack attempts to overwhelm hosts on the Internet by flooding them with client requests. They occur out in the wild when too many people visit the same web site simultaneously. A web server being subjected to an onslaught of web page requests sometimes can't keep up with the demand being placed on it and falters. It's like a waiter at a restaurant trying to service too many tables.

The worst thing that can happen as the result of a denial of service attack is that the targeted server will go down until the network engineers find a way to address the corresponding bandwidth problem, or the attack lets up. The damages incurred are almost always limited to lost revenue due to downtime, in addition to the cost of provisioning equipment and services to resume operation. In the pantheon of recorded cyber-attacks, denial of service incidents have resided on the low-impact side of the scale. None of them have involved the transfer, modification, or destruction of data.

Contrast the Estonia denial-of-service incident against the attack on Pearl Harbor which killed thousands of Americans, sunk four of our eight battleships, and irrevocably altered the course of world history. Anyone who equates a denial of service attack with Pearl Harbor is engaged in contemptible exaggeration that perverts the type of threat that a denial of service attack usually represents. Yet some people would point to denial of service attacks and liken them to out-and-out military assaults.

Looking back at the incident in Estonia, Wired columnist Kevin Poulsen observes:

We see, for example, that Estonia's computer emergency response team responded to the junk packets with technical aplomb and coolheaded professionalism, while Estonia's leadership ... well, didn't. Faced with DDoS [Distributed Denial of Service] and nationalistic, cross-border hacktivism — nuisances that have plagued the rest of the wired world for the better part of a decade — Estonia's leaders lost perspective.

Indeed, Estonia's decision makers took a stance that openly embraced hysteria. In an interview with the press, then speaker of the Estonian parliament, Ene Ergma, breathlessly exclaimed to a reporter:

When I look at a nuclear explosion and the explosion that happened in our country in May, I see the same thing ... Like nuclear radiation, cyberwar doesn't make you bleed, but it can destroy everything.

Bombast aside, temporary loss of service doesn't have to translate into a calamity, particularly when the service provider is prepared in advance. This isn't an unreasonable expectation, either. Continuity of business measures are standard fare in the enterprise, even if it's something as simple as pulling out a manual credit card imprinter when point-of-sale terminals go down.

It's also possible to take a denial-of-service attack and magnify the consequences to generate the desired visceral response. For example, in November of 2009, security software vendor McAfee released its 2009 Virtual Criminology Report which was entitled Virtually Here: The Age of Cyber Warfare. The cover of the report displays a stark black and white photo of a nuclear reactor off in the distance.

Given the absence of genuine cyber catastrophes, the report settles for dwelling on hypotheticals. As such, it extrapolates rather pedestrian Distributed Denial of Service (DDoS) attacks and uses these incidents to make conjectures about just how bad fully fledged cyberwar might be.

For example, Scott Borg, the director of the U.S. Cyber Consequences Unit (a think tank), stated that "People were provided with attack tools, targets and timing in the Georgia cyber campaign," referencing Russian defacement and denial of service attacks against official Georgian websites. These attacks accompanied more traditional warfare during the South Ossetia war. By itself, this allegation isn't really that disquieting, as DDoS attacks are commonplace. To elevate the reader's heart rate, Borg took these otherwise ordinary events and used them to hint at something much more menacing. Specifically, he warns that:

So far this technique has been used in denial-of-service and other similar attacks. In the future it will be used to organize people to commit more devastating attacks.

While the Pearl Harbor metaphor fell out of favor for a while, it was resuscitated by officials in DC to garner support for legislation or derive new sources of funding. During his confirmation hearing for Secretary of Defense in June of 2011, then CIA chief Leon Panetta advised members of the Senate Armed Services Committee that:

The next Pearl Harbor we confront could very well be a cyber-attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems.

Again, during an interview with 60 Minutes, he reiterated his doomsday vision:

The reality is that there is the cyber capability to basically bring down our power grid to create ... to paralyze our financial system in this country to virtually paralyze our country.

In this case, some context might help. Panetta's remarks on 60 Minutes were made in January of 2012 right, around the same time that President Obama was pushing his vision of a leaner military, which mandated some $487 billion in Defense Budget cuts spread over ten years. Per the Budget Control Act of 2011, the Pentagon also faced another $600 billion in cuts over the next ten years if Congress isn't able to sufficiently reduce federal spending.

A Cyber-Katrina

Of course, many other cyberwar metaphors are also in circulation. On April 1st of 2009, Senators Jay Rockefeller (D-W. Va.) and Olympia Snowe (R-ME) introduced the Cybersecurity Act of 2009. During their announcement of the bill, Rockefeller stated that:

We must protect our critical infrastructure at all costs — from our water to our electricity, to banking, traffic lights and electronic health records. ... As a member of the Senate Intelligence Committee, I know the threats we face. Our enemies are real, they are sophisticated, they are determined and they will not rest.

Senator Snowe further cautioned that:

Our failure to implement effective policies and procedures to protect critical infrastructure, prevent invasive intrusion and conduct an aggressive threat assessment has proven extremely consequential, putting the American information system at grave risk. It is abundantly clear we must unite on all fronts to confront this monumental challenge, if we fail to take swift action, we, regrettably, risk a cyber-Katrina.

It turns out that Senator Snowe wasn't being original when referring to a cyber-Katrina. If you peruse the initial working draft of the proposed legislation, you'll spot the following endorsement on the fourth page:

(6) Paul Kurtz, a Partner and chief operating officer of Good Harbor Consulting as well as a senior advisor to the Obama Transition Team for cybersecurity, recently stated that the United States is unprepared to respond to a "cyber-Katrina" and that "a massive cyber disruption could have a cascading, long-term impact without adequate co-ordination between government and the private sector."

Paul Kurtz is one of many recurring characters in the cyberwar milieu. At the tail end of the 1990s, he was the director for counterterrorism in the National Security Council's Office of Transnational Threats. In 2003, he was tapped to serve as the senior director for critical infrastructure protection on the White House's Homeland Security Council. During the Clinton and G.W. Bush administrations he was a member of the National Security Council. That was this guy's bread and butter: infrastructure protection.

---

Excerpted from Behold a Pale Farce by Bill Blunden, Violet Cheung. Copyright © 2014 Bill Blunden, Violet Cheung. Excerpted by permission of Trine Day LLC.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.

---