Letter: Article overstates vulnerabilities
Regarding “Critical infrastructure central to cyber threat
”: With all due respect to Ben Bain, I categorically disagree with much of what is being said in his article. Rather than information systems becoming more vulnerable and more easily targeted, the opposite is happening. Some examples:
- A significant part of classified military and law enforcement communications that once ran on the Internet is now in many cases handled on a secure infrastructure that is air-gapped from the public Internet. Access is far more carefully controlled.
- Distributed attacks (e.g., distributed denial-of-service attacks) are far less effective than even five years ago. The reasons for this are many, including increased infrastructure, bandwidth and redundancy on the one hand, and far greater sophistication in detection, forensics and countermeasures on the other.
- Process control systems (supervisory control and data acquisition systems that control energy plants, water and sewer, etc.) have been in place since the 1960s and have had time to carefully evolve. In these cases, remote control is just not handled over the Internet — there’s no reason to do so and plenty of reasons not to. Most of the myriad safeguards are there not to prevent security breaches but more often to avoid simple human error, and after almost 50 years, they’ve had time to mature.
- Hospitals in particular (a good example from the article) employ redundant manual procedures in order to prevent problems. For instance, in the delivery of medication to hospitalized patients, there is never a fully automated procedure, nor will there ever be — the manual steps are there as a fail-safe. They, too, were developed to avoid human error, but they work just as well against info attacks. And this process, too, has developed over time — in this case, hundreds of years.
For the same reason your car doesn’t have a self-destruct button, there is, in the vast majority of cases, no instant kill area where attacks are likely to have serious effect. Moreover, the nature and original design strategy of the Internet (peer-to-peer, intended to avoid a lethal nuclear attack taking out the whole Net) has worked amazingly well, again over time. The very things that limit security are those that preserve operability.
I think it bears noting here that things like electricity-generating stations do not have control features that are remotely accessible over an insecure infrastructure. There is no Internet connection, there is no dial-up line, there is no radio frequency channel. They are, in every case I’ve been privy to, completely air-gapped from personnel not on site, which brings us back again to physical security measures. When one thinks about it, this makes very basic sense: There is no reason to create a method that allows nuclear-generating station workers to work off-site, for instance.
Please don’t misunderstand — there are indeed security flaws that can be attacked over the Internet. But I am not aware of one that could be conducted on the strategic level. Anyone notice that last decade’s near-continuous malware attacks have nearly ceased?
The two most common attack modalities that Bain didn’t really go into are physical (site) attacks and disinformation. Physical attacks are the easiest to implement and typically the least costly, and they can be far less complex. It bears noting that the terrorists in the 2001 attacks all obtained their identification either completely legally as residents or by bribery. No one tried to hack anything. And physical attacks have a history — and countermeasures — that go back as long as mankind’s recorded history.
As to dissemination of false information, this is clearly a more easily exploitable attack vector, although the results are a bit murky. People still tend to accept what they read on the Internet as fact (although this, too, is becoming less and less the case). Could this be used to cause damage? I think so, but not on an instantly catastrophic level.
Barring these two attack modalities, however, I cannot identify the strategic-level attacks Bain hints at, and I feel he overstates the vulnerability of various important targets.C.J. BurkeMarion, Ill.
What do you think? Paste a comment in the box below (registration required), or send your comment to firstname.lastname@example.org
(subject line: Blog comment) and we'll post it.