US Cybersecurity Hypothetically Pathetic
An operation dubbed "Cyber ShockWave" has spanked the U.S.'s cyberdefenses -- hypothetically. Under the scenario organizers dreamed up, virus-infected smartphones spread malware to their owners' PCs. From there, the attackers DDoSed telecommunications networks into submission, brought down electrical grids and bombed a gas pipeline. The verdict: America's cyberdefenses are wanting.
Feb 17, 2010 12:09 PM PT
Earlier this week, Cyber ShockWave, a simulated cyberattack on America, once again showed that the U.S.'s cybersecurity is not up to the task of protecting the country's infrastructure.
Under the hypothetical scenario cooked up by Cyber ShockWave's planners, the attack was launched through smartphones, which are becoming increasingly plausible as a potential threat.
Cyber ShockWave simulated a devastating cyberattack on the U.S. Thursday that shut down telecom networks, electrical grids and gas lines -- all within the participants' imaginations, of course. It all began with a virus infecting smartphones. The virus was then transmitted to users' PCs when they synced their computers with their smartphones. It took down wireless and wired networks through a distributed denial of service attack, sending large video files out until they flooded the networks.
Meanwhile, the Eastern U.S. saw its electrical grid go down as a heat wave struck, and pipe bombs forced the shutdown of a major gas pipeline. Large parts of the Northeast and several major cities in the Midwest were hit by blackouts.
Participants debated whether or not the President should order the shutdown of wireless and landline carriers' networks to stop the virus, and whether or not he had the right to do so. They also discussed calling up the National Guard and military to protect physical infrastructure and for crowd control.
The participants included former Secretary of Homeland Security Michael Chertoff, former Director of National Intelligence John Negroponte and former Director of Central Intelligence John McLaughlin.
Their general consensus: The U.S. is woefully unprepared to deal with a cybercrisis.
About the Attacks
"We wanted to focus on three important aspects of cybersecurity -- infection of computing devices; the convergence of multiple computing functions onto single devices such as smartphones giving spyware and malware the potential to have an ever-greater impact on our lives; and the increased networking of devices and access to the Internet multiplying the effect of the infection of any single smartphone," Blaise Misztal, senior policy analyst at the Bipartisan Policy Center (BPC), told TechNewsWorld.
The use of smartphones as a vector of attack reflects real life. "You have so many people walking around with smartphones now that it's a good way to get people thinking about the vulnerability of critical infrastructure," Cris Paden, a spokesperson for Cyber ShockWave cosponsor Symantec, told TechNewsWorld.
"This scenario is a how-to for bringing the U.S. to its knees," said Rob Enderle, principal analyst at the Enderle Group. "The reality is worse than the test identified because network traffic isn't properly monitored at the moment. Anything that uses a common network, from smart traffic lights to newer power distribution systems, would cease to function properly or fail outright," he told TechNewsWorld.
"You don't have to send out large video files; you can just send thousands and thousands of tiny packets," Randy Abrams, director of technical education at ESET, pointed out. "And with apps like Google Buzz, which by default broadcasts users' locations to everyone, you just send out notices to people giving them misinformation about an attack or where it's occurring and spread panic and confusion."
Pulling in Every Direction
By the end of the Cyber ShockWave simulation, air traffic, the stock market and most financial and commercial transactions had ground to a halt, BPC's Misztal said.
There's no doubt that our cybersecurity infrastructure is inadequate. U.S. Director of National Intelligence Dennis Blair recently told Congress that the public and private sectors need to cooperate to protect the nation's cyberinfrastructure and that the country is highly vulnerable to attacks. Other security experts have warned about this weakness.
Such weaknesses add another level of uncertainty to other political decisions. For instance, the Obama administration has made it a goal to build out the nation's cyberinfrastructure and bring faster Web access to more people. Meanwhile, the FCC wants 100 Mbps broadband access for every household within 10 years, and the private sector is pushing for faster Web access as well. Google recently announced it will offer 1 Gbps access to select communities. [*Correction - Feb. 17, 2010]
Faster connections in more places sounds nice, but could such a build-out exacerbate the problem should an attack occur? Shouldn't the U.S. ensure its cybersecurity infrastructure is adequate before jacking up access rates?
Taking a Multi-Pronged Approach
Taking a linear approach, by ensuring security is solid first, won't work, Symantec's Paden said. "You don't have any choice but to operate on concurrent tracks," he explained. "There's an economic and educational need to roll out broadband to keep America competitive in a global, wired, Internet age."
The two have to go hand in hand. "There needs to be greater balance between new technology and mitigating the risks that come with it than exists today," Enderle said.
The BPC will present a version of Cyber ShockWave to Congress to kick off a bipartisan discussion on what sort of authority and policies can be created before a real cyberthreat strikes America.
*ECT News Network editor's note - Feb. 17, 2010: The original publication of this story stated that Google recently announced it will offer 100 Mbps access to select communities. Google's plans actually call for rolling out 1 Gbps connection speeds to select communities.