
Giz Explains: Must you Worry About Cyber Attacks? [Video]

The first step: take out the entire transportation. Step two: the financial base and telecoms. Step three: You dispose of all of the utilities. Gas, water, electric, nuclear. That’s why they call it a fire sale, because everything must go.

That’s Justin Long, lecturing an audience that includes Bruce Willis about the grand scale of a cyber attack threatening the United States. In the fictional universe of Live Free and Die Hard, and most other movies that deal with cybersecurity, a skilled hacker can bring national infrastructures to their knees with a minute or two of harried typing. Maybe from his parents’ basement. Definitely on a black-and-green-screened computer that beeps whenever a key’s pressed. In other words? Not real. Not at all.

Let’s try that again: The continued cyber attack brings down SecureTrade, a computer-based electricity trading platform for the Eastern Interconnection. Coupled with several other factors already stressing the power grid, this causes blackouts across the East Coast, sparks public panic, shuts down financial markets, and complicates ongoing recovery efforts. Advisers ultimately decide that the President may have to use his Article II Constitutional powers to nationalize utilities and call out the National Guard.

Sounds like a movie, right? Well, it was. Sort of. That scenario was lifted from a report by the Bipartisan Policy Center, a think tank that ran a simulation of two large-scale, plausible cyber attacks, called Cyber Shockwave. On TV. Seriously:

[Video]

Notice the all-star cast: Former Secretary of Homeland Security Michael Chertoff as National Security Advisor; former Director of National Intelligence John Negroponte as Secretary of State; Clinton White House Press Secretary Joe Lockhart as Counselor to the President. There were two goals for this bizarre exercise: to gauge how well America is prepared for a cyber attack (not very!), and, less explicitly, to show the American public what on earth a cyber attack is. One of the many reasons the televised event felt strange is that, on the whole, the idea of a “cyber attack” is completely, meaninglessly abstract to a lot of people.

So, should we be worried? Should you be worried? Yes and no. Cyber attacks haven’t been, and surely won’t be, as spectacular or explosive as they are in the movies. But they still matter.

Nightmare Scenario One: Wargames

A government employee inserts a flash drive into his office computer. This stick happens to be infected with malware, which will transmit data from these classified desktops to locations outside of the secure network. The worm spreads, funneling valuable operational data to enemy regimes, who use it to zero in on sensitive locations, weapons stores and significant infrastructure, which they then systematically destroy.

This basically happened! Except for the part where the information got used by anyone. Deputy Defense Secretary William Lynn wrote a few months back in Foreign Affairs about the “most vital breach of U.S. military computers ever,” which was caused by an infected USB drive used on a military base. Cleanup took over a year, and the source of the attack was never disclosed. Perhaps the info was collected by a foreign government, or maybe not. Either way, it was a near miss.

And just last week, malware wormed its way dangerously close to the heart of another country’s military-industrial complex. The Iranian government finally confirmed, after much speculation, that “several” uranium enrichment centrifuges were damaged by malicious software installed “in electronic equipment.” What they’re opaquely alluding to is almost certainly the Stuxnet worm, a nasty little piece of malware that targets specific pieces of commercial equipment. It doesn’t take an overactive imagination to draw a line between “infected uranium enrichment hardware” and “disaster.”

Both events were stunning failures in computer security, to be sure. But don’t move that modular bomb shelter to the head of your Christmas list quite yet. The 2008 breach of U.S. security systems was a disaster in IT terms, but didn’t lead to any action by foreign governments, as far as we know.

As for Stuxnet, it is kind of crazy that a piece of malware made it into a couple of Siemens industrial controllers in Iran. But by most accounts, it was a widely distributed piece of software that just happened to infect sensitive facilities in a sensitive part of the world. It caused inconvenience, and even physical damage to an industrial facility, but not death. It wasn’t, as one German security researcher called it, “the coming of an F-35 fighter jet on a World War I battlefield.”

The verdict? A cyber doomsday is more possible than it’s ever been, but it’s not something you should be anxious about on a daily basis. Or even a monthly one.

Nightmare Scenario Two: State-sponsored Script Kiddies

When it came time to settle on scenarios for their simulation, the Bipartisan Policy Center didn’t need to stretch its collective imagination too far. It only had to look to the recent past. In 2007, Russia was accused of targeting Estonia’s banking and media systems in the wake of the removal of a Soviet war memorial. That same year, Symantec claimed that China had used a botnet of millions of computers to attack computers in the U.S., India, and Germany. In September of 2009, attacks possibly originating from North Korea targeted South Korea’s largest newspaper, as well as some of its largest banks. Most recently, as partially revealed in the Wikileaks cablegate episode, the Chinese government was involved in concerted attacks on American websites, including Google. One of the purposes, it’s alleged, was to view dissidents’ emails.

Together, these events begin to paint a picture of the real cyber threat. It’s subtle, not particularly sophisticated, backed by governments and carried out by vast networks of zombified computers. It’s a threat to privacy, and a cause of mass annoyance. It’s slightly mundane, even. But it’s very real.

“Cyber attack is a term that gets thrown around plenty,” says Blaise Misztal, Associate Director of Foreign Policy for the Bipartisan Policy Institute and planner of this year’s televised exercise. He contends that the term should be used to describe “attacks from foreign governments,” a distinction that drove the institute’s choice of scenarios: a botnet built from malicious smartphone apps, targeted at the nation’s telecom infrastructure; and a targeted attack designed to bring down an energy trading platform.

These aren’t the types of threats that keep citizens up at night. But they’re the types of threats that could cause billions of dollars of damage (in lost profits, troubleshooting, panic selling, etc.), all the while disrupting millions of people’s lives in small but nonetheless noticeable ways. They’re disruptive, and designed to cause fear of the financially costly, if not visceral, variety.

The good news, then, is that modern cyberwar isn’t especially bloody, or lethal. It’s the aggravating tactics of DDoS-ing script kiddies, writ large and backed by millions of dollars.

The bad news? We’re woefully underprepared for it, even as it happens. According to the BPI’s report:

The cyber threat to our national security is real. The U.S. government needs updated policies, legal authorities and operational capabilities to reply to cyber attacks, whether it means defending our networks from intrusion by hackers or securing critical infrastructure.

Misztal explains that almost all of the problems encountered by the participants in the simulation came down to a near-total inability to communicate between the government and private industry, and a lack of command structure. Misztal says that it wasn’t clear “who is to blame” in such situations, which made initial response efforts difficult. Michael Chertoff, writing after the simulation, worried that “there’s not in place a user-friendly process to allow government cyber defenders to effectively collaborate with the personal sector to use their expertise and data in the course of the response to a cyber attack.”

Some will read language like that and see evidence of an unwieldy, neutered security apparatus. Others will see an old man urging private citizens to give up yet more of their civil liberties to ensure that cyber attacks are manageable.

That this is the conversation we’re having about cyber attacks (security versus privacy; response versus prevention) is telling. This is a debate about policy, minimizing economic impact and preventing the erosion of civil liberties. What it isn’t, for the foreseeable future, is a debate about life and death.

Original illustration by Gizmodo guest artist Shannon May. Check out more of her work on her website.
