Experts: Infrastructure ‘legitimate target’ in battle for cyber supremacy
When Summer Fowler goes to sleep, the Cranberry mother of three knows computer hackers around the world are working through the night to undo the defenses she spends her days building.
Fowler, 37, is deputy technical director for cybersecurity solutions at CERT, the nation's first computer emergency response team, at Carnegie Mellon University's Software Engineering Institute. She works with Pentagon soldiers, intelligence directors and corporate titans to help them identify key electronic assets, secure them from cyber attacks and plan for what happens if someone steals them.
But at the end of the day, once her children are tucked into bed, Fowler wonders what the impact would be from a real cyber 9/11 attack on the United States.
There might be no way to make a phone call, no power for lights or heat, dwindling food supplies, only the money on hand and the gasoline in the vehicle's tank.
How long would it take for people to become desperate?
Secretaries of the Defense Department, National Security Agency and Cyber Command have warned of the potential for a cyber 9/11 or online Pearl Harbor — a devastating computer attack that unplugs the power grid, empties bank accounts and results in loss of life.
“Ultimately, it absolutely could happen,” Fowler said. “Yeah, that thought keeps me up at night, in terms of what portion of our critical infrastructure could be really brought to its knees.”
The United States, its allies and its enemies work daily to build, arm and aim online computer attacks that can be initiated at the first provocation of war. Until then, the militaries disrupt, spy, steal and cause havoc — often with the intention of sending a message.
No one can say how many successful breaches go undetected, but attackers do not always get away clean.
The FBI has caught hackers using computers in Iran to break into the systems of American Defense contractors, universities and energy companies. Homeland Security found Russians dropping destructive software into American systems for power grids, telecommunications and oil distribution.
Insiders with knowledge of the United States' offensive infrastructure declined to talk about it, but expert observers say the country leads the world with capabilities such as the Stuxnet attack on Iran's uranium-enrichment facilities in 2010.
As Russia's military gathered along Ukraine's border last year, security company FireEye of Milpitas, Calif., detected bad software erupting from both countries. The data does not reveal specific intent but “suggests strongly that computer network operations are being used as one way to gain competitive advantage in the conflict,” said the company, which has investigated hacks at places such as Target, Sony and Anthem.
In July, when Israel initiated a military campaign in Gaza, malware traffic there jumped dramatically.
Before a country's leaders even consider going to war, they must lay the groundwork for a computer attack, said Kenneth Geers, a former U.S. representative to NATO's cooperative cyber defense center in Estonia, who conducted the FireEye research.
“Because both weapons systems and critical infrastructure use computers and networks to run and operate, they are much more than legitimate targets,” said Geers, a private cybersecurity expert based in Kiev, Ukraine. “They are absolutely necessary to attack and undermine on a daily basis. … If things go bad, nobody is going to forgive you for not having done this already.”
Hype or reality?
Skeptics question whether computer attacks really could have the predicted impact.
They contend the warnings are hype designed to scare the public, raise money for the defense industry, and help cybersecurity experts win consulting contracts.
But even naysayers acknowledge that computer systems are becoming more vulnerable. As people put more information online, hackers are becoming more sophisticated.
“The risk is higher,” Nader Mehravari, a senior member of CERT's Cyber Risk Management Team said, “not only because there are more clever adversaries but because there are things that we have done to ourselves.”
CERT has played a historic role in defending the nation's online systems since the first computer virus in 1988. Its researchers uncover vulnerabilities and keep a repository of thousands of others.
One of the biggest risks comes from connecting devices to the Internet that were never supposed to go online, such as industrial control systems and factory monitors, said Joji Montelibano, the technical manager of CERT's Vulnerability Analysis Team. Operators want to check systems from remote computers and smartphones, but that provides an avenue for attack.
Project SHINE, a private research project, found more than 2 million industrial control systems connected to the Internet. More than a third are based in the United States, topping the list of countries.
“The people who conceived of this convenience did not take into account the evil that is out there,” Montelibano said.
Mike Schearer, a network analyst for the consulting company Booz Allen Hamilton near Baltimore, stood in a New York ballroom four years ago and revealed how he had peered into supposedly secure systems.
He had used Shodan — a search engine like Google, but for devices connected to the Internet. Unexpectedly, the program allows hackers to find systems that are not protected. Schearer had stumbled onto the open router for a Florida Internet service provider essentially broadcasting private communications to the public.
He alerted the Internet company and went public, figuring operators would take notice.
It didn't work.
“I'd say it's pretty much wide open,” Schearer told the Tribune-Review. “People haven't really changed their habits. We often say in the computer security world that ‘humans are the weakest link.' They really are.”
The search engine reveals countless webcams connected to the Internet, unwittingly pointed into users' homes, at factory control systems and behind the scenes of office operations. Even people who should know better get caught: The Trib found cameras focused on workers in a New Jersey computer repair shop.
Dan Tentler, a cybersecurity tester based in San Diego, conducted his own investigation of Shodan to snoop on wind farm power meters and heating systems for residential homes. He said he uncovered controls for flow valves at a French hydroelectric plant and for the power and heat boilers in a German resort town. He figured out how to alter streetlights and reroute messages from red-light cameras that record traffic violations.
Still, Tentler does not believe in the potential for a huge attack.
“I kind of hate to be that guy,” he said, “but I have to ask: If these systems have been open and vulnerable for 15-plus years, why haven't the bad guys done bad stuff yet?”
Tentler said be believes the bad guys have too much to lose to disrupt systems they use to creep up on victims. Hackers that might blow up the power grid instead could steal the designs for a power plant or stealth fighter.
That thought helps Fowler, too. She works with CERT's clients to focus less on the digital bogeymen and more on protecting their assets. Governments and corporations, she said, can do a lot more to become more secure.
“There's no reason to drop a nuclear bomb if you can come in through a door or come in through a window,” she said. “Right now, a lot of money is being made — and stolen — by these organizations. And we haven't seen the need for the big cyber 9/11 yet.”
Coming Monday: How the nation's first computer emergency response team was started at Carnegie Mellon University
Andrew Conte is a staff writer for Trib Total Media. He can be reached at [email protected]