Stephen D. Bryen
Washington DC — A few voices in America are arguing that people with electric cars have nothing to worry about if the Colonial Pipeline is shut down by a cyberattack, because they can get their “gas” from the electric company. They go on to argue for more electric vehicles.
Of course, if it were the power company that was knocked out, the electric car wouldn’t run either. And power companies have been knocked out: the Russians took one down in Ukraine and kept it offline for a while.
Unfortunately, there is a relevant lesson here for Washington, the CIA, and the Pentagon. The CIA has already plunged ahead. The Pentagon’s $10 billion project has been challenged and is tied up in a legal proceeding. The idea? Put everything in the cloud. In other words, create a single point of failure, ripe for attack by state and non-state actors.
The DOD and CIA cloud ventures show, above all, how naive government officials are when it comes to security. The Pentagon is an expert at creating monsters and single points of failure, like the F-35, which is supposed to replace all of the Air Force’s “tactical” aircraft even though the plane has not yet been in combat. Crazy.
When it comes to cybersecurity and dealing with cyberattacks, the US government has spent hundreds of billions of dollars since 1988, yet today the situation is worse than ever. The same is true of critical infrastructure, including energy, transportation, water supply, food supply, telecommunications, chemicals, critical manufacturing (mostly offshore today), financial services (including the US Treasury, banks and stock markets), healthcare and more.
In the United States, most critical infrastructure, apart from government and military systems, is in private hands. In 1988, when the first computer security law was passed, Congress decided not to require the private sector to meet any particular network or computer standard. The private sector was left free to decide for itself what the right amount of protection was.
In fact, to be fair, no one knows the right amount of protection today, because no one really knows how to protect a computer system to any meaningful degree.
Virtually all computers used in the United States are made abroad, with the exception of highly specialized supercomputers and certain processors made for defense applications. This includes not only information-processing machines but also the special controllers used in manufacturing and in power grid and pipeline operations.
These are known as SCADA-based systems (SCADA stands for Supervisory Control and Data Acquisition). Used for power plant and pipeline operation, water supply control, transportation, and the management of critical manufacturing, these SCADA boxes are commercial devices manufactured primarily abroad.
One of the best-known SCADA systems is manufactured by Siemens of Germany. It is the same system that runs Iran’s uranium centrifuges, helping to ensure that Iran can acquire nuclear weapons.
It is possible to build some security “walls” around computer networks and SCADA systems, but most of them have been compromised in one way or another. For example, most computer networks are open and store data unprotected. The operating systems are commercial off-the-shelf products and are unencrypted. All network protocols and the Internet itself are based on globally shared standards and are easy to hack.
Even much of the Pentagon’s intellectual property is stored without cryptographic protection because of the obsolete rules the Pentagon follows. Those rules say that the Pentagon does not expect to store information in encrypted form unless it is classified. The US National Security Agency (NSA) controls encryption for the US government, and its belief is that classified and unclassified information are strictly separated.
While the Pentagon is beginning to characterize some information as “sensitive but unclassified,” such information is not eligible for NSA-sponsored encryption. Since the Pentagon states that it is not national security information, it seems highly doubtful that the law can protect sensitive but unclassified information from disclosure.
Unfortunately, this is complete nonsense. Perhaps 80-90% of Pentagon information is unclassified, and much of it relates to technology and weapons systems. It is ridiculous to say that this is not national security information.
A significant example: China stole almost all of the plans and data for the stealth F-35 fighter, most of which were sensitive but unclassified, and unencrypted. This front-line defense program, which will cost taxpayers more than $1.5 trillion over its life cycle, has been seriously compromised. How can this information not be relevant to national security?
When it comes to cyberattacks, the DOD and FBI are on slightly firmer ground in the sense that they understand the magnitude of the threat. But does the US response reflect the danger to US national security?
The Pentagon, the military services, and other government agencies continue to buy computers and network equipment from China while trying to take security measures. Virtually all of this equipment is commercial.
Despite buying billions of devices, including computers, laptops, modems, tablets, cell phones, routers, hard drives, and others such as GPS units and internet-enabled security cameras (with a free backdoor connecting Beijing to a U.S. military base!), DOD has no hardware or software inspection system. In other words, it buys devices without knowing whether they are compromised or full of malware.
If DOD is this bad, you can imagine what the rest of the government looks like, or how “protected” critical infrastructure is.
The Colonial Pipeline incident raises another major danger signal, because “ransomware” is a major threat in three respects. First, ransomware disables the computer network, including the SCADA system, and encrypts everything with unbreakable code that you have to pay to unlock.
Second, ransomware operators often steal information before the network goes down under the ransom encryption. The stolen information is then used, in part, to extort the network operators.
The third problem is that even if you pay, as Colonial did, $5 million in cryptocurrency that cannot be traced, there is no guarantee that the unlock key will work, or work effectively. Colonial appears to have paid the ransom early on (without telling anyone), but the decryption key it received worked very slowly, if at all. In other words, Colonial got the shaft from the perpetrators.
Next time, imagine it is the US Strategic Air Command that is shut down.
It is clear that commercial networks, including hardware and software that often come from foreign sources, are not the right way to protect the infrastructure that is critical to national security.
Enemy countries have set up elaborate, well-trained teams that focus on specific targets and work full-time to defeat them. And teams of trained, semi-independent hackers, like those who hit Colonial, are a criminal enterprise. Yet we tolerate both.
Here are some suggestions to act on before the next disaster occurs.
- Implement a national program to create secure networks using hardware built by secure vendors.
- Require all critical infrastructure networks to undergo a third-party security audit, with the assistance of the NSA or other security agencies capable of running one.
- Scrutinize all hardware before it is used by the U.S. government or by critical infrastructure operators.
- Pursue malicious actors at home and abroad and impose severe penalties on perpetrators.
- Make clear to foreign governments that sponsoring or protecting criminal activity will result in their networks being destroyed.
So far, at least, our government has always promised to improve things (though that never seems to happen) and to act as if our national security were at stake. It has not. It is not clear whether this will continue, but if it does, the effect on the United States will be devastating.
Stephen Bryen is an expert on technology security policy and has twice been awarded the Department of Defense’s highest civilian honor, the Distinguished Public Service Medal. His latest book is Technology Security and State Power: Winners and Losers.