Stop the Cyberbole

2012-10-20 01:25:23 by chort

We've been hearing an ever-swelling drumbeat lately about vulnerabilities in critical US infrastructure and the "need" for government regulation to "solve" the "crisis." The latest crescendo comes from Senator Lieberman, who published an op-ed in the New York Times pushing for more legislation.

I believe this message is dangerous and misleading for several reasons, some of which have already been called out by @krypt3ia on his blog. Here I'll expand on some of those points and add my own.

Any time I see a call for more regulation on an issue, my first instinct is to assume that's a bad idea. Government is often inefficient, and frequently poor at prescribing remedies. Because politicians dedicate most of their time to fundraising, they lack a deep understanding of the issues they're trying to regulate. Trying to dictate solutions for problems that one doesn't understand is a recipe for disaster. Some argue that they have staff and take briefings from industry experts to become knowledgeable about issues, but see point number one: they spend most of their time fundraising. That means the briefings are often thinly-veiled trades for campaign dollars. Even if they aren't, the briefers always have their own agenda and are trying to influence a specific outcome. This is why the sane default to new regulations is no, unless a very strong case is made in favor.

Next is how a decision is made. It seems that politicians (and other humans) often arrive at an opinion first, then find evidence to back it up, rather than the other way around. Because fear is one of the strongest motivators, people have naturally found fear-based arguments to be the most likely to sway the unconvinced. Unfortunately, these tactics have been used so often for so long that people become desensitized, so those selling ideas have to add more fear to make their point stronger. This leads to blurring of factual lines, conflation of multiple issues, and just generally building arguments by lumping every bad thing together, regardless of how or whether those things are even connected.

You see, details matter. As I, and many other people in the information security industry, know, differences in small details often make a huge difference in outcomes. We have to know how systems work better than adversaries do in order to have a hope of protecting them. When understanding lacks precision, the resulting decisions lack precision too.

For instance, let's look at some of the "facts" included in Sen. Lieberman's argument. He cites some attacks attributed to Sabu and conjures up this frightening statement: "he also participated in attacks on computers belonging to the federal government, as well as the governments of Tunisia, Yemen, Algeria and Zimbabwe." Can we just step back and look at that for a second? The bulk of the argument is that he attacked third-world government computer systems. Is it any wonder they were affected?

He goes on to say "If a dropout can manage such exploits, imagine what a well-financed hostile nation or terrorist group could do." Whoa, hang on a second. This is a huge leap in logic. First of all, LulzSec got really lucky that the one target they wanted most (HBGary Federal) had a flaw that allowed access to external systems (no core systems were breached, so far as I know). With the exception of PBS, all the rest of their victims (in my memory) were purely targets of opportunity. Basically they went on a world-wide hacking spree of low-hanging fruit, and the best they could do was some sheriff offices and some third-world governments.

Next, most folks who aren't willfully blind now realize that there's a concerted, state-sponsored effort by nation-states, China above all, to steal every invention and piece of data that isn't tied down. Yes, they're plundering businesses and NGOs left, right, and center, but they aren't intentionally causing physical damage (if they are, it's incidental in the process of destroying evidence). In my limited understanding of Chinese culture (and someone please do correct me if this is wrong), they're doing all this bold plundering because they know the US won't make a meaningful response. As long as they "only" wage economic warfare and spy on human rights activists, they won't be in serious trouble. It's not about a war of violence, it's about economic supremacy. One could argue that you need the latter to achieve the former, but there aren't any clear signs real shooting will start any time soon.

Which brings us to terrorists. Ah, the favorite bogeyman of every two-bit authoritarian "guardian" out to make a name by "saving the American way of life." Are terrorists trying to think of any possible way to hurt their enemies? Sure. Have they heard of "The Interwebs" and the potential to cause massive damage with "nefariously named" tools like Metasploit? It's pretty clear they have. So you would think, with both the motive and the means, that something dreadful would have happened by now, right? It turns out to be harder than it looks in movies.

While nation-states such as China, Israel, and the USA are capable of massive, coordinated attacks, history would seem to show they take many years, hundreds of people, and probably tens to hundreds of millions of dollars to pull off. How do I arrive at a number like that? Let's just say, for argument, that the Duqu/Flame/Stuxnet crew has been at work for 5 years and consists of 75 people (say about 15 operators, 20 programmers, 5 QA, 5 IT/support, 5 exploit developers, 5 analysts, 5 doing recon, 10 managers, and 5 other miscellaneous personnel), each with total compensation averaging $100,000 (figure some are from defense contractors). That alone is $37.5M; now throw in the cost of any supplemental exploits they had to buy, and you're looking at close to $40M before even considering the cost of working space, bandwidth, servers, software licenses, etc. Does that sound like something a bunch of young people in mountain caves can pull off?

Before someone says "ah, but Saudi Aramco," yes, I know about that. First off, it was suspected to be a nation-state sponsored attack, so probably not an independent terrorist organization. Second, how much damage did it actually cause? On the surface it would look like a lot, due to the sheer number of systems. So far, though, there haven't been reports of significant impact to operations. With the level of access the attackers had, you would think they could have caused a lot more destruction, but they didn't. Why? Were they not aware of what else they could have done? Were they not skilled enough to pull off further escalations into less common software systems (i.e. did their knowledge start and end with Windows, so they weren't able to figure out mischief with ICS software)? Did they become overly excited at their successful penetration and start acting in the absence of a real plan? Did they intentionally limit the impact to avoid substantial retaliation? We'll probably never know, but it appears that reinstalling the operating system on a large number of workstations is something that can be done through sheer brute force and is not as catastrophic as people might have thought. Also, one last point here: the attackers don't seem to have been able to pull off a similar success elsewhere. We're led to believe that the same state sponsor may be behind a number of DDoS attacks against US financial institutions right now, but those don't appear to be accomplishing much of anything either.

So far I've lightly touched on an issue twice that I'd now like to flesh out. Generally it seems attacks through computer systems have been limited in magnitude to those unlikely to invite a harsh response. If there are so many enemies on all sides, and electronic attacks are so easy, why don't we see more of them, with more spectacular results? My guess is fear of retaliation. It's true that the United States is heavily reliant on technology for our economy. It's also true that, as home to some of the biggest software and networking companies in the world, and certainly the largest concentration of them, our citizens and businesses have been living with those technologies for a very long time. Since businesses in the US are subject to US laws, use of pirated software is fairly rare. I think this is an overlooked point, but an important one. Because most US entities have licensed software, they're entitled to updates and security patches that are often not available to pirated versions. This means US businesses and users are better protected against attacks, and more able to recover from them quickly.

Yes, China is pretty good at offense--that is, attacking computer systems in other countries. Where they are not so good is on defense. A high percentage of computers in China are running pirated software that either isn't eligible for updates, or whose users are wary of installing updates for fear of the update disabling their illegal software. Also, because of China's rampant copying, they often inherit old versions of code that had existing vulnerabilities when they stole it. The code may have subsequently been fixed upstream, but since their copy is essentially "forked," their developers are unlikely to incorporate the patches. While the functionality of some western systems might be mimicked, the implementations are often shoddy, leading to unique vulnerabilities (see Huawei and H3C).

If nation-states actually started causing physical damage in the US, they could be sure their own systems would be attacked in retaliation. Having exploitable infrastructure isn't a problem unique to the US. For example, one researcher (whom I won't name since the comment was off-the-cuff) recently stated, "I could shut down an entire railway system in China from my phone right now."

So let's disentangle things. Yes, there are vulnerabilities everywhere in critical infrastructure. Many are different enough that it would take individual attention to each site to exploit them. Could some be successfully attacked by "an unemployed, high-school dropout"? Probably yes, but it's more likely they would be targets of opportunity rather than targets picked for maximum effect. Can coordinated attacks on multiple sites, or on sites of specific choosing, be accomplished by extremely well-funded and trained groups? Yes, but so far such attacks have been limited to espionage, or to very specific military targets as an alternative to more destructive methods. So while many sites could be exploited, it's unlikely that all the vulnerable sites could be exploited at the same time. Finally, if that did happen, it almost certainly means a shooting war has started, or will very shortly. The attacker won't be immune from retribution.

Now that the dust has settled, do we still need governments to step in and tell organizations what to do, so that "cyber-terrorists" don't "destroy the American way of life?" I don't think so. I think US citizens should be extremely wary of the same government that brought you warrantless wiretapping, indefinite detention, and domestic surveillance drones. Any time the government's "solution" to a problem is for everyone to give up more information and submit to more intrusive surveillance, you should reject it. If the threat is so terrible and only the government knows about it, why don't they give us the information so we can act accordingly? After all, the government is supposed to serve the people, not the other way around.
