A new report from McAfee--In the Crossfire: Critical Infrastructure in the Age of Cyber War--suggests that the use of cyber-attacks as a strategic weapon by governments and political organizations is on the rise. The survey follows closely on the heels of the attacks on Google and a number of other companies, which Google publicly attributed to attackers operating from China.
The exposure and vulnerability of the nation's critical infrastructure--utilities, communications, etc.--has been the premise of many fictional attacks in cyber-thrillers. Black Ice, by Dan Verton, detailed a fictitious attack, then described tests and exercises conducted by the government illustrating our lack of readiness.
The government is aware of the realities, both of how a well-orchestrated attack against the critical infrastructure could cripple our nation and of what a tremendous asset such an attack could be prior to launching a military strike against an enemy.
Critical Infrastructure Attacks
The survey conducted by McAfee, and written by the Center for Strategic and International Studies, found that the oil and gas sectors experience more DDoS (distributed denial-of-service) and extortion attacks than other infrastructure sectors.
Interestingly, the United States and China stand out as the "most feared" sources of such cyber-attacks, and respondents from China and the United States each listed the other nation as their primary concern.
The study found that more than a third of the critical infrastructure organizations do not patch or update software on a regular basis, exposing them to a wide variety of known vulnerabilities with active exploits. It also found that usernames and passwords are still the most common form of authentication used.
Joris Evers, a security specialist with McAfee, responded to me via e-mail to explain that "the majority of respondents believe that there is a government sponsor behind the attacks on critical infrastructure in their country. Moreover, the United States was identified most frequently as the potential source of attacks, followed closely by China."
Evers went on to say "We believe that governments around the world are building up their offensive security capabilities. Leaders in this area, as identified in our 2009 Virtual Criminology Report, are the U.S., Russia, France, Israel and China, in no particular order. Cyber is part of the arsenal governmental, political, and terrorist organizations want to have at their disposal."
Reality or Hype?
Words like cyberterrorism and cyberwar have been tossed around for a number of years, but many security experts have dismissed them as hype and FUD (fear, uncertainty, and doubt) perpetuated by the media and security vendors, and aimed at fear-mongering. Perhaps that was then, and this is now.
Some respected security experts, like Marcus Ranum, still don't buy it, though. In slightly more colorful language than I can quote here, Mr. Ranum informed me that he finds the whole concept of state-sponsored cyber-attacks, and reports that China has an army of "cyberspies" responsible for the Google hack, completely ludicrous.
Ranum believes that the "China" attacks may be a symptom of the explosion of Internet usage in China, combined with fear of draconian repercussions if Chinese assets are hacked. "The Chinese internet population is about the same size as the US Internet population. Let's assume that, maybe, there are about the same number of expert hackers and script kiddies. In China, if you're caught hacking your government's machines, you might be executed - killed dead. In China, if you're caught hacking the US government's machines - nobody cares. So what I think we're seeing is a thundering herd of Chinese script kiddies."
In Ranum's view, the larger threat comes from actual human beings on the inside rather than from state-sponsored cyber-attacks. Ranum says "that's how the real spies do it - Aldrich Ames, Robert Hanssen, Kim Philby, John Walker, Michael Walker, Jonathan Pollard, Katrina Leung, etc, etc. It's not the thundering herds of script kiddies that bring home the big bacon: it's the insiders. The KGB knew that. The Mossad knows that. The Chinese Ministry of State Security knows that."
Somewhere in the Middle
The reality probably lies somewhere in the middle. While it is true that each of the instances of espionage cited by Ranum was carried out by an insider, it is hard to ignore that the ability to cripple a nation's critical infrastructure prior to the launch of an actual military attack would be a valuable weapon to have in the arsenal.
Regardless of whether the attacks are state sponsored, come from Chinese script-kiddies, or are just run-of-the-mill malware attacks, critical infrastructure is called that for a reason, and steps should be taken to ensure it can survive a cyber-attack. The report's own findings point to where to start: regular patching of known vulnerabilities and authentication stronger than a username and password.