What threat to the banks, utility companies, and telecommunications companies that make up the "critical online infrastructure" of the United States worries one of the Pentagon's top cyber officials more than almost any other?
You might think it is a strategic, Stuxnet-on-steroids-style cyber attack designed by a rival nation with deep pockets and lots of engineers to cripple American industry. While state-sponsored attacks remain a big threat to large corporations and the U.S. government, the cyber tools available to average hackers are increasing in potency at an alarming rate. The proliferation of tools allowing anyone to easily detect where a device connects to the Internet, combined with the growing ability of private hackers to discover previously unknown vulnerabilities inherent in computer systems (called zero day exploits), now poses a large threat, according to Eric Rosenbach, deputy assistant secretary of defense for cyber policy.
"It's this combination of a program, which is essentially a Google-like browser on the Internet right now that allows you to scan for vulnerabilities in the industrial control systems in the U.S. and around the world, . . . that combined with the phenomena of these black market zero day exploits and malware tools that makes me extremely nervous," said Rosenbach during a Sept. 4 interview with Killer Apps, during which we also discussed the automation of cyber defense and the holy grail of cyber security. "Because then it's not just a nation-state that wants to harm the U.S., but it could be a rogue group or some crazy individual that wants to leave their mark on history. The perspective on the vulnerabilities is there [for anyone to see], and some of the tools that you need to do it are there too. I think that is what worries us the most."
The program Rosenbach referred to is called Shodan; its website describes it as a search engine that allows users to find any device connected to the Internet -- whether that's a server, the controls of a power plant, or even a refrigerator.
Columbia University professor Abraham Wagner, who specializes in how technology has impacted national security, points out that there are already reports of hackers using Shodan to find weak spots in the programs, known as Supervisory Control and Data Acquisition (SCADA) systems, which control everything from an office building's air-conditioning to the speed at which a uranium-enrichment centrifuge in a nuclear plant spins.
"Tools like this certainly make hacking easier," wrote Wagner in a Sept. 13 email to Killer Apps. "The vulnerable systems are still in serious need of major security upgrades, and we are still in a ‘transitional' period where nobody seems willing to undertake the level of effort that is required. There is still an operative mentality that states it must be somebody else's problem to do it."
While basic cyber hygiene -- such as using tough-to-crack passwords and regularly updating a computer and network's security settings -- can thwart many attacks, Rosenbach doesn't think that private companies will take action until they have suffered too many costly cyber attacks, or the government can work with them to implement cyber security standards. The latter, however, remains a tough nut to crack. In August, Republican senators shot down the latest attempt to legislate minimum cybersecurity standards for companies involved in maintaining critical infrastructure.