Jon.Kibler at aset.com
Tue Apr 7 22:04:53 CDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Robert Graham wrote:
> It's a power grab by the government over the Internet.
> The easiest way to do a cyber 9/11 is to cut some cables and blow up a
few data centers. Is there anything in that cybersecurity bill that
addresses the most important threat? No, of course not, because it's not
about cybersecurity, it's about a power grab.
> Chinese teenagers regularly break into computers in the federal
government, but they don't cause power blackouts. This bill puts the
computers controlling power systems under control of the federal government.
First, your perception that attacks from China are "teenagers" or
"script kiddies" is wrong. It is well documented that the State is
behind a lot of these intrusions.
I also disagree completely this is a power grab. Rather, it is an effort
to force industry to take precautions and harden critical infrastructure
from potential attack. Is it government regulation? Yes, clearly it is.
However, it is regulation that is desperately needed because industry
has been nearly completely unwilling to act in its own best interest
when it comes to cyber security.
Most of private industry, especially industrial operations such as
utilities and manufacturing, still have their head VERY deeply buried in
the sand. They have vigorously fought nearly every attempt to require
even the most trivial of security. Almost every industry with any type
of industrial control system (PLC, SCADA, DCS, etc.) is a sitting duck,
and they simply could not care less.
Someone has to hit these providers of critical infrastructure up the
side of the head with a clue-bat and force them to take action. I am not
saying that this bill is the best way to solve them problem, but someone
has to take action. I am at least glad that the Obama administration is
not in deep denial about cyber-security.
How clueless is industry? Bruce Potter gave a great example a few years
back at BlackHat, where he showed an article from an industry trade rag
talking about saving money by deploying wireless networks for industrial
control systems. In one of the excerpts from the publication was a photo
of a NEMA enclosure with the control systems WiFi MAC and IP address
clearly labeled on the enclosure door. (Bruce, if you are lurking, can
you please post a link to that photo?) Nothing has changed. Industry is
still as clueless and still could not care less.
Is cyber terrorism possible? Clearly, some parts of Al-Qaeda have deep
financial pockets. What is stopping them from funding 0-day research?
Or, renting botnets for attack deployment? For example, what would
prevent them from launching an attack such as this?
Likewise, a state actor could cause similar disruption. For example,
should China, which clearly is conducting government / military cyber
espionage / cyber reconnaissance attacks against U.S. interests, decide
to militarily attack Taiwan and wanted to distract the U.S. from
possible early intervention, it unquestionably has the resources,
finances, and ability to launch a crippling cyber attack against U.S.
critical infrastructure, possibly including military assets.
Robert, if you have a better idea how to force security accountability
by providers of critical infrastructure, I am sure the world would be
glad to hear from you.
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
c: 843-813-2924 (NEW!)
My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.
More information about the funsec