
Friday, August 01, 2008

China's Cyber-Militia

National Journal
(Excerpts from COVER STORY - China’s Cyber-Militia)

Full story:
http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php

Chinese hackers pose a clear and present danger to U.S. government and private-sector computer networks and may be responsible for two major U.S. power blackouts.

by Shane Harris

Sat. May 31, 2008

Computer hackers in China, including those working on behalf of the Chinese government and military, have penetrated deeply into the information systems of U.S. companies and government agencies, stolen proprietary information from American executives in advance of their business meetings in China, and, in a few cases, gained access to electric power plants in the United States, possibly triggering two recent and widespread blackouts in Florida and the Northeast, according to U.S. government officials and computer-security experts.

One prominent expert told National Journal he believes that China’s People’s Liberation Army played a role in the power outages. Tim Bennett, the former president of the Cyber Security Industry Alliance, a leading trade group, said that U.S. intelligence officials have told him that the PLA in 2003 gained access to a network that controlled electric power systems serving the northeastern United States. The intelligence officials said that forensic analysis had confirmed the source, Bennett said. “They said that, with confidence, it had been traced back to the PLA.” These officials believe that the intrusion may have precipitated the largest blackout in North American history, which occurred in August of that year. A 9,300-square-mile area, touching Michigan, Ohio, New York, and parts of Canada, lost power; an estimated 50 million people were affected.

Officially, the blackout was attributed to a variety of factors, none of which involved foreign intervention. Investigators blamed “overgrown trees” that came into contact with strained high-voltage lines near facilities in Ohio owned by FirstEnergy Corp. More than 100 power plants were shut down during the cascading failure. A computer virus, then in wide circulation, disrupted the communications lines that utility companies use to manage the power grid, and this exacerbated the problem. The blackout prompted President Bush to address the nation the day it happened. Power was mostly restored within 24 hours.

There has never been an official U.S. government assertion of Chinese involvement in the outage, but intelligence and other government officials contacted for this story did not explicitly rule out a Chinese role. One security analyst in the private sector with close ties to the intelligence community said that some senior intelligence officials believe that China played a role in the 2003 blackout that is still not fully understood.

Bennett, whose former trade association includes some of the nation’s largest computer-security companies and who has testified before Congress on the vulnerability of information networks, also said that a blackout in February, which affected 3 million customers in South Florida, was precipitated by a cyber-hacker. That outage cut off electricity along Florida’s east coast, from Daytona Beach to Monroe County, and affected eight power-generating stations.

Bennett said that the chief executive officer of a security firm that belonged to Bennett’s trade group told him that federal officials had hired the CEO’s company to investigate the blackout for evidence of a network intrusion, and to “reverse engineer” the incident to see if China had played a role.

Bennett, who now works as a private consultant, said he decided to speak publicly about these incidents to point out that security for the nation’s critical electronic infrastructures remains intolerably weak and to emphasize that government and company officials haven’t sufficiently acknowledged these vulnerabilities.

The Florida Blackout
A second information-security expert independently corroborated Bennett’s account of the Florida blackout. According to this individual, who cited sources with direct knowledge of the investigation, a Chinese PLA hacker attempting to map Florida Power & Light’s computer infrastructure apparently made a mistake. “The hacker was probably supposed to be mapping the system for his bosses and just got carried away and had a ‘what happens if I pull on this’ moment.” The hacker triggered a cascade effect, shutting down large portions of the Florida power grid, the security expert said. “I suspect, as the system went down, the PLA hacker said something like, ‘Oops, my bad,’ in Chinese.”

The power company has blamed “human error” for the incident, specifically an engineer who improperly disabled safety backups while working on a faulty switch. But federal officials are still investigating the matter and have not issued a final report, a spokeswoman for the Federal Energy Regulatory Commission said. The industry source, who conducts security research for government and corporate clients, said that hackers in China have devoted considerable time and resources to mapping the technology infrastructure of other U.S. companies. That assertion has been backed up by the current vice chairman of the Joint Chiefs of Staff, who said last year that Chinese sources are probing U.S. government and commercial networks.

Asked whether Washington knew of hacker involvement in the two blackouts, Joel Brenner, the government’s senior counterintelligence official, told National Journal, “I can’t comment on that.” But he added, “It’s certainly possible that sort of thing could happen. The kinds of network exploitation one does to explore a network and map it and learn one’s way around it has to be done whether you are going to … steal information, bring [the network] down, or corrupt it.… The possible consequences of this behavior are profound.”

Brenner, who works for Director of National Intelligence Mike McConnell, looks for vulnerabilities in the government’s information networks. He pointed to China as a source of attacks against U.S. interests. “Some [attacks], we have high confidence, are coming from government-sponsored sites,” Brenner said. “The Chinese operate both through government agencies, as we do, but they also operate through sponsoring other organizations that are engaging in this kind of international hacking, whether or not under specific direction. It’s a kind of cyber-militia.… It’s coming in volumes that are just staggering.”

The Central Intelligence Agency’s chief cyber-security officer, Tom Donahue, said that hackers had breached the computer systems of utility companies outside the United States and that they had even demanded ransom. Donahue spoke at a January gathering in New Orleans of security executives from government agencies and some of the nation’s largest utility and energy companies. He said he suspected that some of the hackers had inside knowledge of the utility systems and that in at least one case, an intrusion caused a power outage that affected multiple cities. The CIA didn’t know who launched the attacks or why, Donahue said, “but all involved intrusions through the Internet.”

Donahue’s public remarks, which were unprecedented at the time, prompted questions about whether power plants in the United States had been hacked. Many computer-security experts, including Bennett, believe that his admission about foreign incidents was intended to warn American companies that if intrusions hadn’t already happened stateside, they certainly could. A CIA spokesman at the time said that Donahue’s comments were “designed to highlight to the audience the challenges posed by potential cyber intrusions.” The CIA declined National Journal’s request to interview Donahue.

Cyber Terrorism - America's Achilles Heel

Cyber Terrorism - Part 1
What Price for Freedom?

Series by Jim Putnam


We live in a society that dictates the need to protect ourselves, our families, homes, property and businesses. America without insurance would be like air without oxygen. It is difficult to find a single aspect of life in America in which protection is not integrated and essential.


Yet our leadership tells us that the most basic services on which our life and lifestyle depend, the infrastructure of the American standard of living, cannot be protected. The necessities of life, food, air, water, housing and transportation, are all vulnerable to terrorist attack.


We can protect the president. We can protect our money, our gold and our treasures. We can even protect our nuclear arsenal and weapons of destruction. But we cannot protect our quality of life and our people from the threat of cyber terrorism.


Former Bush Administration cyber expert Richard Clarke predicts an “Electronic Pearl Harbor” and has blasted the private sector for failing to protect our infrastructure. Yet all experts agree it is a complex issue. Cyber security seems to demand a trade-off. More security can be given if we are willing to sacrifice our freedom and privacy.


America’s corporate world, especially the financial and international commerce communities, refuses to accept government intrusion into its world of corporate secrets for fear the information will be used to tax or prosecute them. Recent examples of corporate greed and abuse suggest there is a lot to hide from the government. Yet the privacy issue is valid.


At the same time, the corporate world has been reluctant to tell us if they have been successfully hacked. To do so would acknowledge they are vulnerable. It would raise doubt as to their ability to protect their records, clients and intellectual property. It would threaten their credit rating and worst of all, it could cause their stock value to fall. Better to cover up the attack than to undermine investor confidence.


Politically, with the federal elections on the horizon and control of the White House in the balance, it is always safer to blame someone else or deflect blame than to assume responsibility. The politicians use the convenient mantra we can’t protect our infrastructure from cyber attack. They blame the private sector for failing to develop adequate security. And they accuse the private sector of refusing to cooperate and of withholding information about cyber vulnerability.


Wouldn’t you refuse to tell the government all your secrets? The government can’t keep its own secrets, let alone be trusted with proprietary corporate secrets. Still, it is a “Catch-22” that must be overcome for the average citizen to go to sleep at night feeling secure that their essential services are protected from the hands of bloodthirsty, hate-filled terrorists committed to killing Americans and destroying our way of life.


Because tonight the water supply could be poisoned. Tonight the electrical grid could be shut down and air conditioners would stop working in the heat wave. Nuclear reactors could have a meltdown, sending clouds of deadly radiation into the air and contaminating the countryside. Air traffic controllers could be stopped from contacting the thousands of planes in the air.


Floodgates on dams could be opened, sending billions of gallons of water crashing down on communities. You could wake up tomorrow and your bank records could be gone, your insurance coverage cut off, and health care disrupted. Raw sewage could be diverted into your drinking water. Emergency calls to 911 could go unanswered.


Because our standard of living is excessive, it takes an excessive infrastructure to support it. Our lifestyle is computer and energy dependent. From the cockpit of an airplane to the control room of a nuclear reactor, the 500 digital TV channels to the cell phone attached to your ear, we need the infrastructure to feed our addiction for more.


The techniques that could be used by a single terrorist cell working through cyber space could threaten the very existence of our national infrastructure. Every single catastrophe I mentioned is possible from a few keystrokes on a keyboard. So if the politicians are not responsible, the government can’t help, and the private sector is in denial, where do you turn for help?


We need a wake-up call to America, to the government leadership and the business community, on the threat to our national infrastructure and what can be done to protect our resources and people. It is too late for theories and hypothetical solutions to the very real problems of today threatening our standard of living and quality of life.

Cyber Terrorism - Part 2
Media Awareness?


In America there are time-honored traditions for using the media to sell you everything from the news to the latest unnecessary drug. Once upon a time you could distinguish between media’s supposedly unbiased news stories, and those selling goods, services and points of view.


That day is gone. The editorial policy of the media outlet dictates the slant of the news coverage. Revenues rule philosophy and news is no longer a service but a profit center. News content and presentation is designed for ratings, sales and advertising revenue, not objectivity and public good.


In light of this, why is news coverage of cyber terrorism generally limited to technology stories for special interest groups and safely tucked away in the egghead section? Three obvious reasons come to mind. 1) It is a complex issue. 2) It might scare the public. And 3) it might upset the advertisers in the media.


Cyber terrorism is the largest single threat to the quality of life for our citizens. It represents a far greater threat than corporate corruption, government inertia, media bias or bank and phone company service charges. So why are we not being warned about it?


Sure, the cyber world is complex, isn’t all technology? How many consumers know how their air conditioner, television, automobile or computer work? How many know how their money got from a bank into the ATM to them? They don’t. You throw a switch, push a button, or turn a key and it works.


People are not stupid. They don’t need to know how technology works, just what it can do for them. They know all aspects of American life are dependent on the computer, or the electricity that powers the computer. They know we are being bombarded by microwave beams and every other form of electronic signal and frequency to support that technology.


I have a simple way to perceive the cyber world. Our physical world is three dimensional and interpreted by the physical senses. The cyber world is what is beyond the physical realm, is limited only by one’s imagination, and is interpreted by the expanded mind.


As to the concern that cyber terrorism stories would scare the public, so what! One of our constitutional freedoms has always been the right to be scared to death. Stephen King and Dean Koontz wouldn’t sell many books if the public did not want to be scared. Many movies and TV shows were successful because they were very scary.


People pay billions of dollars to be frightened. Supposedly “free” news stories on cyber terrorism would be a great bargain. Sometimes the power of the media to scare people can change our way of life, and sometimes for the better.


Finally, there is the concern that cyber terrorism stories might upset advertisers. Does anyone doubt it? Computer manufacturers, software companies, technology driven companies and companies dependent on communications and advertising for sales are all directly affected. So are services that are electronically dependent like ATM banking, credit cards, phones, etc.


Of course they don’t want stories about how their product can be hacked by terrorists, or how easily services can be disrupted. Billions of dollars in advertising revenue from these companies are poured into the media, the same media that brings you the news. Do you really think “truth” is more powerful than investor confidence or corporate stock valuation?


Those advertising dollars can buy a lot of influence, especially when the advertising and media companies are losing ratings, readers and revenues. As long as the news sources are owned by the same media companies dependent on ad dollars for valuation and survival, there could be a potential conflict of interest. The recent collapse of stock prices, lost advertising revenues, increased cable and digital competition, and fewer viewers or readers have already caused media companies major problems.


They can ill afford to lose more. In spite of all these reasons why the threat of cyber terrorism is not adequately covered by the news media, occasionally there are stories that contribute to understanding the truth. Barton Gellman, Washington Post Staff Writer, wrote a story titled, “Cyber-Attack by Al Qaeda Feared”, published June 27, 2002. It clearly identified the problem. Unfortunately, to find it you had to get to the Internet online technology section of the Washington Post, but at least it was a start.

More recently The National Journal, not the traditional news media, ran a cover story (May 31, 2008) titled China's Cyber-Militia by Shane Harris which discusses how Chinese hackers pose a clear and present danger to the U.S. government and private sector computer networks and may be responsible for two major U.S. power blackouts. The story is reprinted in the CPT.

Cyber Terrorism - Part 3
Who are the hackers?


Most experts seem to agree we face an unprecedented threat from cyber terrorism, and we are all but helpless to stop it. Who are these “hackers” poised to bring the mighty America to its knees through a cyber space assault? Webster’s New World Dictionary defines a hacker as “a talented amateur user of computers, specifically, one who attempts to gain unauthorized access to files in various systems.” I think the definition falls far short.


Hackers are the new Messiahs of the cyber universe immersed in a quest to create like God. The fact they are creating illegal ways to access other people’s files is not a concern to them, as long as they are creating. Still, there is no convenient way to stereotype hackers.


I sense there are at least three distinct types of hacker: the Idealist, the Invisible and the Insidious. Popular books and movies glorify the first type, the Idealist. Hacking secured systems is a challenge to them, and when they are successful it is essential that they receive proper recognition for their prowess.


The need for peer recognition and ego ensure that they take credit for their handiwork. But in a distorted way they are not malicious in their intent. Their goal is not the destruction of property or disrupting lives, although that may very well be the consequence of their efforts.

Far more dangerous are the Invisible types. To them successful hacking is not merely to penetrate a secured file or system, but to go undetected in the process. Thus they are able to come and go at will. Government, quasi-government and shadow government agencies fall into this category. They all want to know everything you are doing. There is no system or network in the world safe from their prying eyes.


Thanks to the digital revolution, our constitutionally guaranteed Bill of Rights is now obsolete. There is not a phone call, bank transaction or Internet communication safe from Big Brother. Private corporations have their own Invisible hackers as well, so it is not just the government monitoring your life.


Curiously, all those politicians claiming to be defenders of freedom, and that includes Republicans and Democrats, liberals and conservatives, are mostly silent about the wholesale invasion of privacy now underway.


Fortunately, the eavesdroppers are so successful at capturing all calls, emails and transactions that the sheer volume is beyond their processing capability. For now our dwindling freedom is protected more as a result of bureaucratic constipation than political action. Super computers will soon eliminate that processing limitation, and everything about your life will be an open book.


The last category of hacker, the Insidious, is the most dangerous. Insidious hackers possess the skills and resources of the Idealist and Invisible hackers, but their motivation is without conscience. To them the art of hacking is a tool to get what they don’t have but want, or for bringing about war and destruction.


Criminals and fanatics, and often they are one and the same, go beyond the game of hacking through computer security barriers. Penetrating the systems is not enough. They steal the information, divert money or damage their targets in a way that they cannot be caught. Or they become cyber mercenaries for a terrorist cause and will use hacking to wreak havoc, devastation and destruction on unsuspecting victims.


Lives destroyed and the resulting human deaths are nothing more than digital statistics in a higher cause being served. Unfortunately, the combined power, resources and might of the vast American intelligence, law enforcement and defense communities are of no advantage when confronting cyber criminals or cyber terrorists.


The Insidious hacker is incorporeal, without material body or substance in the cyber universe. They have no base of operations, no geographic limitations and no political boundaries to restrict them. You cannot identify them with metal detectors or profiling and you most certainly cannot stop them with current computer security techniques and technology.