Monday, April 30, 2012

You don't know what you don't know - or why Bruce Schneier's blog is worth reading daily

FROM BRUCE:

JCS Chairman Sows Cyberwar Fears

Army General Martin E. Dempsey, the chairman of the Joint Chiefs of Staff, said: A cyber attack could stop our society in its tracks.

Gadzooks. A scared populace is much more willing to pour money into the cyberwar arms race.

FROM BRUCE's READER:

What I always want to ask folks who make these cyber-disaster claims is "How?". What is the use case where a cyber attack has a widespread impact on the lives of Americans? I'm not talking about a cyber attack that's news-worthy, and has "society stopped" because it's watching the drama unfold on TV. I just can't follow the hypothesis that a cyber attack can be more than a massive inconvenience.

Point of calibration: last year my power was off for 5 days because a storm damaged the one-and-only electric power switching sub-station that powers my neighborhood and it wasn't easy to replace the switchgear that failed because adequate parts and skilled workers weren't available. This was a huge problem, forcing me and my neighbors to share gas generators to keep the food in our freezers cold. It cost me hundreds of dollars in food and fuel that I wouldn't normally have bought. That said, it was not an existential threat to the very tracks that society runs on in my neighborhood. Cyber disaster needs to be more than that!

Case #1: Evil-doers find a flaw in the border gateway protocol and use it to flood the IP routing fabric with incorrect data. This could lead to no practical paths between systems on different subnets, and the end of the Internet as it currently stands.

Outcome: Using our lights, and our phones for those folks who didn't jump to VOIP, the people who make routers have to figure out and fix the problem. It's Cisco, Juniper and a handful of other folks who already know who each other is. Press the answer onto CDs and use FedEx or the Post Office to send them to all your customers. A week later, the Internet is all better, and nobody dies. When I had to live without power, I had to live without the Internet because it seems all my Internet infrastructure runs on electricity.

Case #2: Evil-doers use the Internet connected electric power infrastructure to switch off all the power in the US. I'm not even going to mention how hard this is, every electric power installation is unique, and they all use redundant sources of supply, but SCADA is a potential problem.

Outcome: Lots of angry people, more than Case #1, call to complain that the power is off (unless they went to VOIP). The electric companies unplug their routers and turn the electric power back on. It probably takes 24-48 hours, because those networked SCADA devices are labor saving. Half the impact of my storm.

Case #3: Evildoers mount a sustained, covert, untraceable (ok I'm in sci-fi here) attacks on the DNS infrastructure of the internet block all access to the root server infrastructure. Nobody can figure out what IP goes with "www.schneier.com".

Outcome: Write this down (204.11.246.48). Well, what really happens is that the ISP who serves you already has a non-authoritative DNS that it uses to reduce outbound bandwidth. Those folks simply become the decentralized source of your DNS. It doesn't propagate as quickly, and so now it takes a month before some new www.whacky123business.com domain name works everywhere. The Internet is less cool, and the DNS admin industry (or mafia, depending on your point of view) wants somebody's head on a platter. The rest of us are back on the internet, and maybe there is a story on page 6 when the evildoer dies in a house fire with a horse's head on his bed, to mix my mafia metaphors.

Bottom line, Where's the real disaster? It's not time for the annual April 1 contest, but we need to figure out what these generals could be talking about. If it's sci-fi, then it needs to go back to the fiction section. WWII was an attempt to destroy society, and at least some folks thought the use of nuclear weapons was a reasonable tactic. I want to read the cyber problem for which folks think a 50TJ nuclear blast is the appropriate response. I just don't think it exists.
