Afterbytes with Marcus Ranum - Under Constant Attack
Title: Critical Infrastructure Computer Systems Under Constant Attack
Date: January 28 & 29, 2010
According to a report from The Center for Strategic and International Studies, utility companies’ and other critical infrastructure components’ computer systems are constantly under attack worldwide. The report, which was commissioned by McAfee, compiles information gathered from 600 IT and security executives at companies around the world. More than half of respondents believe that their countries’ laws are not effective in deterring cyber attacks, and nearly half believe that their countries do not have the ability to prevent cyber attacks.
Wow, did you realize that if you connect to the internet, you might come under attack?
Once again, we see the reality disconnect that is computer security. Are we to infer from the article that executives expect their government to somehow protect their internet connected systems from so many attacks? It's starting to sound like it's time to put the signs back up that read "Must be _ this tall to ride this ride." It is now and has always been the case that:
- Anyone connecting to the internet should expect to be attacked
- You pretty much can't "do anything" about the attacks
- The attacks will appear to come from someplace you have no jurisdiction over
The bottom line is as it's always been: it's your job to defend yourself, and you're crazy if you expect any kind of help from anyone. You're on your own, in other words. Of course your country's laws aren't going to deter cybercriminals - the people who are causing your problem aren't subject to your laws. Of course your government isn't going to be able to help you - the people who are causing your problem do not fear your government. It's that simple: you must be this tall to ride this ride.
Besides, the best that the government can do for anyone, at this point, is write an official harsh letter.
Since the cyberattack hype bandwagon is in full swing, I figured it wouldn't take long before corporations started looking for a cybersecurity bail-out; remember how much money was going to be saved by remote-linking those power-grid nodes over the Internet? Maybe it was a false saving after all. A couple of months ago I was chatting with a pretty clueful fellow who had worked on some of the power-grid systems, and he was bemoaning how much it was going to cost to beef up the security and flog the deeply embedded hackers out - "the customers are not going to want to foot the bill for this one!" he said. I couldn't help but reply, "well, why can't the power companies pay for it from the money that they saved by using the internet instead of private dedicated links?"
Here's another prediction for you: the corporations will be next in line with their hands out for a cybersecurity bail-out. And, let me tell you another trade secret of how to be an industry "thought leader": predict things that are already happening.
A couple of months ago, when I started tracking the "Chinese cyberwar" kerfuffle, I said that it sounded like budget pumping to me, and I stand by what I said. The U.S. Navy has now announced that it has established a "cybercommand" like the other branches of the DoD, and thanks to the new red scare the budget faucet is flowing merrily.