Panetta Misses Underlying Problem with Cyberwhines

We can play a game we often play here at emptywheel with Leon Panetta’s address on cybersecurity last night. For each major attack he discusses or potential threat he envisions, there is an equivalent one that has or could easily happen without the cyber component.

Panetta talks about the Shamoon malware that hit Aramco, infecting 30,000 computers.

But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian State Oil Company Aramco. Shamoon included a routine called a ‘wiper’, coded to self-execute. This routine replaced crucial systems files with an image of a burning U.S. flag. But it also put additional garbage data that overwrote all the real data on the machine. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers.

But how did that do more damage than the Richmond Refinery fire and subsequent spike in gas prices, likely caused by a corroded pipe neglected in a recent turnaround? How did that do more damage than the damage BP, Transocean, and Halliburton did when their negligence led to the Deepwater Horizon spill, which still appears to be leaking 31 months later?

Panetta talks about DDoS attacks on banks that disrupted customer websites.

In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called Distributed Denial of Service attacks.  These attacks delayed or disrupted services on customer websites.  While this kind of tactic isn’t new, the scale and speed with which it happened was unprecedented.

How is this worse than the damage done by repeated flash crashes and other irregularities caused by high frequency trading? To say nothing of the damage done by reckless gambling during the housing crisis, which wiped out trillions of dollars in wealth?

Panetta talks about passenger or transport trains derailing.

They could, for example, derail passenger trains or even more dangerous, derail trains loaded with lethal chemicals.

Apparently Panetta is unaware that trains derail all the time, and even spill dangerous chemicals, often because of operational or maintenance issues.

To some degree we could continue this game indefinitely, always finding an equivalent threat to the imagined or real threat posed by a cyberattack.

But there is a logic to the game: it reveals not only that Panetta is fearmongering while ignoring the reality of equally or more dangerous non-cyber threats.

It also suggests that he–and frankly, the rest of government trying to address this problem–misunderstands why corporations are not responding to the serial fearmongering about cyber. If corporations refuse to take obvious precautions against cyberthreats, but also refuse to take obvious precautions against non-cyberthreats, it suggests the problem is not the cyber component in the least.

The problem is that these corporations don’t want to–and in many cases refuse to–take obvious precautions against risk in general.

This suggests, then, that these corporations have not been given a sufficient combination of carrot and stick generally to mitigate obvious risks. And giving them immunity for cyber-negligence is likely not going to mitigate the threat reckless, negligent corporations pose to our society, whether because our enemies cause them to do things, or whether they do them of their own accord.

The problem is a culture that encourages corporations to skirt all accountability. No amount of fancy programmers are going to change that by themselves.

12 replies
  1. Gimme Shelter says:

    The problem is a culture that encourages corporations to skirt all accountability.

    actually, the “problem” is that corporations have so much $$$$ that they can crush anybody or anything that tries to sue them – exxonmobil employs over 80,000 attorneys – can you, as a single American, compete with that??? not a chance in hell.

    so, corporations can simply bury the american court system and simply outlast you or anything or anybody.

    american / global corporations no longer care about “risk” / social responsibility as everything you listed in this post no longer costs them anything – no $$$, not their jobs, not their reputations, wall street does not impose any penalty – so what is to stop them??? nothing.

  2. P J Evans says:

    Actually, there’s a second cause to the gas price spike – there was a power failure at another major refinery here in CA, which cut the supply further.

  3. KWillow says:

    You know, my husband works in the field of Cyber security, and is very good. He’s often “consulted” by this corporation or bank or that, but he’s found that all-in-all, these companies/organizations mostly care about having the appearance of security, rather than real security. And when they do want the real thing, they want a program (code) built from scratch, basement to attic, rather than modifying perfectly good off-the-shelf security applications.

    In short, they’re just as careless & dumb as the Wall Street folk, probably for the same reason: they know the Gov’t will rescue them if they crash.

  4. Frank33 says:

    October 2012, the President declares it is National Cyber Games Awareness Month. We all need to help play computer games more securely because law enforcement, with Bill Gates’ backdoors, and zero day exploits, cannot do it alone.

    Cybersecurity cannot be guaranteed by government, industry, and law enforcement alone. Each of us has an important role to play in reducing the cyber threat and increasing our resilience following cyber incidents.

    To be helpful, I have color coded the levels of threats against Critical Systems and Financial Transactions and citizens’ private data. Of course the Government requires total security of classified data on networks with millions of users.

    RED: This is defined as zero security for computer games played with Microsoft or any closed Operating Systems. Criminals, corporations, and Script Kiddies can easily break into and control these computer games.

    YELLOW: Open source platforms such as UNIX can fix security problems as they occur. This is partial security that allows some ability to be confident that your games will not be hacked. However these Operating Systems require skill and tricks but they can be successfully invaded. There is always the possibility that “bad actors” who pose as trusted agents, can update your games with bad games.

    GREEN: This is total computer game security. This level is invulnerable to all malevolent attackers and users can have complete confidence. Green is achieved by throwing away all computers, and cell phones and wireless devices and anything with a CPU. Critical Systems and financial transactions must be monitored by humans for level Green.

  5. Bob Schacht says:

    I interrupt your regularly scheduled, fascinating, and interesting program, with this just in: St. Louis came back from an early 6-0 deficit to win 9-7 in the ninth inning! In this game, they showed the same kind of relentless tenacity that they showed in the playoffs last year. I warned you about a month or so ago that this could happen again!

    Thanks. Now we return to the subject of this important thread.

    Bob in AZ

  6. Eric Hodgdon says:

    @Gimme Shelter: I agree, except no one and no thing is invincible. Weak spots exist. Find them and exploit them.

    They and their federal government minions declared war on the people of the United States of America.

    Gene Sharp and others use the term ‘pillars of support.’ Knock out enough pillars, and whoops they go down.

    Join the struggle, my friend.

  7. person1597 says:

    Eliminate the cpu, eh? Imagine all those digital products… gone in a flash… What would remain? Just us!

    And, maybe, old fashioned justice…(?) (Better keep the post office running!)

  8. earlofhuntingdon says:

    Accountability for corporations? Always a sick child inside the beltway, it went out when pay to play came in. Enron, MCI Worldcom and their ilk were exceptions. But what goes around comes around, so I’m happy to keep poking the public’s stick through the helmeted visor of open, responsible government.

  9. jerryy says:

    Also missing from the conversation is how much of this is brought on ourselves, by our own actions.

    Do not forget that our government employs crackers that do attack other countries in one way or another. We may not like it that some Chinese counterpart takes the equipment or code we use to break into their systems or spy on them and use it to spy on us. But it happens.

    Code that can take out an Iranian network can also take out an American network. Pretending things are one-sided will ensure that one side keeps getting blindsided.

  10. masaccio says:

    Gee, no tv again this week. How’d that Irish/Tree come out for you bmaz? It looks like those Pac somethingoranothers haven’t played a team with a decent defense. Or maybe they don’t like that rain?
