Dear unnamed power company/ies: Thank you for providing me an opportunity to post one of my favorite videos.
You were warned about the possibility of security threats to your systems. Repeatedly–the video above is just one such warning. What’s it take to get through to you–a clue-by-four alongside the head? A massive, lengthy power outage you can’t resolve for days or weeks, with consumers calling for managements’ heads on pikes? A complete tank of your company’s stock value? The Department of Energy on your doorstep, taking possession of your site as it investigates you?
I love this part at 32:28 into the video where Ralph Langner says,
“…many things we thought about cyberwarfare earlier just were proven wrong. …”
Everything you thought you knew about infosec/cybersecurity needs to be revisited. The assumptions you’ve been using are clearly wrong.
Now get a frigging clue and revisit your security policies. STAT. You can start with checking these:
— No USB or other external media which have not been deeply screened for infection.
— External network connections to production equipment are to be avoided at all costs. Connections between the corporate business side and the power grid should run over a closed, dedicated network. Revisiting whether the traditional isolation of production networks is still adequate might be worthwhile.
— No third-party contractors permitted on site that do not comply completely with power company security policies, including spot inspections. (You do spot inspections, right? Contractors are screened coming in and out of facilities, right?)
What are you doing here, reading this? Get to work. RUN.
Dear U.S. Department of Energy: Um, hello? Did your brains’ functions suffer irreparable damage from exposure to BP’s dispersants?
It’s the only excuse I can think of as to why security measures and subsequent audits of the nation’s power grid for infections and intrusions from network and external devices haven’t removed these threats.
By the way, this 2009 document making suggestions to power companies about security measures is now out of date and needs to be revisited, in light of the Senate Intelligence Committee’s authorization of cyber weapon deployment and subsequent blowback risk, let alone the case of USB devices laden with crimeware.
Dear Fellow Americans: I really hate feeling like Cassandra. I’d love to see the power industry and our government prove me wrong by preventing outages related to security breaches about which they’ve been warned. At the rate they’re going, you’re going to end up on the short end of the stick, without electricity to read my anticipated future post which I expect to entitle, “I told you so.”
You might want to contact your government representatives and ask them what they know about power grid security and if they’ve actually done anything to investigate the safety of power in their district. If their understanding is shaped by the Department of Energy’s latency, they need to be brought up to speed and pronto. Don’t wait until you don’t have the juice to read my next post on this topic.
One weaselly senator–with long-identified agendas and a pathetically thin understanding of technology–takes to the microphone. Suddenly, by virtue of wrapping his senatorial lips around a few scary words on topics about which he knows little, we citizens are supposed to quake in fear and plead for salvation.
Screw that noise. This is textbook “fear, uncertainty, and doubt” — more commonly referred to as FUD in the information technology industry.
Since the 1970s, FUD tactics have been used to suppress competition in the computer marketplace, targeting both hardware and software. Roger Irwin explained,
…It is a marketing technique used when a competitor launches a product that is both better than yours and costs less, i.e. your product is no longer competitive. Unable to respond with hard facts, scare-mongering is used via ‘gossip channels’ to cast a shadow of doubt over the competitor’s offerings and make people think twice before using it. In general it is used by companies with a large market share, and the overall message is ‘Hey, it could be risky going down that road, stick with us and you are with the crowd. Our next soon-to-be-released version will be better than that anyway’. …
FUD has non-technology applications as well; one need only look at product and service brands that encourage doubts about using any product other than their own, in lieu of actually promoting the advantages their product or service might have.
So what’s the FUD about? Senator Joe Lieberman spouted off about cyber attacks in September last year, claiming Iran was behind disruptive efforts targeting U.S. banks.
Right. Uh-huh. Predictable, yes?
But FUD is used in situations where there is competition, one might point out. Yes, exactly; in September 2012, the case for support of unilateral attacks against Iran was up against the news cycle crush, powered by the post-Benghazi fallout and the drive toward the November general election, followed by the terror that was the “fiscal cliff.” That’s a lot of powerful, compelling competition for attention, votes, and tax dollars, at a time when members of a reliable but lame duck Congress could be mounting up a pre-emptive cyber war without the headwind of public awareness and resistance, or the too-inquisitive pushback from newbies in the next seated Congress.
I sort of get the feeling that the entire legislative effort on cyberwar is going on in a classified annex.
Nevertheless, even from what we can see, we’ve got a dispute. As I noted a few weeks back, The House Armed Services Committee included a provision that explicitly granted DOD the power to conduct clandestine cyberwar activities in some situations, but required quarterly briefing on such activities.
SEC. 962. MILITARY ACTIVITIES IN CYBERSPACE.
(a) AFFIRMATION.—Congress affirms that the Secretary of Defense is authorized to conduct military activities in cyberspace.
(b) AUTHORITY DESCRIBED.—The authority referred to in subsection (a) includes the authority to carry out a clandestine operation in cyberspace—
(1) in support of a military operation pursuant to the Authorization for Use of Military Force (50 U.S.C. 1541 note; Public Law 107–40) against a target located outside of the United States; or
(2) to defend against a cyber attack against an asset of the Department of Defense.
(c) BRIEFINGS ON ACTIVITIES.—Not later than 120 days after the date of the enactment of this Act, and quarterly thereafter, the Secretary of Defense shall provide a briefing to the Committees on Armed Services of the House of Representatives and the Senate on covered military cyberspace activities that the Department of Defense carried out during the preceding quarter.
(d) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to limit the authority of the Secretary of Defense to conduct military activities in cyberspace.
That seemed to be a response to earlier claims by DOD that it didn’t have to brief such things to Congress.
As it happens, that’s another of the sections of the Defense Authorization to which the Administration objects (though they did not issue a veto threat on it).
Military Activities in Cyberspace: The Administration agrees that appropriate military operations in cyberspace are a vital component of national security, but objects to Section 962. The Administration has concerns about this provision and wants to work with Congress to ensure that any such legislation adds clarity and value to our efforts in cyberspace.
The choice by administrations to conduct cyberwar under DOD’s auspices rather than CIA’s as a way to avoid oversight is something that John Rizzo (!) warned about. And the bill has already given the Administration an extra three months of secret cyberwar before it has to start briefing Congress compared to the original bill.
What kind of war is Obama waging in cyberspace it refuses to tell Congress about?
I’ve been meaning to return to our government’s contracting for persona software for a while. Last week RawStory had a good story providing details of the persona management contract the Air Force put out for bid. RS reveals that the contract was awarded to Ntrepid, a firm in LA with the kind of website that screams “cover.” And it has this from CENTCOM’s digital media engagement team.
According to Commander Bill Speaks, the chief media officer of CENTCOM’s digital engagement team, the public cannot know what the military wants with such technology because its applications are secret.
“This contract,” he wrote in reference to the Air Force’s June 22, 2010 filing, “supports classified social media activities outside the U.S., intended to counter violent extremist ideology and enemy propaganda.”
Speaks insisted that he was speaking only on behalf of CENTCOM, not the Air Force “or other branches of the military.”
While he did reveal who was awarded the contract in question, he added that the Air Force, which helps CENTCOM’s contracting process out of MacDill, has even other uses for social media that he could not address.
It’s secret, Speaks says, even the stuff that gets contracted openly.
In a post that looks like pushback against the concerns raised in the RS story, Jeff Stein has the same spokesperson reassuring us that these Cyberwar tactics won’t be directed against us.
Centcom spokesman Cmdr. Bill Speaks acknowledged in an interview last week that the Air Force had a contract for the Persona Management Software, but denied it would be deployed against domestic online protesters.
“The contract, and the Persona management technology itself, supports classified blogging activities on foreign-language Web sites to enable CENTCOM to counter violent extremist and enemy propaganda outside the U.S.,” Speaks told SpyTalk. “The contract would more accurately be described as supporting U.S. Central Command, rather than the Air Force — the Wing here at MacDill provides contracting support for us — efforts.”
Speaks said the software would “absolutely” not be used against law-abiding Americans.
Only, it looks like Stein asked the obvious follow-up question and got something less reassuring.
Update: Speaks adds, “The phrase [law-abiding] suggests that we might use it against Americans who are not law-abiding. The truth is that these activities are not directed towards Americans, without qualification.”
And how do they know that? Do they refuse to interact online with anyone whose IP address shows them to be in the US? Our Cyberwar folks do know that the InterToobz are global, don’t they? I feel like this gets us back to the old reverse targeting problems with the government’s replacement to FISA, with a very easy loophole to not “direct” fake personas at US persons, but to influence them with fake personas nevertheless.
Which brings me back to the point I always return to in these discussions: to the evidence that DOD generally is hiding its Cyberwar programs from Congress, and the Air Force in particular has issued strict guidelines prohibiting its people from telling Congress about AF Special Access Programs.