Thursday, January 28, 2010


Call reporters at really important newspapers for the dosage:

Monday morning earlier this month, top Pentagon leaders gathered to simulate how they would respond to a sophisticated cyberattack aimed at paralyzing the nation’s power grids, its communications systems or its financial networks.

The results were dispiriting. The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation. What’s more, the military commanders noted that they even lacked the legal authority to respond — especially because it was never clear if the attack was an act of vandalism, an attempt at commercial theft or a state-sponsored effort to cripple the United States, perhaps as a prelude to a conventional war.

What some participants in the simulation knew — and others did not — was that a version of their nightmare had just played out in real life, not at the Pentagon where they were meeting, but in the far less formal war rooms at Google Inc. Computers at Google and more than 30 other companies had been penetrated, and Google’s software engineers quickly tracked the source of the attack to seven servers in Taiwan, with footprints back to the Chinese mainland.

Wow, who wrote that?

John Markoff et al at the New York Times this week here.

In round one, the cyberterrorists took the 911 server down, and Harbortownians got busy signals and hang-ups instead of emergency operators. Obvious virus emails with the subject line "Download this file" arrived in my inbox. Electronic highway signs suddenly read BIOTERROR EVACUATION WARNING. A posting appeared on the city's Web site warning of a bioterror incident at the local mall. We eventually realized it was a hoax – but not before evacuating the mall. Annoying, but not worth creating a new military-industrial complex over.

Then the terrorists took the conversation offline. In round two, a couple of trucks exploded near a basketball arena. The blasts killed 100 people, injured several hundred, and destroyed the police command post, taking radio communications with it. Traffic, snarled after the mall bioterror scare, got even worse.

In round three, the hospital lost power, with only enough fuel to run backup generators for 48 hours. The police chief and the mayor started bickering over whether to implement a curfew and travel restrictions, and the city's Web site unaccountably declared a mass evacuation. Two nursing homes lost power, and patients at the hospital started dying mysteriously.

The game couldn't end soon enough. I don't think we won.

Wow, who wrote that? Some lower upper-tier journalist, Chris Suellentrop, for Wired way back in 2006.

It merited a takedown at el Reg:

In any case, what [the participant in the exercise] doesn't seem to realize, at least he gives no inkling in his writing, is that all such simulations, when run for journalists or officials, are rigged so the participants can't win.

Such things are role-playing games, and if you take part in one, your role is to be the patsy, one of the designated players allowed to go "Oh my!" as the simulation's world comes crashing down around you.

Dick Destiny won't go into it, but it hasn't seen one yet where the object wasn't to simply create an escalating disaster that flummoxed players, no matter what they did. They never take into account the natural resilience and expertise which may exist within the citizenry.

That was here in "Cyberterror sim scares pants off of Wired smarty."

I always liked that title.

That's been two hours you've been unable to get on-line now. So much for always-on, you think, as you go to fill the kettle. You turn the tap and - nothing, there's no water. And that's when the lights go out. Now the phone line is down, too. There's always the mobile - but why is it dialling 999 all by itself?

From the Guardian in 2003 here.

How exciting! How daring it is to write about the possibility of the end of everything from digital attack! It just sings its way off the page.

Code-named 'Cyber Storm II,' this is the largest-ever exercise designed to evaluate the mettle of information technology experts and incident response teams from 18 federal agencies, including the CIA, Department of Defense, FBI, and NSA, as well as officials from nine states, including Delaware, Pennsylvania and Virginia. In addition, more than 40 companies will be playing, including Cisco Systems, Dow Chemical, McAfee, and Microsoft.

In the inaugural Cyber Storm two years ago, planners simulated attacks against the communications and information technology sector, as well as the energy and airline industries. This year's exercise will feature mock attacks by nation states, terrorists and saboteurs against the IT and communications sector and the chemical, pipeline and rail transportation industries.

"The exercises really are designed to push the envelope and take your failover and backup plans and shred them to pieces," said Carl Banzhof, chief technology evangelist at McAfee and a cyber warrior in the 2006 exercise.

Cyber Storm planners say they intend to throw a simulated Internet outage into this year's exercise, but beyond that they are holding their war game playbooks close to the vest.

Individuals who helped plan the scenarios all have signed non-disclosure agreements about the details of the planned attacks. They will act as puppeteers apart from the participants ...

That was here.

In 2002, there was this by one of the coiners of devastating cyberwar scenarios, Richard Clarke:

A mock cyberwar enacted by faculty of the US Naval War College and analysts from Gartner does not appear to have fulfilled the Clancyesque predictions of mass devastation envisioned by the leading security paranoiacs of the Clinton and Bush Administrations.

The exercise, named "Digital Pearl Harbor," apparently in tribute to US CyberSecurity Czar and Chief Alarmist Richard Clarke, brought together a team of experts in several areas related to critical infrastructure for a three-day hackfest.

The red teams were divided into telecomms, Internet, electric power and finance sub-groups. To make the exercise as realistic as possible, the popular Hollywood and National Security Council cliches of brilliant geek-misfits wreaking mass mayhem from some deluxe hobbyist dungeon was abandoned. Instead, the attackers came from the upper levels of the tech world: engineers, programmers, mathematicians, many with PhD degrees and decades of practical experience to their credit.

It concluded:

To sum up, the Naval War College's Craig Koerner pointed to the need for "synergies" in making the attacks interoperable, hence feasible. For example, the group would likely attack the Internet last to preserve it for other, continuing attacks. He pointed out that while local attacks are possible, it's virtually impossible to bring off any lasting, nationwide horror. The stereotypical scenario of a crew of hackers bringing down the national infrastructure is quite ludicrous, despite the apparently perjured testimony before numerous Congressional Committees ...

Ah, say readers, I smell a whiff of DD's meddling in that. Yes, I'd been sending articles on the subject to the author -- at el Reg -- as far back as 2002.

And the entire piece is here.

As for Richard Clarke, he became even more famous, did not win an election for John Kerry by appearing on 60 Minutes to embarrass the Bush administration, and in 2007 recycled his cyberwargames into a novel, Breakpoint.

It's called synergizing.

For Breakpoint, Clarke returns to his cyberczar roots. But in this story, someone gets to do something about the digital mayhem, not just scream "electronic Pearl Harbor," make policy recommendations no one listens to and be keynote speaker at security conventions.

Clarke supplies a team of outside-the-bureaucracy do-gooders: a dauntless central heroine, one NYPD cop for muscle and one hacker, a nebbish named Soxster. Soxster's purpose is to be the magic wand, no more and no less. Whenever there are villains to be traced, or information needed when the group is against the wall in the race against the terror clock, Soxster furnishes both so the story may proceed.

Naturally, the US government is delinquent and ineffective. Clarke refers to the FBI as either feebs or fibbies.

[Finally], the power is cut off to half the nation.

A review of the book containing these passages is here. At el Reg.

Eligible Receiver is the code name of a 1997 internal exercise initiated by the Department of Defense. A "red team" of hackers from the National Security Agency (NSA) was organized to infiltrate the Pentagon systems. The red team was only allowed to use publicly available computer equipment and hacking software. Although many details about Eligible Receiver are still classified, it is known that the red team was able to infiltrate and take control of the Pacific command center computers, as well as power grids and 911 systems in nine major U.S. cities.


On the same page, an old assistant secretary of defense for the Clinton administration, John Hamre, who had been one of the early big bell-ringers for cyberwar, expresses doubts about ... well, Eligible Receiver-like stuff.

Terrorists are after the shock effect of their actions, and it's very hard to see the shock effect when you can't get your ATM machine to give you $20. When we had this last worm or whatever it was, I went down to the bank, tried to get money out of the ATM machine, and I couldn't get any money out. Well, it was frustrating to me personally, but it doesn't translate in the same way that flying an airplane into a building does ...

This was in 2003 for PBS Frontline, years after a career in the Pentagon where he'd done just the opposite -- been a fugleman for predictions of nation-busting cyberwar.

For the PBS interview, it was a bit like seeing the town whore suddenly signing up for seminars delivered by the Church Universal and Triumphant. One couldn't help but be impressed by the change while at the same time wondering how long it would actually last.

Now if it's possible, for example, to have rolling blackouts in entire cities, that, of course, does have more potential implications. That was much more likely four and five years ago. But in all honesty, I think we've done a lot to warn ourselves about this. In almost every one of these people that run big utilities, there's always some guy in the back that knows how to turn off the computer and turn on the electricity again.

Said Hamre in 2002 here.

"John J. Hamre (born July 3, 1950 in Watertown, South Dakota) is a specialist in international studies, a former Washington bureaucrat and the current president and CEO of the Center for Strategic and International Studies, a position he has held with that think tank since April 2000," says his Wiki bio here.

Remember my metaphor concerning the town whore signing up for the Church Universal and Triumphant.

How long would it last?

Oh, only a few years. Now the Center for Strategic and International Studies is one of the head floggers inside the cult of cyberwar.

Not much on the Paller-Scope today.

Alan Paller, director of research at the Sans Institute, has warned most commercial security tools are ineffective against these attacks and businesses need ... -- Computerweekly

The attacks on Google confirm the threat of pervasive and sophisticated espionage attacks on all organisations, said Alan Paller, director of research at Sans ... -- Ibid.

Cult of Cyberwar -- from the archives.

