Generally, if you work with technology for a living, you notice that people have two extreme reactions to all new electronic devices. The first is surprise that they can do anything beyond their expected functions, like gasping when smartphones browsing the web offer to make calls to the numbers one clicks. The other is a belief that the new device can do pretty much anything and everything under the sun, transcending mere bits, bytes and circuitry, and becoming indistinguishable from magic. Unfortunately for us, those now terrified of cyberwarfare seem to have the second extreme reaction, and if you want to know just how paranoid they can get, check out what former bureaucrat and current security consultant, Richard Clarke, says about the possibilities of a huge cyber-offensive in his attempt at a non-fictional adaptation of a Tom Clancy novel. Unbeknownst to IT experts, computers have suddenly gained the power not only to tear through any security measure, but also overcome incompatibilities between proprietary software packages and operating systems, and air gaps, while hackers are now supposed to level playing fields for nations with small militaries with their 1337 techno-wizardry.
While this notion grabs eyeballs, sells books and magazines, and scares the living daylights out of politicians who saw the flick Live Free or Die Hard one too many times, it’s total rubbish. Cyber-espionage is a very real thing and it does happen all the time when hackers or even computer science students recruited by a military adopt common hacker tricks to peer into classified networks. They use social engineering, a widely available packet sniffer like Wireshark, or a custom built one based on the open source library on which Wireshark was built, attempt spear phishing and whaling with employees of major security contractors, or look for any gap in secured networks that may lead to valuable intelligence. But there’s a huge gap between the very real threats posed by hackers looking for information much the same way Anonymous’ Antisec collective carried out a lot of its operations, and being able to just flip a switch and bring one of the largest, best armed, and most wired nations on the planet to its knees in just fifteen minutes like Clarke prophesizes. A review of his book on a top security news blog accurately alludes to the Book of Revelations when describing his visions…
Chinese hackers take down the Pentagon’s networks, trigger explosions at oil refineries, release chlorine gas from chemical plants, disable air traffic control, cause trains to crash into each other, delete all data, including offsite backups, held by the federal reserve and major banks, [and] then plunge the country into darkness by taking down the power grid from coast-to-coast. Thousands die immediately. Cities run out of food, ATMs shut down, looters take to the streets.
He forgot cats and dogs living together and the seven-headed, ten-horned beast ridden by the bejeweled and purple-robe clad Whore of Babylon leading Satan’s digital forces in a charge across Megiddo, but not bad as far as apocalyptic fantasies go. Problem is that all of this simply can’t happen unless the entire nation runs on only one massive command and control system that can be accessed via the web. Considering that the main software package in your office has trouble talking to that of another company, much less every company that works in the same industry as you, you can probably see the problem in this logic. Try and bring down power grids across the country. You can’t. They work in disparate blocks using different SCADA machines which are made by different manufacturers and use different software. The now infamous Stuxnet worm only targeted a single system, Siemens Step 7 and looked for only one type of instruction to disrupt. If the same instruction is a different argument type in Step 8, the worm will be rendered impotent. True, there are vulnerabilities in many of those SCADA machines because the manufacturers often didn’t bother fixing them and their customers do not want to update for fear that their perfectly calibrated systems may break, costing tens of millions in repairs and downtime, but the sheer variety and number of them makes a one-size-fits-all attack impossible.
Even though it was found that thousands of SCADA machines are not really air-gapped, they were made by different vendors, have different vulnerabilities, and represent only a tiny fraction of all the SCADA machines in use right now. An army of thousands of hackers working around the clock couldn’t do even a tiny fraction of the damage Clarke envisions just because the technology they’re attacking is so disparate and varied. And to hit banking systems to empty out ATMs they would need to attack massive international funds exchange entities responsible for standardizing inter-bank communications, no easy task by any means. To disable GPS, they’ll need to task down dozens of military operated and tracked satellites, and to take down air traffic systems they would need to disable tens of thousands of radar towers across the nation, also operated by a wide variety of software and hardware. I really don’t think Clarke and those who quote his hyperbole realize just how vast our wired infrastructures are and how many millions of targets would need to be hit simultaneously to do serious or lasting damage to them in a very short span of time, many of which would be air gapped and really difficult to exploit. And when the hackers actually bump into decent security and honey nets, they’ll need hours if not a full day or two to find the appropriate zero-day exploit to continue their attack. Again, this isn’t simple stuff.
Sure it’s scary when Antisec rummages through the web and takes down the websites of the CIA and FBI, but you have to keep in mind that most of the sites hit by Anonymous members were targeted with a social DDoS tool which simply overwhelms web servers rather than actually destroying databases or interfering with how a site does business logic on the backend. Big enough websites are pretty much impossible to shut down with this method because their enormous networks could simply absorb the attacks, and tearing down posters for any major government agencies in no way compromises the data they actually keep classified on the internal networks they use in their daily work. The sites that are hit by hackers who do steal valuable information either used very lax security or didn’t update their security tools against new threats, and the hacks were the results of their complacency. For well-maintained and well-updated sites, a hack isn’t a simple matter of using a new script like a lock picker would select a different tool, it’s a slow and steady research project where the gap will be found by trial and error rather than a simple brute attack. No network and no device will ever be 100% safe and secure, but neither is every network an easy target for government hackers on a mission.