the curious case of the cyberattack that never was

The problem with the supposed Russian attack on an American water treatment plant isn't the false alarm; it's how Congress and the DHS reacted to it.


Supervisors at a water treatment facility in Illinois knew that something was wrong when a pump stopped working for seemingly no reason. Their concerns only grew when they checked the logs and saw that improper commands had been issued to the SCADA machine controlling the now broken pump. Even more disturbingly, the logs showed that someone from Russia had accessed the machine months before. Obviously this was a case of sabotage designed to test how vulnerable American infrastructure was to a Russian version of Stuxnet. But why didn't the hacker clean up the logs to hide his point of origin? Could it be a false flag operation? Or did he just get sloppy? Or was there no hacker at all, and the logs simply showed a plant contractor doing his job from a family vacation in Russia, while the DHS ran with the hacker story based on no evidence of an actual hack taking place and stuck to it even in front of Congress? Yeah, I think the title of this post kind of gives this one away, and the link makes the answer even more obvious…

Here are some important questions we need to ask about this incident. Why does an agency that should protect us from external threats go straight into paranoia mode without doing any proper investigation? Why are taxpayers shelling out tens of billions of dollars on experts who can't seem to make a few phone calls and instead publish their first suspicions as facts? Why does the agency that employs them disavow the report to the media but tell Congress that a Russian cyber-army was testing its weapons against American infrastructure? And why are its fusion centers, in which data is supposed to be shared between agencies so they can act on threats faster, producing little to no actionable intelligence? If the DHS is basically just a piggy bank for anyone who can claim to be a security consultant, why are we footing the bill for it? Why can't we just beef up existing agencies at a lower cost and let them access each other's systems? And finally, why is it that when these questions are asked aloud, we hear nothing but excuses and talking points?

# tech // cyber warfare / cyberattack / dhs

