I think every free American owes Frontline a debt of gratitude so I hate to and have no right to complain, but you guys are really missing the mark on computer security. Didn't we learn anything from the Y2K hype? Anything's possible and all I've seen so far are a bunch of 'bs'ers shouting the sky is falling. One sure thing about computers is just about everybody is an expert and if you ask them they'll tell you all they know.
Humanity and social fabric is fighting a losing battle against technology. Human rights, dignity, freedom, democracy, free enterprise, affluence are all in serious jeopardy because of technology's stranglehold on the individual. We can't afford mass hysteria, ignorance, and misinformation.
You guys need a computer expert on your staff, someone who's bent towards history and the computer's effect on society. This is an issue far reaching and we need you guys, more than ever, to do a better job and not just give a bunch of self-appointed experts a platform.
Bureaucratic incompetence is our most dangerous obstacle in the information age.
Bear in mind that if Ronald Reagan couldn't bring down any airplanes by firing all the air traffic controllers, some yahoo with a dial-up connection isn't going to be much more successful. If Y2K didn't crash our electrical grid, why is a 'terrorist' going to be any more successful? Clarke's basic premise just doesn't hold any water.
Excellent reporting! Excellent Website!!
The more dependent a society is on complex, interdependent and open systems [techno, social] the more vulnerable it is to cascading disruptions of all description. This is not a surprise; a commonly ignored fact of systems yet not new. ... Cyber war has catastrophic potential to collapse any or all our infrastructure systems: communication, technical, utility, financial, social, civil, governmental. Imagine [shudder] cyber assaults in conjunction with either 'natural' i.e. SARS or 'engineered' plagues i.e. smallpox. If such a scenario can be imagined by naive, sheltered, isolated Americans, then it is also probable that someone (nation, organization, group, cult, whacko) has already gone far beyond mere thought. No effective response possible! The vulnerabilities of the developed Western economies are too great to be adequately defended. Our categorical, moment-to-moment total dependency on externally sourced inputs and connections is set in concrete and ultimately terminal. Combined with the collective global animosities America has unwittingly cultivated, civilization teeters, indeed!
Thanks to FRONTLINE . . . now none can claim we didn't know.
"The truth is that our race survived ignorance; it is our scientific genius [systemic vulnerabilities] that will do us in." Stephen Vizinczey
I found your show on cyber war fascinating for several different reasons and the different slants of the e-mails in this discussion cover several of those reasons.
One of the main messages that came from the show was that the Internet is truly operated in the private sector and for the most part the Federal government has put forth the notion and stance that the private sector should be where innovation and responsibility for security on the "Net" exists and should take place.
Although I heartily agree with that message, the actions of several state governments seem to be in direct contrast to that notion. With some of the new legislation that is falling under the "Super DMCA" nomenclature several state governments such as Illinois, Colorado, Delaware and Michigan are attempting to take the federal laws meant to encourage and support private sector growth in the security of the Internet and change the meaning of those laws to completely usurp and inhibit the "private sector" work that has and is taking place at this time.
The overly broad ramifications of such ill-informed legislation will have long term effects on the innovation and distribution of some of the cutting edge technology taking place in the private sector.
There is an article in Eweek that just came out about this very subject and how these erroneous and misdirected state laws are already stopping distribution of "open-source" programs such as Tom Liston's LaBrea, which is specifically designed to hinder the spread of viruses and worms such as Nimda on the Internet.
Under the guise of "helping" to secure the Internet for the users within these states these local laws are already placing severe regulation on the Internet and its growth.
The federal government can take any stance it wishes with regards to not regulating the Internet, but without following their own advice and ensuring that state and local legislative bodies cannot place erroneous and harmful local regulations on the very people that are working to make sure that cyber war can be dealt with before we have any of these "major attacks" we are doomed to fail and to have to place overly broad Federal Regulation on the Internet just to counteract what the well meaning if uninformed state governments are doing.
We continue to hear how the "Net" should not be regulated and all the while these state and local laws are being passed which accomplish that very regulation.
This could certainly be another conversation point or subject of a future Frontline show.
Your program on Cyber Security was good in bringing this issue to a higher level of awareness with industry and government. I have a little better perspective than many of the gentlemen you interviewed in that I have designed, built, installed and operated several SCADA and EMS systems that now operate major portions of the United States power grid as well as some in overseas countries.
I am afraid that Mr. Clarke and the Gentleman from Sandia go too far in their assessment that the sky is falling. I also take exception to the idea that Sandia can at will take down systems that I have worked on. In tests with them and other University and security agencies we have in the past identified vulnerabilities in power utility "business" systems and in each case these have been addressed although inadequately.
However, the Control Systems you directed your program at and that I have been responsible for have never been breached, to even closely, the threatening extent your interviewees would like the public to believe. They have raised a number of theoretical threat issues that have not been shown to be even close to realistic. The Control Systems are tested before going into production and are tested and audited on a daily basis while in production. Ten years ago private utilities were not taking network security issues nearly as seriously as they do today.
Another example is that none or very few of the major Control Systems referred to in your program run on Microsoft operating systems. Only the peripheral business systems do. In addition an engineer with the experience of Mohammed is not capable of hacking one of these major control systems just because he worked on a similar system in a water plant. That these systems can be broken into is indeed open to debate.
Realistically however, the starting point requires one to two million dollars of hardware and software and months of dedicated effort by an individual with expert experience in Communications, Network, Electrical, and Electronic Engineering as well as expert level knowledge of several protocols, system configuration, Computer Engineering and Programming at barely above the machine level. A support staff of highly expert engineers and technicians are also required. In many cases the companies that are operating these systems have only one or two people on staff at any one time that are remotely capable of this task.
The most likely problem scenario would be a disgruntled Grid System Operator that intentionally could take direct action through these systems while on duty using authorized access inappropriately. Personnel evaluations of operating personnel at some companies do need to be improved. But, even here the ability to affect major portions of grids is limited to a given operating region and restoration times are a matter of hours not the totally outlandish claims of six months.
There are a lot of academics that like to think they have the expertise to accomplish this task in the real world. Very seldom can they do it without the cooperation of the company whose systems they are being asked to evaluate; I would almost say never. Once these systems are evaluated there are a number of excellent tools available from companies in the US that can easily and do secure these systems against dedicated and direct attack.
I would like to highlight one example of the media and many theorists blowing this issue out of proportion. Last year it was widely reported that one major system had been hacked by a group from China. That they breached the "Business" systems network briefly before being caught is true. They did not however even get a glimmer of where the Control Systems were or the support systems that provide data for evaluation of system conditions. This company records close to 600 attacks per month and the security group there do an excellent job of responding, but once again even without them the actual systems used for Control and Decision making are kept secure.
While most media reports on cyber security are full of huff and puff, your special was the most accurate and comprehensive portrayal of the state of the security of the Internet as a whole that I have ever seen. You have been able to bring together a plethora of experts who did a good job in illustrating the threat that the Internet is under. The threats you describe are real.
Slammer was possibly the biggest and scariest worm to ever hit the Internet. The danger and harm that it could have caused with just slight modifications to its behaviour could have had long lasting effects. The fact that the worm infected a significant percentage of all hosts in just the first 15 minutes should scare most security professionals and the governments of the world.
Thank you Frontline for a very much needed discussion on this problem. I have been thinking about these issues for the last several years as I have been learning a great deal about current network security applications. I am glad that it has found a place to be addressed.
I have seen that most of the general public have said "why would I need to have such security firewalls, intrusion detection, etc. systems for my home or small business, I don't have any enemies and even so what would they 'Steal from my systems.'" Your program was a much needed platform to reach these individuals or companies for awareness.
I've seen and heard a lot of talk about Unix based systems being the answer to most of these issues but, I don't feel like they are the answer, but only part. I am talking about mainly routing and firewall devices, software and hardware. I believe that even with SSH technology to control these systems you are still vulnerable to attacks. Devices and software systems that allow remote access for administration is just plain laziness. They should be reverted to the original idea that if a person cannot gain "PHYSICAL" access to these machines then they are truly secure.
Open source was and is still the best answer right now, but it will have to suffer a major evolution of change to bring it to a more secure environment. This will provably lead to a more dictated software environment. These are things that must be accepted.
I will end on saying that why doesn't the government instead of threatening regulation just design their own flavor of a Unix based system to conform a standard in security software. That seems more plausible than complete domination of the software environment and will also still allow an individual's choice. freedom
As long as software development companies have no legal responsibility for selling dangerous goods, but do have a responsibility to their shareholders to make goods cheaply, they are almost forced to sell junk, and to have their PR people defend it with "all software is buggy" or "it's the fault of lazy system administrators".
All software is not equally buggy or fragile. There are known techniques to make it more secure - just ask Boeing's commercial airliner division, or high-speed train or weapons system manufacturers, for instance. Robust, bulletproof, idiotproof, software *can* be written - if you really want to.
Re: Your Homage to Richard Clarke CyberWars
I worked for Clarke a decade ago. Your expose demonstrates both his strengths and the reasons he couldn't accomplish his objectives. Clarke is Smarter Than Everyone, and he lets no one forget it. He distinguishes himself through individual intellectual achievement which is always right on. Unfortunately, he doesn't possess the skills needed to have the Powers That Be take action. He's totally incapable of coalition building, which is how you get things done in Washington, where power and money are diffused among several Federal agencies, and is particularly effective with the private sector. Clarke actually mistrusts people with those capabilities. A truly effective bureaucrat must make political leaders adopt his or her ideas as their own, and must be willing to let them take credit for them. Clarke was often stymied by people who didn't trust his motives and despised his unwillingness to be a team player.
In CyberWars Clarke once again demonstrated he is a lone wolf bent on trampling the egos of people who can actually implement his ideas. If he were truly interested in saving America from cyber disaster, he would hook up with one or several industry associations to begin working on consensus solutions to our vulnerabilities. It's a pain to have to be courteous to business executives, and the result may not be 100 per cent. But at least with consensus you have a high percentage of implementation of whatever solutions are created.
This program was very disturbing. I remember shows in the past stating that a major terrorist attack was not a matter of 'if' but 'when'. Well, here we go again.
It was mentioned on the show that damage from a cyber attack would be financial rather than physical but I could imagine the worst destruction being societal. A large city without power or services for weeks or months could result in a breakdown of law and order and destroy the trust in government itself. This would be the ultimate triumph for Al Qaeda, the destruction of America as a society.
This almost makes me want to read the "Unabomber's Manifesto". That crazy Kaczynski guy may have had a point.
La Cañada, Ca
I have been one of your most interested and loyal viewers, but was greatly disappointed by tonight's broadcast of Cyber Wars.
Several things bothered me. I was appalled at the biased selection of "experts," all of whom had some vested interest in the promotion of cyber security agencies or related cyber security companies. There was nobody from outside this closed circle of the Military-Industrial Complex to question the grandiose assertions made or to provide perspective on what was being said.
More disturbing still was portrayal of the supposed cyber enemy, represented as a faceless, motiveless, demonic evil lurking everywhere and nowhere. The unseen, unknowable enemy is always at the core of conspiracy theories. And, while I do not wish to imply that your sources are paranoid, I think you have a responsibility as Frontline reporters and editors to make them give us a detailed account of the persons involved in the so-called attacks, including their motives. Without a factual assessment of these person or persons, their motivations and their capacities, we have no real way of knowing whether they are annoying hackers or determined enemies.
I am sorry to say that through this program Frontline has spread fear rather than understanding...
I hope you will revisit the subject using standards of proof more consistent with your usual standards of reporting.
Princeton, New Jersey
I have worked in IT Security in many areas for over a decade now. I found your show tonight very balanced and informative. While I have my personal favorites for OS's and tools, you did a good job keeping the show interesting to the non tech heads. It is very important to raise awareness. As stated in the show, it would be so nice to act pro-actively in a cyber war.
The threats are very real, remember that only a small fraction even get reported. The awareness and criticality are essential to the consciousness raising that must occur. As companies become liable or at least responsible; everyone will take the threat seriously.
I am often reminded of the sad anecdote "The boss tells the security expert that services are no longer needed. When asked why, the boss says 'we have had no attacks in over a year, so we are eliminating your job.' The expert apologized for doing his job too well."
Los Angeles, CA
Thank you for another interesting report. In this new era cyber attacks' biggest potential for destruction is not the physical world but rather the cyber world. Information and financial systems are the most likely targets. Information gathering being the most popular use of cyber hacking, followed by communication and information infrastructure disruption. The Department of Homeland Security needs to make Cyber Defense of our nation, both virtual and physical, a top priority.
Palo Alto, CA
Comments from some viewers discounting the possibility, feasibility, and likelihood of SCADA systems, banking systems, and communications systems being hacked and/or being capable of causing physical damage to national infrastructure systems clearly have their heads in the sand.
In the last six months there have been more than 35 serious security vulnerabilities uncovered in just two major Unix OS's. I won't name the specific versions or the particular exploits, but many of these weaknesses are in very basic OS level services, such as BIND, NFS, Sendmail, DNS, IGMP, routed, uudecode, and others I won't name since they would identify the specific Unix OS's affected.
These are all recently discovered and/or repaired vulnerabilities in operating systems that are sometimes used to control power generation control systems, banking systems, and international wire transfer systems.
While these core systems are isolated from direct unsecured network access, many of them are connected to much less secure internal systems through which, with common network infrastructure knowledge and discovery tools, any sufficiently motivated attacker can move nearly at will from outside. Realistically, it only takes one compromised system within the network for such an attack to take place.
Then we could also talk about large scale storage arrays, tens to hundreds of terabytes in size, where sensitive data are stored? On the other hand - let's not.
I have been a black hat and a white hat, and if any major military power and many minor, does not have a cyberwarfare unit I would be very surprised.
Al-Qaeda, DPRK, China, and many more have sinister intentions in cyberspace. We should all thank the benign hackers and virus writers that have helped tighten security so far in the last 20 years. Without them I fear our situation would be far more grave.
I am in fact amazed that a major technological attack has not taken place yet. Just one open valve at the wrong time at any number of places, a nuclear power plant, an oil refinery or even something as small as a water treatment plant could make 3 Mile Island look like a flash in the pan.