Why we're unfit to wage cyber war
At the risk of pointing out the obvious, there are lessons to be learned from the false alarm raised over a pump that burned out in an Illinois municipal water plant in November. Analysts in the Illinois Statewide Terrorism and Intelligence Center jumped to the conclusion that it was the work of foreign hackers and journalists reported it as the first cyber-kinetic attack launched against U.S. assets.
Turns out it was a mistake. The pump just burned out, without any help from Russia. Never mind.
The first lesson here is that we should be careful about laying blame for incidents before we have the facts. That goes for security analysts and journalists.
The false cries and fog of 'cyber war'
The second lesson is that operators of critical infrastructure need to do a much better job managing and protecting their systems. They might not be to blame for the pump burning out, but a reasonable remote access policy for the control system could have prevented the confusion over an overseas log-in by a contractor providing tech help. Such a policy also could help prevent a real hack in the future.
The third lesson is that we do not know enough about what is happening in cyberspace and in our own systems to effectively wage cyber war. The clarification of the Illinois incident came more than a week after the initial incident. That’s a long time in Internet time, and even longer in warfare.
As unraveled by Wired, what apparently happened was that Jim Mimlitz, who helped set up the control system for the Curran-Gardner Public Water District in Springfield, was contacted for help with the system while on vacation in Russia in June and logged into the system from a Russian IP address. That contact went unnoticed until a pump failed in November and someone made an unwarranted connection.
In a sense, the connection is understandable in the wake of Stuxnet and in the midst of continuing concern about vulnerabilities in the nation’s industrial control systems. But responsible analysts should not have grabbed at a single point of investigation and leaped to a conclusion without bothering to do the investigation.
Which brings us to the plant’s remote access policy. Mimlitz apparently did nothing wrong in logging into the system remotely. But if a Russian IP address would raise a red flag with investigators, why was such a connection allowed? The utility should have a policy defining who is allowed to log into the system, where they can log in from and at what times. This would have been an inconvenience to Mimlitz and whoever called him for help, but the utility should have technical help available locally, if it is required.
Finally, we need to remember that not every failure is an attack and not every hack is an act of cyber war. The United States is wise to recognize that cyberspace is likely to be a component in warfare and to prepare itself to wage war in that domain, both offensively and defensively. But the difficulty of identifying the source and even the target or purpose of an attack makes it difficult if not impossible to respond to these attacks in a timely manner, whether the response is with logic bombs or kinetic bombs.
We should be reminded by the Illinois snafu that we need to concentrate on more effective prevention of cyber intrusions, regardless of their source or motive, before we contemplate responding to them on a real or virtual battlefield.