CYBEREYE

Why we're unfit to wage cyber war

At the risk of pointing out the obvious, there are lessons to be learned from the false alarm raised over a pump that burned out in an Illinois municipal water plant in November. Analysts in the Illinois Statewide Terrorism and Intelligence Center jumped to the conclusion that it was the work of foreign hackers, and journalists reported it as the first cyber-kinetic attack launched against U.S. assets.

Turns out it was a mistake. The pump just burned out, without any help from Russia. Never mind.

The first lesson here is that we should be careful about laying blame for incidents before we have the facts. That goes for security analysts and journalists.




The second lesson is that operators of critical infrastructure need to do a much better job managing and protecting their systems. They might not be to blame for the pump burning out, but a reasonable remote access policy for the control system could have prevented the confusion over an overseas log-in by a contractor providing tech help. Such a policy also could help prevent a real hack in the future.

The third lesson is that we do not know enough about what is happening in cyberspace and in our own systems to effectively wage cyber war. The clarification of the Illinois incident came more than a week after the initial incident. That’s a long time in Internet time, and even longer in warfare.

As unraveled by Wired, what apparently happened was that Jim Mimlitz, who helped set up the control system for the Curran-Gardner Public Water District in Springfield, was contacted for help with the system while on vacation in Russia in June and logged into the system from a Russian IP address. That contact went unnoticed until a pump failed in November and someone made an unwarranted connection.

In a sense, the connection is understandable in the wake of Stuxnet and in the midst of continuing concern about vulnerabilities in the nation’s industrial control systems. But responsible analysts should not have grabbed at a single point of investigation and leaped to a conclusion without bothering to do the investigation.

Which brings us to the plant’s remote access policy. Mimlitz apparently did nothing wrong in logging into the system remotely. But if a Russian IP address would raise a red flag with investigators, why was such a connection allowed? The utility should have a policy defining who is allowed to log into the system, where they can log in from and at what times. This would have been an inconvenience to Mimlitz and whoever called him for help, but the utility should have technical help available locally, if it is required.

Finally, we need to remember that not every failure is an attack and not every hack is an act of cyber war. The United States is wise to recognize that cyberspace is likely to be a component in warfare and to prepare itself to wage war in that domain, both offensively and defensively. But the difficulty of identifying the source and even the target or purpose of an attack makes it difficult if not impossible to respond to these attacks in a timely manner, whether the response is with logic bombs or kinetic bombs.

We should be reminded by the Illinois snafu that we need to concentrate on more effective prevention of cyber intrusions, regardless of their source or motive, before we contemplate responding to them on a real or virtual battlefield.

 

Reader Comments

Wed, Dec 14, 2011

Stupidest headline ever. You worry about self-defense when you go to war but casualties will always result. To suggest that we should not seek contact because of the eventuality of casualties is laughable. You're writing to GOVERNMENT computer users, many of whom have seen contact and who knew that attackers might strike America's rear while they were deployed. Silliness. We ARE under attack and some of those offensives have succeeded - if we can believe news reports. We have suffered virtual casualties and millions of dollars lost time and such. "Not ready for" any kind of war is immaterial when you have already been drawn into conflict as we have been.

Mon, Dec 12, 2011 SoutheastUS

I somewhat agree with Harold, one should not generalize based on this incident. The general public, and if our government is smart ("government is smart", sometimes, is a stretch of the imagination), journalists in particular probably should not be aware of exactly what our government's preparations for cyber warfare are and their status. Even in cyberwarfare, secrecy gives both a defensive and an offensive advantage in conflict.

Mon, Dec 12, 2011 Harold

"Why we're unfit to wage cyber war" and then you use an example from an Illinois water pump? That's a bit of a stretch, isn't it? Shouldn't it read: Illinois State Water Works is unfit to wage cyber war?
