From today's Washington Post:
While the Russians did not actively use the code to disrupt operations, according to officials who spoke on the condition of anonymity to discuss a security matter, the discovery underscores the vulnerabilities of the nation’s electrical grid. And it raises fears in the U.S. government that Russian government hackers are actively trying to penetrate the grid to carry out potential attacks.
Officials in government and the utility industry regularly monitor the grid because it is highly computerized and any disruptions can have disastrous implications for the country’s medical and emergency services.
Burlington Electric said in a statement that the company detected a malware code used in the Grizzly Steppe operation in a laptop that was not connected to the organization’s grid systems. The firm said it took immediate action to isolate the laptop and alert federal authorities.
The facts do not come out until paragraph three, preceded by a very scary headline and paragraphs 1 and 2. The laptop was not connected to operations. It could have been infected by an employee viewing porn sites. The infection contained at least a snippet of code attributed to Russian origin.
I'm willing to believe that the malware found was of Russian origin. But hackers share malware freely and excerpt and morph it to fit their needs. The Stuxnet virus, supposedly of US Government origin, is like that. Finding a snippet of Stuxnet code on an infected computer today is very weak evidence that the US Government put it there.
Here is my central point. Bad guys can very simply and cheaply use hacking to spread fear in our country, and to erode trust in our institutions, and to cause us to spend our money foolishly. Measured in terms of money, it is asymmetric to the extreme. Security vendors salivate over prospective sales of $100-$150 billion in smart grid or cyber security hardware and software. It might have cost the bad guys less than $10 to get the malware on the Vermont computer. That suggests a leverage of 10,000,000:1!
Readers may wish to argue for a lower number, perhaps 1,000:1. But we should all agree that the gain is very much bigger than 1, thus asymmetric in favor of the attacker.
Next, I think back to the so-called Strategic Defense Initiative of the Reagan years (known as Star Wars). It has been said that Star Wars was the straw that broke the back of the Soviet Union. Perhaps Star Wars was genuine, or perhaps it was an insanely successful ruse. No matter. That little packet of information, true or false, achieved what 30,000 nuclear warheads over the span of 40 years did not accomplish. It was asymmetric to the extreme.
It seems entirely plausible that the Russians, North Koreans, Iranians, or other enemies can have a field day practicing asymmetric cyberwar with the USA. The beauty of the scheme is that they do not need to ever succeed in causing a blackout or anything else with physical reality. All they need to do is to destabilize our society with anxiety. If we accept that the Russians did meddle with the US election, then destabilization rather than election of Trump seems to be a much more believable motive. Hundreds of millions of Trump opponents, still stinging with disappointment, are willing to jump on that destabilizing wagon at this moment in time.
It may be true that the USA is much more skilled than any other country in offensive cyberwar capability. But it is also true that we are more vulnerable because (a) we are so computer dependent, and (b) because our free speech traditions allow the media megaphone to amplify fears and concerns. The USSR in the 1980s was vulnerable in different socioeconomic ways. Star Wars was merely the trigger, not the total cause of the Soviet Union's collapse.
What can we do? We can't repeal the 1st Amendment. But we can and should solicit the cooperation of the media. Using today's Washington Post article as an example, all that would be needed would be to make the raw facts appear first. Make facts the first paragraph and the headline. The authors would still be free to embellish the facts with speculation about scary possibilities, but the editors could simply move those to paragraph 20 of the story. It is ironic to note that other countries with weaker free press traditions (including much of Western Europe) would find it easier to do than we would.
It is my opinion that if we could
accomplish that simple change in how we emphasize and highlight
information, that the USA.
There are also other things not related
to cyber security that we can do to make ourselves less vulnerable,
but I'll leave those for another day.