Shift Delete
Page 2
A cyber expert testified that even among trained IT professionals encountering a cyber-attack, human nature kicks in to try to explain away the anomaly. Something isn’t working right, or someone didn’t follow procedures arc the initial reactions. The tendency is not to assume a cyber-attack is underway. And most times it isn’t; it’s just an IT issue. It is precisely such a trial by fire that defines the good cyber analyst—the one who can identify that an attack is actually taking place.”
‘The Congressional committee heard that the problem is that no one believes the doomsday scenarios; when they hear them people simply pull the wool over their eyes. Some people still think of a computer virus as a mischievous yet harmless nuisance like fireworks displays or letters dropping down the screen. Now it is finally understood that people can die as a result of cyber-attacks.
“Think about someone tampering with traffic lights, causing fatal car accidents, contaminating water sources, or altering hospital medical records like blood types, which would have disastrous consequences. Or on a grander scale, it’s not difficult to imagine a cyber-caused mass casualty incident scenario like derailing trains carrying hazardous materials or attacking air traffic control causing an air disaster.”
“Seems far-fetched. So why hasn’t anyone done it before?”
“Cyber professionals know that the most vulnerable targets are industrial control systems. SCADA systems. These legacy systems were not designed to face attacks, and are thus vulnerable. It could be the elevator in a building, a power plant, an airplane or a pacemaker embedded in someone’s chest. These are all real-time systems not protected by antivirus or firewalls.”
Until “Cyber 9/11,” cyber experts always said it was more a matter of luck than brains that no catastrophic attack had taken place to date. SCADA control systems were not originally meant to be connected to an external source. And maybe on-one thought to do a massive attack on a SCADA system. There was the Australian Maroochy Shire sewage plant incident when a rejected job applicant hacked the facility’s computerized control system to cause millions of gallons of raw sewage to spew out. While it may ring of a practical joke, no one found the environmental damage, stench or the necessary clean-up very funny, nor was the culprit’s two year prison sentence.
“Think about 9/11,” the committee was told. “Who would have thought commercial aircraft could be used as weapons of mass destruction by flying them into skyscrapers? Yet commercial aircraft were around for half a century, just no one thought of it. So who would have believed an attack from a computer possibly thousands of miles away could crash the electricity grid, thrusting tens of millions of consumers into days of darkness, with accompanying deaths and economic loss?”
The Congressional committee heard from another expert with dark hair slicked back to cover his balding pate compare cyber-attacks to a nuclear attack, claiming that cyber-attacks are more problematic given that their destructive potential is “equal to or greater than an atom bomb.” One could see from the Congressmen’s body language that they weren’t buying it. A skinny gray-haired Congresswoman was leaning back on her chair staring at the ceiling; another was reading something on his iPhone.
Sweating profusely, even though the air conditioning humming noisily chilled the room, the expert leaned closer to the microphone for effect, elaborating that cyber-attacks “involve damage to critical systems that control basic resources such as water, gas and electricity,” noting that the most substantial damage is inflicted on civilian infrastructure far more so than military. He wiped his large forehead dry with a white cloth handkerchief.
“No state can truly police everything in cyberspace, making it extremely difficult to incriminate a perpetrator. That means.” he concluded, “you can use cyber warfare and get away with it.”
That caught their attention. Some of the Congressmen sitting on the panel shifted uncomfortably in their dark leather chairs as they began to comprehend the extent of the threat.
Another expert wearing a plaid suit that looked like a holdover from the 1970s testified on the financial sector. “What would happen if a bank collapsed?” the expert asked rhetorically, his voice cracking from nervousness as he spoke.
“Mr. Chairman, esteemed members of the committee and fellow guests of this committee, imagine, if you will, logging into your bank account on your home computer. You can’t get access. Frustrated after a few unsuccessful attempts, you call customer service to complain that you cannot access your account. Imagine the helplessness you would feel when the customer service rep sitting in some distant call center tells you that they have no record of you or your account.” He paused for a moment for effect.
“It isn’t like the old days when your personal banker knew you by name and face; now you have no one to turn to. And with bank statements almost exclusively on-line these days, you probably wouldn’t even have a piece of paper from the bank to prove your claims. When did you last print out your account statement?” he asked, pausing to look for reactions among the committee members and hearing attendees. “Your savings are gone. Imagine that. It’s not only frightening, it’s terrifyingly possible.”
Expanding on his scenario, he added, “Hundreds, thousands, tens of thousands of customers discover their bank accounts have been wiped clean.”
The hearings touched on questions of who and what to protect. A fat Congressman with a Southern drawl questioned Congress’ right to determine priorities in the cyber world. In his slow, calculated speech, the Congressman asked rhetorically whether “protecting General Motors is more important to the resilience of the national economy than protecting a military installation?”
Congress was beginning to understand the scope of the problem they were trying to get their arms around. The whole cyber thing was still relatively new, and it seemed like every government agency was staking its claim of ownership on this vast new field. It became evident the situation was a throwback to the days after 9/11, when all of a sudden every government agency claimed responsibility for Homeland Security. That became the buzzword of the day, with every agency jumping on the bandwagon in hopes of increased budgets. In industry, every little company in the security business declared itself a “homeland security” company, whether it was access control systems or barbed wire fencing. The Europeans and other countries had a chuckle at the Americans, noting that the whole world simply calls this field “security” since only fortress America had been immune to international terror attacks for so long.
Now it was the era of “cyber,” but this was a far more sophisticated subject than homeland security that not everyone could pretend to be in.
Every country had to be in the game, since there truly is a world-wide war out there. These were wars between nation-states, and sometimes a war of one disgruntled, talented kid half a world away against the United States or any country for that matter. All countries were at risk—just ask Estonia, which found itself the brunt of a focused cyber-attack by the Russians after an earth-shattering event like the removal of a statue from its capital, a move that the Russians took as a major slight. In past days, the Russian ambassador might have called upon Estonia’s government to express his government’s displeasure, or in even more egregious cases, the ambassador might be recalled by his government for consultations, sending a clear message. In this day and age, the Russians’ displeasure was expressed by an independent three-week cyber onslaught targeting Estonia’s government ministries, political parties, newspapers, banks, and private companies that wreaked havoc on the economy. At the forefront of e-government, Estonia was particularly vulnerable due to its heavy dependency on computers.
The alleged perpetrator against Estonia was a Russian teenager who was so upset, distraught and insulted by Estonia’s insensitivity to Russia that he couldn’t help but act, of course with no official Russian Government sanction. Or so was claimed. And therein lies the essence of cyber warfare, or cyber- skirmishing, since wa
rfare has a connotation of being all-out: Deniability.
No one could accuse Congress of inaction this time around. In fact, at the conclusion of the Congressional hearings, Congress acted with lightning speed. The resultant Cyber Security Act was quickly passed by Congress, formally creating the Department of Cyber Response and Activity to oversee and coordinate a comprehensive national strategy to safeguard the American Government in cyberspace. This was ironic because the attack that spurred the DCRA was on public utility power lines; not a government network. And even though the energy, banking and transportation sectors are all deemed critical infrastructure, they were not covered under DCRA’s mandate, save for advising and providing guidance to private industry and individuals. Until DCRA’s establishment, the White House and executive branches, federal agencies, judicial branch, intelligence agencies and the military were all stove-piped, conducting themselves as islands in an “every man for himself” world. DCRA was to change this.
There was intense pressure to get the agency up and running before another catastrophic attack took place. That was one of the leading reasons they decided to leave industry out and focus solely on protecting the government as they figured out the mission that best suited them. To meet the Congressionally-mandated timeline for functioning, DCRA began with borrowed military personnel and just about anyone in government service with expertise in this new, esoteric field, just to get the organization up and functioning. Over time it grew to become a powerful agency, with carte blanche access to nearly every government network.
3. MOSCOW
“Welcome!” The Department of Cyber Activity’s Moscow representative Dan Chaseman met Parovsky at a cafe in the GUM Department store just off of Red Square. Parovsky didn’t understand why the meeting had been arranged at this holdover from the Soviet days, until he arrived and found GUM to be as posh as the nicest shopping malls the U.S. has to offer.
Chaseman’s fresh-out-of-college look belied the fifteen years he had already put in with the U.S. Government, starting in diplomatic security before working his way over to the DCA. He was dressed in khakis, a plaid shirt, navy blazer and maroon penny loafers with tassels, adding up to a conspicuously American uniform in contrast to Parovsky, who was unshaven and wore black Levis, untucked slim-fit button down shirt and Blundstone boots—looking more out of a fashion magazine than U.S. Government bureaucrat.
“Thanks,” Parovsky answered with a smile, shaking Chaseman’s outstretched hand. They sat down across from one another at a small, shiny table overlooking the mall’s atrium.
“So how do you find Moscow so far?” Chaseman inquired.
“Rather dour people. Is it illegal to smile in this country?”
His host smiled and nodded, already all too familiar with the locals. “That’s Russia!” Changing subjects, he asked, “So how long you TDY’d here for?” using embassy lingo for ‘temporary duty’.
“I’m here for two days. Just the cyber conference and then I’m outta’ here.”
Speaking at the occasional cyber conference broke what Parovsky saw as the monotony of days spent staring at computer screens, or cyber- attack statistics displayed on large screens in the Cyber-incident Security Information Center (SIC). But that was merely his cynical view. In truth no two days were ever the same, and each brought new challenges as any number of actors around the globe pried the U.S. Government networks. Normally his overseas trips involved meetings with the national cyber authority regarding information sharing and cooperation, which is key in the cyber realm. It is a world war, one without borders. DCA cooperated with counterpart authorities across the globe, along with NATO, the European Union and other organizations. At home, there was further cooperation with academia and specialized companies in industry. Some defense contractors were so frequently attacked that they developed cutting edge defenses and proprietary methodologies of their own that they began proffering to federal government agencies.
This time around was different given the lack of collaboration with Russian authorities, which sent a message in itself. The U.S. even had a bilateral cybersecurity working group with China, yet here he was—a U.S. Government cyber official in Moscow for a high-profile conference, slighting the host country government to express Washington’s displeasure at Russian policies with Iran and Syria.
It was a standard international trip like others he had done before. He was greeted at Moscow’s by an embassy vehicle—one of those large white GMC’s that stands out like the proverbial sore thumb. On the ride into the city, he was amazed at how tolerant the drivers were of one another’s totally inconsiderate driving behavior—something that back in Washington surely would have elicited beeping of a horn or perhaps an obscene gesture. But here, hardly a beep.
After settling into his well-appointed room at the Radisson Hotel close to the U.S. Embassy, he had some time to kill before meeting up with Chaseman, so he decided to brave the cold and head out by foot to Red Square. Bundled up in his Uniqlo lightweight down coat, he braved the frigid temperatures and found the brisk walk invigorating after being cooped up on the 10-hour Delta flight from JFK. It was just what his body needed to adjust to the new time zone, eight hours ahead of Washington. Parovsky stopped at a souvenir table where he picked up and examined a set of babushka nesting dolls—those wooden dolls of decreasing size placed one inside the other. He forgot himself for a moment with fascination with its intricate artwork: wide eyes, ruddy cheeks, mouth and other facial features hand-painted on each, the smallest doll even smaller than his pinky finger. Not that he had kids at home for whom he had to bring a souvenir; hell, he couldn’t even maintain a normal relationship, never mind entertain thoughts of marriage. Two shrinks as parents had done their fair share in ensuring that he was thoroughly fucked up, over-analyzing the world to the point that he would never be happy.
He picked up a fur Russian ushanka hat and almost dared try it on, but vanity kicked in and he stopped himself after dreading the thought of what his hair might look like when he took it off. Better frost-bitten cars than “hat head.”
At the southern end of Red Square was Saint Basil’s cathedral with its spires and elaborate multi-colored, swirl- and stripe-patterned onion dome-topped turrets—distinctive architecture meant to resemble the flames of a bonfire. Parovsky instantly recognized this building as the familiar backdrop from practically every news broadcast from the Soviet Union in the old days, finding it ironic that the most familiar landmark of the Godless Soviet Union was a golden cross-topped cathedral. He approached the building and smiled in appreciation of its eclectic shapes and colors, but didn’t have the time or inclination to go inside. There was something cold and oppressive about them. Hearing echoes of footsteps and voices, the wasteful open spaces, the overly- ornate gold-leaf religious imagery, the smell of pungent candles being lit by religious devotees. It simply didn’t sit well with him.
Red Square was decked out in white, blue and red horizontal-striped Russian Federation flags noisily flapping in obedient unison in the breeze, or flopping lifeless against the flagpoles when the wind subsided. The Russian flags were joined by some old red-field hammer and sickle flags of the Soviet Union waved by antiquarians, giving a very nationalistic feel to Red Square.
“1 hope you’ll get a chance to see something other than just your hotel room and the conference venue,” Chaseman said to him.
“I took a short walk around Red Square,” Parovsky answered. “Saint Basil’s is really impressive.”
Chaseman shook his head in agreement. “Did you check out Lenin out there in the square?”
“You know-1 don’t think 1 saw even one sign out there in English. I accidently found myself in line for what I realized was Lenin’s mausoleum, so 1 stepped over the chain link railing to get out of line, which the guards didn’t like. Seeing the embalmed arch-communist? I find the whole concept rather gross and morbid.”
Chaseman smiled as he shook his head
in understanding.
Parovsky added, “I grew up in the days when the Soviet Union was the ‘Evil Empire;’ 1 feel no pressing need to pay respects to a dead communist.” He cocked his head to the side to stress his point.
“Well, the commies seem to be making a comeback,” Chaseman said, lowering his voice and leaning in closer to Parovsky to avoid eavesdroppers. “Or I should say the old aggressive Russian bear awoke from its post-Soviet hibernation.”
“You mean what they did in Crimea?”
“Ukraine is history,” Chaseman grimaced to accentuate that Parovsky was way off. “It hasn’t made the world news circuit yet, but the Russians are flexing their muscles yet again with another of their neighbors.”
“Who’s the lucky one this time?” Elliot asked jokingly. They both laughed.
“Estonia.”
Elliot raised his eyebrows as if to say, “Really?” even though he truly didn’t care very much. He wondered to himself if he could even find it on a map.
Chaseman continued. “It’s following the typical pattern of Russian escalation: Estonia complained about Russian interference in Estonia’s internal affairs, and now Gazprom-the Russian energy giant—is threatening to cut off natural gas supplies to Estonia, claiming it’s because the government in Tallinn failed to make payments for past deliveries.”
Parovsky’s jetlag was kicking in, and he wasn’t particularly interested in Estonia’s troubles. He picked up a sugar packet from the bowl in the center of the table and tried to make out the Cyrillic letters while Chaseman continued talking. “The Estonian prime minister said the Russian move was not about gas, but rather part of a Russian plan for the destruction of Estonia. That’s a mighty claim!”