By John Reed
What threat to the banks, utility companies, and telecommunications companies that make up the "critical online infrastructure" of the United States worries one of the Pentagon’s top cyber officials more than almost any other?
You might think it is a strategic, Stuxnet on steroids-style cyber attack designed by a rival nation with deep pockets and lots of engineers to cripple American industry. While state-sponsored attacks remain a big threat to large corporations and the U.S. government, the cyber tools available to average hackers are increasing in potency at an alarming rate. The proliferation of tools allowing anyone to easily detect where a device connects to the Internet, combined with the growing ability of private hackers to discover previously unknown vulnerabilities in computer systems (the basis of so-called zero-day exploits), now poses a large threat, according to Eric Rosenbach, deputy assistant secretary of defense for cyber policy.
"It’s this combination of a program, which is essentially a Google-like browser on the Internet right now that allows you to scan for vulnerabilities in the industrial control systems in the U.S. and around the world, . . . that combined with the phenomena of these black market zero day exploits and malware tools that makes me extremely nervous," said Rosenbach during a Sept. 4 interview with Killer Apps, during which we also discussed the automation of cyber defense and the holy grail of cyber security. "Because then it’s not just a nation-state that wants to harm the U.S., but it could be a rogue group or some crazy individual that wants to leave their mark on history. The perspective on the vulnerabilities is there [for anyone to see], and some of the tools that you need to do it are there too. I think that is what worries us the most."
The program Rosenbach referred to is called Shodan; its website describes it as a search engine that allows users to find any device connected to the Internet — whether that’s a server, the controls of a power plant, or even a refrigerator.
Columbia University professor Abraham Wagner, who specializes in how technology has affected national security, points out that there are already reports of hackers using Shodan to find weak spots in the programs, known as Supervisory Control and Data Acquisition (SCADA) systems, which control everything from an office building’s air-conditioning to the speed at which a uranium-enrichment centrifuge in a nuclear plant spins.
"Tools like this certainly make hacking easier," wrote Wagner in a Sept. 13 email to Killer Apps. "The vulnerable systems are still in serious need of major security upgrades, and we are still in a ‘transitional’ period where nobody seems willing to undertake the level of effort that is required. There is still an operative mentality that states it must be somebody else’s problem to do it."
While basic cyber hygiene — such as using tough-to-crack passwords and regularly updating a computer and network’s security settings — can thwart many attacks, Rosenbach doesn’t think that private companies will take action until they have suffered too many costly cyber attacks, or the government can work with them to implement cyber security standards. The latter, however, remains a tough nut to crack. In August, Republican senators shot down the latest attempt to legislate minimum cybersecurity standards for companies involved in maintaining critical infrastructure.