Reliable Security Information
The President delivers his cyberscare story

The President delivered his digital Pearl Harbor story, not using the phrase because presumably has been told of its exposure to ridicule, in the Wall Street Journal yesterday. It's worth a dissection.

For the sake of the discussion, his key points, excerpted:

Last month I convened an emergency meeting of my cabinet and top homeland security, intelligence and defense officials. Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud. Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill.


Our nation, it appeared, was under cyber attack. Unknown hackers, perhaps a world away, had inserted malicious software into the computer networks of private-sector companies that operate most of our transportation, water and other critical infrastructure systems ...




It doesn't take much to imagine the consequences of a successful cyber attack. In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we've seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill




For the sake of our national and economic security, I urge the Senate to pass the Cybersecurity Act of 2012 and Congress to send me comprehensive legislation so I can sign it into law.


It's time to strengthen our defenses against this growing danger.


In the opening paragraphs the President resorts to the stock scary cyber-wargaming and scenario-concoction the US national security apparatus has delivered since ... always.


Historically, the meme is invariant, delivering news that everything is vulnerable. The entire nation falls over from surprise cyberattack.


First, let's deal with the alleged coordinated attack on trains, one which causes them to jump the tracks, releasing toxic chemicals everywhere.


If you think about this a little it falls apart,


The US has a rail system, like all countries, and mistakes happen occasionally. These cause accidents and derailments.


And throughout the nation there are lights on the tracks that signal switches open and closed, and warning and so on. Plus there are controllers. Plus people who react immediately to side-strep or remedy problems.


There is not one master switch for all rail, hubs are scattered all across the US, thousands of them, I imagine.


So, with one sentence, you are asked to believe there can be an attack on specific trains loaded with what just happen to be specifically dangerous chemicals so that they jump the rails and cause a national catastrophe?


The intelligence requirements just to start thinking about that are beyond belief. This belongs strictly to the last Die Hard movie, the one where the fired Pentagon security contractor battles McClain.


"Trigger the accidents and the release of the poison gases now!" cackled the fiend from deep within his cyber-bunker, somewhere in the eastern hemisphere.


So shame on President Obama or, more likely, a staffer for putting it in. So the occasional bad rail accident from normal human error will remain more likely than hack or cyberwar attacks on the same.


The presumption that this has changed, or is about to, is senseless.


To make another counterpoint, there is little to zero evidence reservoirs and water systems can be significantly damaged by cyberattack, even if one grants the minor possibility of remote trifling with pumping systems.


The hazard posed to water supplies was worked out early in the war on terror, motivated by fears of chemical and biological terrorism aimed at them.


Water is difficult to ruin, unless one is speaking about massive oil spills, run-offs into rivers from mismanaged chemical plants or massive industrial accidents that release materials into natural waterways.


Every year such events happen throughout the US. Recovery is swift.


In addition, water purification and supply is a nationally distributed matter. There is no way to universally degrade it in the United States.


For example, my brain tells me, and it's usually pretty good at these things, that it would be virtually impossible to affect water in Los Angeles County short of destroying the Owens Valley, the Los Angeles Aqueduct, the Colorado River and the Colorado River Aqueduct. It would take an almost irreversible blackout in California to hinder the flow of water into LA County. Extreme drought in the snow pack mountains would do it, too.


What -- could hackers or cyber-soldiers blow up Pasadena Water & Power or make the complex unusable and all the water unpotable?


How does one do that locally in Los Angeles, one of the most populous places in the world? Water supplies in ponds are scattered everywhere, there is no one central water supply and plant to do something to.


Theoretically, if you believe someone can turn up the addition of chlorine, so what? You can't supersaturate water with it. There is no way to turn water into bleach in everyone's tap from the Internet.


Details are important, not potential bluff by one hacker, published in hundreds of stories -- truth being determined by the number of people convinced to reprint exactly the same thing -- that "[said] hacker posted pictures of [a water] facility's internal controls."


This matter can also be seen as more of stunt executed through PasteBin by a hacker personally indignant at the Department of Homeland Security at what he saw to be it's dilatory attitude toward the dangers posed to the nation's water system.


Indeed, using one minor news story, never really followed up to make a convincing case that the entire nation's water is threatened, instead used for purposes of disaster titillation, is standard propaganda.


Now let's deal with the cyberstrike on hospitals. How could cyber-soldiers or hackers make doctors stop dealing with the sick?


They'll turn off the power and corrupt all the patient data, never mind the senselessness of doing both.


Just go with me for a minute.


They'll take away Internet connectivity and e-mail, and put ridiculous and dangerous results in digital logs of patient records, like prescribing insulin shots for everyone except the diabetics or Viagra for people with really bad tickers. Then the staff will roll out the needles, pills and drips and put everyone into a coma.


Ahem. Do you really think that the practice of medicine hasn't had years of experience dealing with bad or screwed up e-mail, malware, and criminal pests who get into networks?


Anyway, it is exceptionally bad to try and stampede people into believing stupid things through the use of fear, no matter how well meaning you are.


In his essay the President is working from the script that the United States can be turned off with select manipulation of a few switches. This is an absurd construct, but an old one, and something that can also be dubbed a zombie lie.


It follows always from the assumption that since no one can challenge the US militarily, all the enemies have worked out ways to destroy American civilization in other ways. And they're all effective.


Finally, readers can take note of the placement of this in the Wall Street Journal, the newspaper of the financial system.


Attack on the financial system has become a regular part of the mythology used to influence policy makers, even though it's to laugh. Consider the state of the economy and the predicament of the 99 percent. The financial sector might be attacked! Really?!


What, exactly, would that do to the 99 percent? Not a trick question.


It may seem audacious to ask people to think about the manipulation but it's not, really.


There are quite specific narratives on financial firm malfeasance and corruption, all of which lead to a global, not just a national, economic crisis. There are no such explanations for any theoretical cyberattack on the financial system.


Now we do know that hackers and thieves get after banks and they do this to steal money. But they do not rise to the level of what the insiders, the captains of the universe, have done.


The argument that careless connection of remote systems to the Internet has been with us for a very long time. People have been saying this for years. Exercise caution when connecting stuff that you believe to be critical.


Some people do. Some don't. Some do it and add security or presume they have. Others just put everything on-line so they don't have to be on-site all the time. This is the way of things and it probably always will be.


So, yes, there are going to be security problems but where are they in the entirety of the big nation and is there a master map?


These are unquantifiable questions no one can really answer except to say managing the security of such things and the risk imposed is a day to day battle.


The problem arises when it is all spun, as the President has done for effect, into a message of fear, delivered from the notion that it is trivial to collapse the nation from remote access, all for the motivation toward a policy.


There are arguments and debates to be made on this to persuade people, but sincere efforts take time and aren't served by stuff like this. Yet it has always proven convenient to go with the pungent essay seasoned with fearful examples.


Originally published at Dick Destiny blog. About the author.

 
Subscribe to SitRep:
GlobalSecurity.org SitRep RSS Feed GlobalSecurity.org SitRep ATOM Feed