Unintended Cyber Consequences Continued

After I wrote the last post about problems with the upcoming CyberSecurity bill (see The Law of Unintended Cyber Consequences) – actually after I went to bed – I realized what bugged me about the whole idea of the president having a Real-Time CyberSecurity Dashboard. It’s an alarm system just begging for someone to mess with it. There are three possible scenarios that I can think of without trying very hard.

In the first scenario someone with a great many resources (maybe well-educated Russian youth groups, as described in my post Cyberwars Redux) launches a series of “events” to gauge the workings of the dashboard. Maybe they do a virus one month, a severe denial of service attack on a high profile target another month and a serious attempt at penetration of a military target some other month. They monitor responses from the White House, particularly the CyberSecurity Advisory Panel. Maybe they go by press releases and rumors in the press. An actual intelligence operation (as all governments have and quite a few terrorist organizations as well) might have live humans they can pump for information. Anyway, after a time, they gather enough information to know how to make the dashboard show what they want it to show.

I’ve described this as an entire intel program but it doesn’t have to be. The dashboard will be something most security geeks will be interested in. Information about it will get out. Maybe it will show up in the trade press, or in casual conversations at conventions or on IRC. The trouble is, once people learn how to manipulate the system, worse scenarios become possible or even likely.

For example, if someone finds out that sending out a big virus will set off certain alarms and certain actions, or that a virus in conjunction with a military penetration attempt, or some other combination, will do so, they own the system. Why attack the Internet if all you have to do is send out a couple bad-looking attacks and let the president unplug the Internet for you?

Remember high school, when there was always some clown who would pull the fire alarm because he thought it was more interesting than going to class? How about the kinds of people who write scripts to call 911 and send SWAT teams to random addresses, just for fun? Now imagine that hackers can shut down a huge portion of American commerce just by making it look like a massive virus attack is underway. Maybe I’m crazy but I think this is a bad idea. But it’s what you can expect if the government succeeds in setting up a security system that prompts the president to make draconian decisions on the basis of imperfect information.

There is one more scenario that is almost as bad. If hackers can learn how the cybersecurity dashboard determines what is a threat, they can learn how to launch attacks it won’t notice. Meanwhile, the folks in the White House will have developed a false sense of security (one of the biggest problems with almost any security measure – thinking it’s enough) and the response will be too late.

I’m not saying that some kind of sensor system isn’t a good idea. I’d be very surprised (and disappointed) if the NSA didn’t already have something. But the single point of failure the Senate is thinking of mandating is not a good approach. I’m afraid there’s too much of a tendency in Washington to try to come up with sweeping solutions to problems that maybe shouldn’t be treated that way. It’s good for the Senate to be concerned about the security of our Internet infrastructure. But their attempts to “fix” what they obviously don’t understand will cause at least as much harm as good.

Maybe they should consider survivability and ways failures can be pinpointed and contained, rather than trying to mandate a single quick fix. Would someone who knows them please explain that to them?
