What Do Sandy & Pearl Harbor Have In Common? Politicians Exploit Both To Push Cybersecurity Agendas

from the but-of-course dept

Defense Department boss Leon Panetta has been recycling his cyber Pearl Harbor ghost stories for a few years now to push for expansive cybersecurity legislation (i.e. budget and power to spy on people), but Pearl Harbor is a bit outdated these days. So why not shoot for a more contemporary reference? Why not something in the “now”? Well, Homeland Security boss Janet Napolitano (who’s in a bit of a turf war with Panetta over who gets control — again, budget and power to spy on people — of “cybersecurity”) has decided to go with the most contemporary possible reference: Hurricane Sandy. Apparently, to Napolitano, the answer to the question of “how soon is it appropriate to cynically abuse the story of Hurricane Sandy for political gain?” is “right away.”

Napolitano, who, you may remember, doesn’t know how the internet works, went to a cybersecurity event on Wednesday to warn that without cybersecurity legislation, an attack might be just as bad as Hurricane Sandy. Quoting a report from Hillicon Valley:

After Hurricane Sandy wreaked havoc on the East Coast, Napolitano said people should look no further than the damage caused by the massive storm to understand the need to boost the nation’s cybersecurity protections.

“One of the possible areas of attack, of course, is attacks on our nation’s control systems — the control systems that operate our utilities, our water plants, our pipelines, our financial institutions,” Napolitano said. “If you think that a critical systems attack that takes down a utility even for a few hours is not serious, just look at what is happening now that Mother Nature has taken out those utilities.”

“The urgency and the immediacy of the cyber problem; the cyberattacks that we are undergoing and continuing to undergo can not be overestimated,” she said.

I’d say that it’s not so much the utility downtime that’s been the problem with Hurricane Sandy compared to, say, the wind and the copious amounts of water falling from the sky and piling up on the ground. Last I checked, that can’t be controlled via a computer (leaving wacky conspiracy theories aside).

As per usual, when it comes to cybersecurity threats, Napolitano (like pretty much every single other politician pushing for legislation) refused to get into specifics about how real any threat is — other than to make scary “be afraid, be very afraid!” noises. The one time she was asked about a specific threat, she immediately went vague, but in full-on FUD mode:

When asked by Post editor Mary Jordan about whether hackers are stealing information or money from banks, Napolitano answered “yes” and then quickly added, “I really don’t want to go into that per se.”

“All I want to say is that there are active matters going on with financial institutions,” she said.

Is it really so crazy to think that if the government is going to pass a bill that has broad implications for our privacy, they should at least come up with a legitimate and clear explanation for why it’s needed? Instead they toss out scare stories about hackers stealing money, planes falling from skies and utilities shutting down — without any proof that any of it is actually likely or possible.

Comments on “What Do Sandy & Pearl Harbor Have In Common? Politicians Exploit Both To Push Cybersecurity Agendas”

32 Comments
That One Guy (profile) says:

What I would Love to see...

…would be for someone, anyone, at one of these conferences to flat out ask anyone pushing this ‘our critical infrastructure is vulnerable to hackers!’ rot why exactly said systems are connected, at all, to anything outside of on-site networks.

And if the reply is ‘They’re not’, then follow up by asking what precisely the bills they’re proposing would do, that simple on-site personnel training and security couldn’t do better.

:Lobo Santo (profile) says:

Re: What I would Love to see...

Come now, this has nothing to do with security and everything to do with money and control.

I’m pretty sure this one involves a cushy multi-billion dollar contract being handed to a “friend’s” cyber-security company.

What we’re witnessing is just another symptom of corruption, played out in the public theater.

That One Guy (profile) says:

Re: Re: What I would Love to see...

Oh I know full well the whole fiasco has nothing to do with security and safety (of the public anyway).

However, if the public forced them to actually admit that, to admit that the efforts they are pushing for would be at best ineffective, and likely to cause much more harm than they are trying to prevent, then there would at least be a chance that the real reasons would come to light, and political reasoning tends to be rather like mold, it does best when it’s hidden from view and allowed to grow unchecked.

:Lobo Santo (profile) says:

Re: Re: Re: What I would Love to see...

Doubtful. If one pays attention, it’s obvious they never really bother to hide anything behind more than a thin veneer of civil service.

People simply do not pay attention, or do not care enough to do anything.

Those few who do care are marginalized. The man yelling “this will do nothing!” would be removed by security. Later, he’d be smeared on Fox/CNN as a nutter; a crazy conspiracy theorist who’s also a racist and a pedophile.

The average (un)informed person would laugh a little about the loud nutjob and continue on, oblivious to what they see but fail to comprehend.

Gwiz (profile) says:

Whew.

Last I checked, that can’t be controlled via a computer (leaving wacky conspiracy theories aside).

After reading the linked article there, I find it reassuring to know that there are people out there who wear their tinfoil hats all the time regardless of who is watching. As opposed to someone like me who occasionally dons their stylish tinfoil-lined wizard’s hat and wades in Conspiracy Land now and then. Makes me feel a little saner I guess.

Michael (profile) says:

Re: Re:

I will combine two related things to make the point that some people cannot be trained to implement security.

I haven’t seen examples of this myself, but I have heard from two different sources I trust that they have personally seen people who simply cannot count standard US currency; I am unsure why, but suspect some combination of: they can’t count, or their memory is easily corrupted.

Another example is phishing emails: clearly a frightening percentage of our population believes these (and worse, self-selects), otherwise it would not be economically viable to engage in that behavior.

The above two ideas combine to support my point. There simply are some people who will ‘fail’ in the context of security. There is also, of course, the ‘boss’/’ceo’ syndrome of poor security when it is inconvenient.

I am, however, beginning to suspect that some kind of 1:2-4 X enciphering system and a modified version of one-time-pads should be used for high security low I/O per second. Data plus replacement key-pad and a bit of channel noise (message padding) could be sent to keep equipment on otherwise public channels communicating in a way that is almost not susceptible to any exploitable algorithm (You’d have to slightly obfuscate the data to prevent statistical attacks; but compression and a small bit of scrambling should be more than sufficient).

Anonymous Coward says:

Re: Re: Re:

From personal experience, the more power a person has the more likely they are to keep a keyword written down close to where it is needed. Favorite places are the bottom of the monitor, the pen drawer in the desk, and the notice board on the wall.
I do know of one case where writing down sensitive information was safe, and that was writing a PIN on the wall by the cash machine the person always used. It was a popular machine, so it could have belonged to any of thousands of people.

PlagueSD says:

No matter the amount of cybersecurity we have out there, there’s nothing that can be done about social engineering. There will ALWAYS be stupid people out there…Just look at the last post about Sandy and Twitter.

If there are any critical systems exposed to the internet, then the IT Engineers involved should be fired. There is no reason I see that we need to be able to remotely control any critical systems off-site.

As long as we have stupid people, we will NEVER be 100% secure with our IT infrastructure. As for using the storm as a comparison, we knew it was coming DAYS in advance.

Anonymous Coward says:

Mike–

It’s stuff like this that proves you’re just a yellow journalist, spreading FUD and discrediting everyone who you dislike. You say: “Napolitano, who, you may remember, doesn’t know how the internet works . . . .”

That is a completely, 100% bullshit statement. You cite your last article, where you discredited this very well respected and accomplished person for admitting she doesn’t use email. You claimed that she was therefore unqualified to do her job (as you so often do while stomping your feet as you discredit others), but you were COMPLETELY UNABLE to name even one thing that she did not understand or could not do.

Please explain how you get her admission that she doesn’t USE email to reach your conclusion that she “doesn’t know how the internet works.” Seriously. Don’t run away. Don’t mince your words. Just answer the direct question with a direct answer, or admit that you are deliberately lying.

WTF is wrong with you that you feel the need to LIE to discredit those in power? Seriously. I know you won’t address any of my points and that you’ll run away as you are again called out for your bullshit. You’re too much of a coward, and you know it. Seriously, dude, the fact that you lie and claim that she “doesn’t know how the internet works” proves that you’re a piece of shit who just panders to the lobotomized.

John Fenderson (profile) says:

Re: Re:

That is a completely, 100% bullshit statement.

It is? If it’s 100% bullshit, then why does she talk so much nonsense about internet security and the best way to address it? If, as you imply, she knows whereof she speaks then she must be being deliberately deceptive.

And personally, I agree with that proposition. I don’t think she’s stupid about the internet. I think she’s lying in an attempt to make people so scared that they’re willing to go along with plans to make the internet much less free.

Mike Masnick (profile) says:

Re: Re:

First, let’s leave aside that you appear to be the same person who regularly demands that I “engage” with you, and then throws a complete temper tantrum whenever I do engage and don’t answer the way “strawman mike” in your head would respond — and the fact that you recently promised to leave this site alone through the rest of the year if I did one thing — which I did, and you promptly and immediately ignored.

Next, I will ignore the ridiculous ad hominems peppered throughout your comment, and focus on the key issues.

You cite your last article, where you discredited this very well respected and accomplished person for admitting she doesn’t use email. You claimed that she was therefore unqualified to do her job (as you so often do while stomping your feet as you discredit others), but you were COMPLETELY UNABLE to name even one thing that she did not understand or could not do.

There are certain things that you cannot understand if you are not engaged in them on a regular basis. How the internet functions is one of those things. She did not admit to just not using email, but also not using internet services. It is my studied and experienced opinion, that if someone does not use the internet, they will have very little understanding of how the internet works, why it’s important that it works the way it does, and why blanket statements about threats on the internet may not be accurate.

That’s not lying, that is my considered opinion as someone who has been involved in this field for quite some time.

That you take my opinion — one that I stand behind — and insist that it is some nefarious plot to lie is an issue for you to deal with. The rest of your comment is nothing but ad hominems and faulty reasoning, so there is nothing else to respond to.

Now, I fully expect that since this answer does not comport to your “expected” answer, that you will continue to freak out. I will request, politely, that perhaps you think twice about that, and realize that, perhaps, I am not the evil strawman you have built up in your head.

Anonymous Coward says:

The secret they don't want you to know

All right, I’m not supposed to do this but here it goes. I’m actually a Secret Agent working for Uncle Sam, and I know for a fact that all of the US military and civilian infrastructure capacity is actually accessible over the regular web. Just go to the CIA.gov site and press F6, the password is “swordfish”.

Anonymous Coward says:

Well, let’s see. There was no issue with cyberwar or its protections prior to the US releasing STUXNET on Iran. Or Flame. But suddenly after doing so, we need laws to protect us? How about not releasing malware that won’t get disassembled to show how it’s done? That might go a long ways towards protection right there. Surely the US knows that it will come back to haunt them, after Obama took credit for the US’s involvement.

The US already stated that a cyberattack is a reason to declare war. So in essence they’ve already done that with Iran.

If the infrastructure is in such fragile disarray as to be vulnerable to cyber attack causing the likes of Pearl Harbor to the US, what is it doing still connected to the internet?

How about our politicians get a clue and go after the makers of SCADA software that did not include security as part of the package? After all we’re not talking new software or anything. The whole SCADA system setup is obsolete telephony methods adapted to industry. You’d think in all this time it would have dawned on someone you don’t put a default backdoor password in specialized routers that can not be deleted or changed. This is not rocket science. It’s basic security.

Androgynous Cowherd says:

Fear!

I’d say that it’s not so much the utility downtime that’s been the problem with Hurricane Sandy compared to, say, the wind and the copious amounts of water falling from the sky and piling up on the ground. Last I checked, that can’t be controlled via a computer (leaving wacky conspiracy theories aside).

OMG terrorists are going to hire Gus Gorman to hack the Vulcan weather satellite and cause hurricanes in NY!!! Someone has to DO SOMETHING!!!1! GIVE US MORE MONEY TO REPEAL THE 4TH AMENDMENT NOW OR WERE ALL DOOOOOOMED!!!1!11!1one

Anonymous Coward says:

Paranoia breeds paranoia

The government has pushed this cyber threat so hard that even non-essential websites see any issue as a cyberattack. I tried to join a forum and got quickly booted and my IP banned because my IP address didn’t match up with my physical location in Las Vegas. I started the registration on my phone using the company wifi. All our IT is handled through a Canadian company. So when I tried to complete the process at home I got flagged for having a different IP address. I would try to get the whole thing squared away but if they go ape-shit over a simple thing like this, I’d hate to see what drama they have going on in every day operations.
