Monday, November 9, 2009

Errata Security Responds to 60 Minutes

Errata Security has posted an interesting piece in response to 60 Minutes' investigation into threats to the US's digital critical infrastructure. I recommend you read the entire piece. Selected highlights from Errata are found below:

We know the CBS story is bogus. CBS news did not investigate the evidence. They instead cite “half a dozen sources” in the US intelligence community. However, these sources themselves did not investigate the evidence: they are simply confirming that they heard the rumor from people in the Brazilian government. Those government officials likewise did not investigate the evidence, they are likewise just passing on rumors.

CBS news didn't track this down. They didn't attempt to contact anybody in Brazil. They did not contact anybody at “Furnas Centrais Elétricas”, the company responsible for maintaining those transmission lines. They didn't even do a simple Google search, which would tell them that the company claimed at the time that the 2007 outage was caused by dust and soot from local forest fires (which, apparently, is a common problem in power transmission).

Additionally,

The CBS story is obvious government propaganda. All their sources are from the government, from people who stand to gain from increased government control over the Internet. For example, it says that the US power grid is insecure, and claims that the reason it's insecure is because it's not regulated by the government. That's not a reason. The federal government's computers are even less secure than the power grid – there is no reason to think that Congress can secure the power grid if they can't secure their own computers. Conversely, all the energy companies belong to the “National Energy Regulatory Commission” or “NERC”, which does indeed regulate the cybersecurity of the power grid. The reason the CBS story exists is because somebody else, such as the DHS or NSA, wants to take control away from the NERC. That's why you have such a one-sided story from CBS – they never talked to anybody at NERC, or any of the power companies.

Errata comes off a bit strong with some of their opinions, but there is interesting food for thought in this piece.

5 comments:

Andy said...

I'm not entirely sure where to post this, but apparently a botnet that is estimated to be responsible for nearly 1/3 of the world's spam was just taken down.

http://www.theregister.co.uk/2009/11/10/fireeye_takes_out_ozdok/

The botnet, known as Mega-D and Ozdok, was taken down by a small security firm known as FireEye, which attacked the numerous command and control centers of the botnet. It was found that more than 240,000 IP addresses were reporting to the C&C centers. This obviously must have been a very lucrative enterprise for those running the botnet, but the impressive part of this story is the size of the network, and the ability of a small security firm to completely dismantle it. Despite the massive organization, complex encryption, and variety of command and control centers involved with the botnet, it was taken down by a single coordinated attack. As a result the spam stopped almost immediately.

Anonymous said...

Furnas Centrais Elétricas may have attributed the outage to dust and smoke from forest fires because 1) they didn't know any better at the time or 2) wanted to conceal what they knew at the time. I am in the "uncertain" camp at the moment because while I expect Admiral McConnell had access to more information than we do, I doubt he directly viewed primary source data.

What I find interesting is how this administration is continuing to push for "Smart Grid" tech because it's "green" at the same time they are hyperventilating about the cracker threat. If they truly believe in the cyber threat to SCADA systems, the WORST thing they could do is put all their eggs in one smart-grid basket before they have worked out proper security controls.

Chris Keiser said...

Having read the Errata security article, which discusses CBS’ coverage of the power outages in Brazil, I am concerned by the behavior of United States’ information and security agencies. However, I am also left unconvinced by Errata Security. The article claims that the CBS story is bogus and they know this because CBS news did not investigate the evidence and instead passed off a rumor offered up by some security officials. However, since Errata did not itself investigate the evidence and simply offered other examples in which “hacker” attacks were falsified, I am not completely convinced.
However, I will say that regardless of the verity of CBS’ coverage, we as American citizens do need to be aware of the fact that the United States government and its agencies are often guilty of framing issues in terms of national security to gain support from opposition groups and the public. Once again, regardless of whether or not hackers did cause the power outage in Brazil, it would be in the interest of security agencies to present our power grids as being very vulnerable and therefore their insecurity as a threat to the United States. I say this because when politicians or government agencies present issues as being important for national security it is very difficult politically to oppose them.
For example, if you look at the politics surrounding the Iraq War you can see that political support for the war did not come about until weapons of mass destruction entered the discussion. Initially Saddam Hussein was only seen as a regional threat with minimal weapons capabilities and therefore not many legislators in the U.S. considered war with Iraq as a necessary step. However, once it was proposed that Saddam Hussein had weapons of mass destruction, he instantly became an international threat capable of striking the United States and therefore the Senate passed the Iraq Resolution in 2003. Democratic legislators who may have initially opposed war were forced to support the resolution because they could not afford to be viewed by their constituents as not caring about national security. Therefore, my point is that even if hackers did cause the power outage in Brazil, which Errata Security claims is not true, we as American voters must be aware of times when the government presents certain issues as threats to American security. It is often simply a political ploy to gain bipartisan support.

Skyler said...

I tend to align with Chris's comments... Whereas I hear tons of government propaganda in the CBS story (the rhetoric was so strong, I found myself at times freaked out by the language and concerned about a global meltdown), I do find it problematic for Errata to just dismiss any of the claims of CBS as though it was all produced for ulterior motives. The politics of language are exploited by both the CBS story and the Errata response in that they each seem to cater their language for a very specific motive. Media outlets have the unique power to evoke an emotional response, and after viewing this CBS story, it really leaves the viewer with such a doomsday irrationality that can be so dangerous in a country still reeling from 9/11 and its subsequent global attacks.

Though Errata seemed at (most) times defensive, they made a really great assertion that I think does essentially challenge our current approach to cyberterrorism and the greater threats about which we are so worried. The article reads, "Hackers are like witches in Salem in the 1600s. When crops failed, people blamed it on the witches, who were burned at the stake." This is really true! We really do run to the worst sometimes, assuming that some highly intelligent network exists somewhere out in the world, with no known identity.

Finding the happy medium, that is a balance between crying wolf and being completely complacent, will be key to our continued effort to both fight the bad guy but also keep us safe. Good luck, Mr. President and the intelligence community as a whole -- it seems like such a hard (slash impossible) undertaking.

Keith Levinsky said...

I also looked up Errata's facts and it appears that the blackout was caused by a series of storms in Brazil. This demonstrates that the government is attempting to scare the public into readiness or scare the public into giving them more power as Errata suggests. This false example of an attack on a power outage seems to be similar to a Wall Street Journal article I have read which said that foreign spies had entered the power grid and taken control of it. The Journal, however, fails to show evidence of who had made the attacks or evidence that the attacks even occurred. These falsifications clearly demonstrate yet again that the main objective behind the 60 Minutes episode was fear. I agree that the episode was primarily just propaganda.
I am not sure, however, that I like Graham's response to the fact that the power grid is insecure. He thinks that the United States should just accept that its power grid will be compromised. I normally dislike extra regulation. In this case, however, an effort should be made to protect America's power source which, if broken, could cause an incredible amount of damage. Lives could and probably will be lost if the power grid is broken.