This article was originally published in January of 2013 on 10GbE.net.
Now I’m not just some random blogger with an opinion, and no street cred to back it up. I started hacking back in 1983 as a hobby with my TRS-80 Model III when it was still cool, and legal. “War Games” had just been released, and ethics were the only rules. Later that year I was hired by IBM Research, a company I remained with for 16 more years. During that time I’d tied many different systems together. At one point I worked side by side writing code for Davis Foulger to link Prodigy, Compuserve, AOL, and IBMPC (the IBM internal social network) together so IBMers could answer customer questions from anywhere using a single internal system. In the late ’90s I designed and created a solution for the company that linked many different systems together and in 1999 it collected $2B in revenue. This effort earned me an IBM Outstanding Technical Achievement Award, but to pull this off we also created a state of the art hacking tool for Lotus Domino to certify that our system was secure, which almost landed us in jail. So I know a bit about cyber security, and linking together different systems.
So is a “Fire Sale“, a “Cyber 9/11”, probable or Just possible? Possible, definitely. Probably, within a reasonably defined scope, say a single city, and it would require substantial capital to motivate and assemble a team with the proper skills. The team would need to touch every power grid, water, sewage treatment, mass transit, oil refinery, financial trading, etc. system within the scope. These systems don’t need to be Internet connected, people are always required to service, and inspect them, and internally they are often networked together. One would simply have to crack the case off a $100 Verizon 4G USB Cellular modem, then 3D print a new case branded to match the software product that industry runs so it would be camouflaged as a USB software license key. It could go unnoticed forever unless they did an active RF sweep. Prior to inserting this USB stick another containing a modified version of Operation Olympic Games (Stuxnet) could be used to open the security hole and inject the software, then the 4G connectivity would be used to continuously report back, and eventually carry the trigger message to bring the system down. The right mix of social hacking, posing as contractors doing repairs, or government regulators conducting inspections, even OEM system engineers doing required service could easily facilitate this objective.
George W. Bush authorized Operation Olympic Games in 2006, during Homeland Security Secretary Michael Chertoff’s time in office, why wasn’t this considered and addressed seven years ago? Secretary Napolitano has been in office three years now, and all of the sudden it’s a priority. Our government could form its own cyber security Tiger Team. This team could then covertly attack key industries, and report back to these firms their findings, and the appropriate counter measures. These attacks would simply demonstrate vulnerabilities, not bring down systems. Since the early ’90s, IBM has had it’s own Security Tiger team, “Global Security Analysis Lab“, that regularly trained key three letter agencies. I met with their leader in the late ’90s to provide him with a copy of our IBM Internal use only Lotus Domino ethical hacking tool.
A “Cyber 9/11” can be prevented, but regulations aren’t the answer, that process is far too slow and rigid. An elite group of patriotic, well compensated, cyber professions could do in two years what the administration has ignored in the past seven years. Only time will tell.