Our False Sense of CyberSecurity

This week, we learned about a wave of successful on-line hacks of the US electrical grid. We also heard about a fast-evolving virus (Conficker C) that has been actively organising millions of infected/enslaved PCs worldwide into a very formidable (and potentially malevolent) Botnet.

On-line insecurity is nothing new, but it always represents a risk.

Some people might give these stories a second thought, but their third thought would probably be, “Nah, [insert name of responsible organisation here] will take care of it.”

We have long relied upon groups like Microsoft, Symantec and “the government” to shield us from the not-so-nice elements of network computing, but is it reasonable to assume that they will always be successful in defending us?

On September 11, 2001, many millions of Americans (and, globally, many hundreds of millions more) followed in horror and disbelief the events of that tragic day. The tools of destruction appeared to be nothing more than box cutters, duct tape, some flight training and, of course, four passenger jets laden with aviation fuel. Twenty-or-so fervent radicals (and their controllers) had succeeded in turning these mundane emblems of Western society into deadly weapons of massive destruction.

No one seemed to spend much time openly investigating whether compromises in digital infrastructure contributed directly or indirectly to the terrible outcome, but there are several clues which point to the possibility that this may be true:

The GPS Downgrade

On September 12th, GPS (global positioning system) resolution for unlicensed commercial and consumer use was reduced from 10 metres to 100 metres, even though there had been no formal acknowledgment that GPS had been used by the hijackers to guide the planes to their fatal destinies. In fact, the guidance gear aboard the aircraft would have been far superior to that which could be bought at the retail level by the attackers. This could be viewed as strictly a precautionary manoeuvre by the government, because there was no way of knowing whether further attacks were forthcoming, or it could have been based on a suspicion that the aircraft may have been guided to their targets by complicated auto-pilot reprogramming in the cockpit — or even remote control. Each of the targeted planes carried on-board remote guidance and control systems designed to permit air traffic control (ATC) to assume command in the event of pilot incapacitation.

(I heard the report of the GPS downgrade during a newscast by CFRB 1010AM on September 12th and verified the information on-line the next day but can find no links to those stories today. Sorry, you’ll have to do your own digging on that one.)

One of the hijackers (Ziad Jarrah) attempted to purchase four handheld GPS units from a flight store on August 22, 2001, but was only able to purchase one, along with some aeronautical charts. Zacarias Moussaoui (the so-called “20th hijacker” who did not make it onto his flight or was for some other reason not included in the operation) tried to purchase some GPS equipment, asking whether it could be used for aeronautics. I don’t know if any GPS units were taken aboard any of the four flights; that didn’t appear to be covered in the official 9/11 Report. (PDF – 7.2 MB)

Slacker Flight Students

By some accounts, the hijackers who took their pre-attack flight training in the United States were poor students. However, they wouldn’t need to be very well-trained if all they had to do was to keep the flight crew from disengaging the auto-pilot. (The remote guidance systems installed in the planes required that the auto-pilot be engaged in order for remote control to be established.) Flying a large jet at high speed and low altitude takes a very good pilot with top-notch training. This is especially true in the case of the Pentagon strike because of the building’s relatively low physical profile.

“He [Hani Hanjour] was a pain in the rear. We didn’t want him back at our school because he was not serious about becoming a good pilot.”

— Duncan Hastie, Owner, CRM Airline Training Center in Scottsdale, Ariz.

Despite failing his flight certification and being graded unfavourably by several flight instructors, Hanjour is thought to have been at the controls of the flight that slammed into the Pentagon on September 11th — an assault requiring a high degree of skill.

One Year Later

Just over a year after the 9-11 attacks, the terror of random shootings gripped the Beltway. The first fatality in the area was James Martin, an employee of the National Oceanic and Atmospheric Administration (NOAA). In June, 2002, Mr. Martin cleaned, wiped and delivered ten retired NOAA computers to a school (PDF – pg.4) as part of a giving program that he personally championed.

(Note: NOAA’s network is directly linked to the US Air Traffic Control network because of the need for accurate and immediate weather reports.)

We may never know whether Mr. Martin found some evidence of unauthorised access in those federal machines, but if he had, he probably would have reported it to the FBI. Any such reports would be forwarded to the National Infrastructure Protection Center (NIPC) and would certainly have come across the desk of the NIPC-FBI liaison at the fledgling InfraGard program.

InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. InfraGard Chapters are geographically linked with FBI Field Office territories.

— from the InfraGard website

Although the InfraGard program has since been expanded to include physical threats, it was primarily concerned in 2001 with the identification and containment of cyber threats to key digital infrastructure systems, including: electrical grids, water provision and treatment facilities, nuclear installations and commercial aviation systems.

The FBI analyst leading the program was Linda Franklin, who (like Martin) also happened to be killed by the Beltway Snipers. Ms. Franklin, shot down in front of her husband in the parking lot of a Home Depot in Fairfax, Virginia, was the driving force behind the InfraGard program, though her relative importance (with respect to cyber-security) was played down in most media reports. InfraGard established the Linda Franklin National Achievement Award in 2003.


Rest in peace, Linda, James, et al.

The ’Net Result

Technologically advanced societies rely heavily on the technology they create.

That’s both a strength and a weakness; a double-edged sword.

Is it possible to live by it without dying by it?

© 2009



18 responses to “Our False Sense of CyberSecurity”

  1. imahd

    Kaspersky warns of cyber world war at London conference…

  2. imahd

    NYT: Pentagon Will Help Homeland Security Department Fight Domestic Cyberattacks

  3. imahd

    Chinese academic paper details how to cyber-kill US power grid…

    Reminds one of a paper first published in 1999 by two PLA colonels: Unrestricted Warfare

  4. imahd

    DC Sniper Muhammad to Die by Lethal Injection – November 10th.

  5. Pingback: 9/11: Back to The Future «

  6. imahd

    The government’s report on FAA Web vulnerabilities and malicious exploits (PDF – 256 KB)…


  7. imahd

    May 7, 2009 3:59 PM PDT
    Report: Hackers broke into FAA air traffic control systems
    by Elinor Mills

  8. imahd

    CyberCom Goes 4-Star

    WASHINGTON — Defense Secretary Robert Gates plans to nominate the director of the National Security Agency to head a new Pentagon Cyber Command, which will coordinate computer-network defense and direct U.S. cyber-attack operations, according to a draft memo by Mr. Gates.

    The move comes amid rising concern in the government about attacks on U.S. networks. The command will run military cybersecurity operations and provide support to civil authorities, according to the memo reviewed by The Wall Street Journal.

    NSA Director Keith Alexander, a three-star general, is expected to earn a fourth star when he moves to his new job at the Cyber Command. The memo doesn’t state that directly, but says that his deputy at the new command will be of a three-star rank. It isn’t clear who will succeed him at the NSA.

    more at link…


  9. imahd

    CyberCom Rates 3 Stars

    The US administration is planning to create a new military command to counter cyber attacks on the country’s sensitive computer networks, a US defense official said on Wednesday.

    The move would be part of a planned overhaul of cyber security policies now being weighed by the White House, the official, who spoke on condition of anonymity, told AFP.

    The “cyber command” would likely fall under the US Strategic Command, which already leads efforts within the military to safeguard computer networks from hackers and cyber attacks, the official said, confirming media reports.

    more at link…

