Our False Sense of CyberSecurity

This week, we learned about a wave of successful on-line hacks of the US electrical grid. We also heard about a fast-evolving virus (Conficker C) that has been actively organising millions of infected/enslaved PCs worldwide into a very formidable (and potentially malevolent) Botnet.

On-line insecurity is nothing new, but it always represents a risk.

Some people might give these stories a second thought, but their third thought would probably be, “Nah, [insert name of responsible organisation here] will take care of it.”

We have long relied upon groups like Microsoft, Symantec and “the government” to shield us from the not-so-nice elements of network computing, but is it reasonable to assume that they will always be successful in defending us?

On September 11, 2001, many millions of Americans (and, globally, many hundreds of millions more) followed in horror and disbelief the events of that tragic day. The tools of destruction appeared to be nothing more than box cutters, duct tape, some flight training and, of course, four passenger jets laden with aviation fuel. Twenty-or-so fervent radicals (and their controllers) had succeeded in turning these mundane emblems of Western society into deadly weapons of massive destruction.

No one seemed to spend much time openly investigating whether compromises in digital infrastructure contributed directly or indirectly to the terrible outcome, but there are several clues which point to the possibility that this may be true:

The GPS Downgrade

On September 12th, GPS (global positioning system) resolution for unlicensed commercial and consumer use was reduced from 10 metres to 100 metres, even though there had been no formal acknowledgment that GPS had been used by the hijackers to guide the planes to their fatal destinies. In fact, the guidance gear aboard the aircraft would have been far superior to that which could be bought at the retail level by the attackers. This could be viewed as strictly a precautionary manoeuvre by the government, because there was no way of knowing whether further attacks were forthcoming, or it could have been based on a suspicion that the aircraft may have been guided to their targets by complicated auto-pilot reprogramming in the cockpit — or even remote control. Each of the targeted planes carried on-board remote guidance and control systems designed to permit air traffic control (ATC) to assume command in the event of pilot incapacitation.

(I heard the report of the GPS downgrade during a newscast by CFRB 1010AM on September 12th and verified the information on-line the next day but can find no links to those stories today. Sorry, you’ll have to do your own digging on that one.)

One of the hijackers (Ziad Jarrah) attempted to purchase four handheld GPS units from a flight store on August 22, 2001, but was only able to purchase one, along with some aeronautical charts. Zacarias Moussawi (the so-called “20th hijacker” who did not make it onto his flight or was for some other reason not included in the operation) tried to purchase some GPS equipment, asking whether it could be used for aeronautics. I don’t know if any GPS units were taken aboard any of the four flights; that didn’t appear to be covered in the official 9/11 Report. (PDF – 7.2 MB)

Slacker Flight Students

By some accounts, the hijackers who took their pre-attack flight training in the United States were poor students. However, they wouldn’t need to be very well-trained if all they had to do was to keep the flight crew from disengaging the auto-pilot. (The remote guidance systems installed in the planes required that the auto-pilot be engaged in order for remote control to be established.) Flying a large jet at high speed and low altitude takes a very good pilot with top-notch training. This is especially true in the case of the Pentagon strike because of the building’s relatively low physical profile.

“He [Hani Hanjour] was a pain in the rear. We didn’t want him back at our school because he was not serious about becoming a good pilot.”

— Duncan Hastie, Owner, CRM Airline Training Center in Scottsdale, Ariz.

Despite failing his flight certification and being graded unfavourably by several flight instructors, Hanjour is thought to have been at the controls of the flight that slammed into the Pentagon on September 11th — an assault requiring a high degree of skill.

One Year Later

Just over a year after the 9-11 attacks, the terror of random shootings gripped the Beltway. The first fatality in the area was James Martin, an employee of the National Oceanic and Atmospheric Administration (NOAA). In June, 2002, Mr. Martin cleaned, wiped and delivered ten retired NOAA computers to a school (PDF – pg.4) as part of a giving program that he personally championed.

(Note: NOAA’s network is directly linked to the US Air Traffic Control network because of the need for accurate and immediate weather reports.)

We may never know whether Mr. Martin found some evidence of unauthorised access in those federal machines, but if he had, he probably would have reported it to the FBI. Any such reports would be forwarded to the National Infrastructure Protection Center (NIPC) and would certainly have come across the desk of the NIPC-FBI liaison at the fledgling InfraGard program.

InfraGard is an information sharing and analysis effort serving the interests and combining the knowledge base of a wide range of members. At its most basic level, InfraGard is a partnership between the Federal Bureau of Investigation and the private sector. InfraGard is an association of businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States. InfraGard Chapters are geographically linked with FBI Field Office territories.

— from the InfraGard website

Although the InfraGard program has since been expanded to include physical threats, it was primarily concerned in 2001 with the identification and containment of cyber threats to key digital infrastructure systems, including: electrical grids, water provision and treatment facilities, nuclear installations and commercial aviation systems.

The FBI analyst leading the program was Linda Franklin, who (like Martin) also happened to be killed by the Beltway Snipers. Ms. Franklin, shot down in front of her husband in the parking lot of a Home Depot in Fairfax, Virginia, was the driving force behind the InfraGard program, though her relative importance (with respect to cyber-security) was played down in most media reports. InfraGard established the Linda Franklin National Achievement Award in 2003.

Rest in peace, Linda, James, et al.

The ’Net Result

Technologically advanced societies rely heavily on the technology they create.

That’s both a strength and a weakness; a double-edged sword.

Is it possible to live by it without dying by it?

© 2009