Tell me about this breaking news: Russia and our power grid

I’m not sure if this should go here or in Great Debates.

What’s this I’m seeing on the news this morning: Russian malware discovered on a Vermont laptop, and its purpose is to disable a power grid? CNN says that Ukraine in 2015 was struck by a similar cyberattack which took out power grids in major cities.

What the hell is going on?

CNN shows it.
cite.

Washington Post reports it.
cite

Both list Primary Sources at the utility in question.

The Russians are trying to downplay it, emphasizing the code as “outdated”. (i.e. they have better?)
cite

Small [del]Fake-[/del]Alt-News sites are trying to downplay it.
cite.
The people who verify facts and sources confirm it; the people who don’t dispute it.
Conclusion: The report seems Credible.

Maybe the Russians are copying the Stuxnet worm that we put in Iran’s computers.

I’m not familiar with the story beyond what I just read in the cites here. And I don’t have any first hand knowledge of the code used in this malware. I would just say in general that attribution is tricky in cases like this. It could be that the developer of this malware just borrowed code from the Russian malware. Once a piece of malware gets out in the wild, other developers can borrow from it for their own malware. If it’s just that some code and techniques are shared between this malware and the stupidly named “Grizzly Steppe” malware, that wouldn’t strike me as particularly persuasive. On the other hand, if this malware is using the same command and control infrastructure, then that’s more significant.

Anyway, malware attacks on the power grid and other parts of critical infrastructure are almost certain to be a big part of future conflicts we find ourselves in. I guess taking out a city’s power with malware is at least slightly better than taking it out with carpet bombing.

I was doing eSecurity for a utility firm a year ago. Let’s just say “shocker.” I had to leave, I couldn’t sleep nights.

So Russia has the same intentions towards the United States as the United States has towards Iran?

Which is kind of bizarre because this is exactly the sort of thing they’d ordinarily be all up in arms about as some kind of precursor to a Russian armies hiding under Lake Michigan/UN/FEMA takeover during a natural disaster/New World Order conspiranoism. These are basically the subsequent generation of conspiracy wing nuts who were so fearful about how the collapse of the Soviet Union was a sham who are now embracing the oligarchical leadership of a nation now controlled by the former head of the KGB. This is some real Philip K. Dick psychoactive-induced alternate history shit right here.

Well, we did that. We know it can be done, and we’ve frankly done very little to protect our own domestic infrastructure from it in a comprehensive fashion even though the geographic barriers that have largely protected us from a physical invasion offer no advantage from attacks across the Internet.

Don’t be so certain about that last statement. Without becoming too hyperbolic, it should be noted that many aspects of our infrastructure and critical industries are highly dependent upon Internet communications and networked control. The potential for economic, social, and even physical damage is fantastic, and they can be launched from a remote location with no warning of physical intrusion. Shutting down the power grid to, say, Chicago in the middle of a -20 deg C winter storm for days on end would be very nearly catastrophic given how few homes or businesses have provisions for emergency power or heating for that duration. Attacks on traffic control or water processing systems, while more readily physically mitigated by improvised solutions, could have dramatic economic impacts. The US Department of Defense is very concerned about cyberattacks and has been taking steps for years to attempt to develop defenses (whether they will be effective or not is another question), but despite all of Trump’s incoherent bluster about ‘Cyber is important’, the incoming administration does not appear to be making civil cybersecurity any more of a concern than the outgoing administration, and it leaves the nation vulnerable to potentially crippling attacks by a committed, technically capable opponent. And unlike conventional or nuclear weapons, the amount of investment to develop an effective malware offense is not beyond the means of even a modest nation or non-state actor provided access to technically competent people. Right now the focus is on Russia, but it will soon be any number of nations as they realize the advantages it offers and the vulnerability of developed nations to being held ransom to such attacks.

Stranger

Stranger, you’re right of course. My “at least it’s better than carpet bombing” was meant to be somewhat facetious. I was just suggesting that, if you have to have your power system destroyed, at least not having bombs dropped too is a meager improvement. But, yeah, the Atlantic Ocean is a more effective barrier against airplanes than against emails with malicious attachments.

Anyway, since our power grid is in the hands of scores of private companies with varying degrees of security preparedness, it’s damn near impossible to lock it down to any real degree in the face of a determined attack from an adversary with the resources of a national government.

On the other hand Russia may be just as vulnerable to such attacks and thus would be deterred from making such attacks because of this.

Because they’ve found such attacks on Their soil?

Then again… perhaps they Should.

That is definitely a significant problem, and not just in respect to malware attacks but also vulnerability to natural disasters such as a Carrington event, electromagnetic pulse, or just being overloaded. While nationalization of the power grid is probably a cure worse than the disease, the owners of the various interconnected grids should be incentivized to update the obsolescent infrastructure with more robust and efficient subsystems, homogenize the system so there are fewer problems with interconnection and redundancy, and have a sufficient amount of replacement components on hand to effectively recover from a wide scale failure like a Carrington or EMP event. This would be costly but it would be a tiny fraction of the cost of wide scale failure persisting for months or years.

Except Putin doesn’t actually seem to care much about his population or even infrastructure, and seems relatively disinterested in deterrence as his provocational actions in the past few years would seem to show. It is a mistake–one we keep making over and over–to assume that your opponent has the same interests, concerns, and values as you. For Putin, looking like a strong leader and demonizing the US to his Russian constituency is far more important than long term stability or security. He plays aptly into the deep Russian cultural insecurity about not being taken seriously as a major power, and that is the fulcrum upon which his foreign policy is based. We should not assume parity for his interest in demurring from being attacked; in fact, if Russia were attacked and he could prove it, it would just bolster his claims of needing to be strong regardless of the quality of life cost to ordinary Russians.

That brings another point worth considering, as well. Putin and Trump have so far benefited (in various ways) from their mutual admiration society, but having both gotten what they wanted from it (for Putin, to sway the election away from a candidate that would be hawkish toward Russian interests; for Trump, to clutch the presidency and access to the power and wealth it offers for plunder) there is now little motivation to play nice, especially once American corporations get more invested in Russian petroleum and resources, and Putin can grab them by the kiska. Expect the current lovefest to turn into deep antagonism, with Putin flaunting his control and Trump ineffectually trying to make the same kind of shitty ‘deals’ he espouses in The Art of the Deal.

Stranger

I hear ya, pal… but even Jane Goodall couldn’t explain the mentally ill and self-destructive herd mentality of the Trumpanzee…

My WAG is our real problem is North Korea. They have little or nothing for us to retaliate against. Destroying their power grid and knocking them “back to the stone age” would have little noticeable effect.

Nm, misread.

Exactly. Keep in mind that even with all the numerous backups and contingency plans, Hurricane Sandy shut the New York Stock Exchange for two days. A deliberate attack on the power grid in major financial centers such as New York or Chicago could allow the Russians to fuck with the financial markets.

To the tune of tens or hundreds of billions of dollars, sufficient to create long term impacts. War is as much about logistics and economics as it is bullets and bombs, and that kind of cyberwarfare cuts out the need to manufacture and deliver any ordnance while doing lasting economic damage with potentially devastating effects on the health and well-being of the civilian population.

Stranger

So why HASN’T it happened yet? My off the cuff guess is that the smaller, more motivated players don’t have the know how yet, and the major nations are still reluctant to be the first to start the war?

The ability to cause damage through intrusion is highly dependent on both how systems are controlled (centralized or distributed) and discovering vulnerabilities, both of which are regularly changing. We’re still in the early days of being able to do serious damage–despite what you’ve seen in Die Hard sequels and Bond movies, you can’t just make a building blow up by sending a command to open some gas vents (yet)–and of course it needs to be done in a way that is reasonably deniable while still being virulent enough to have real and persistent effects rather than minor annoyances. One of the advantages is that many critical systems have migrated or been developed to operate on some flavor of Linux or BSD, which have a profusion of different versions of libraries which limits the effectiveness of an attack based upon any particular vulnerability and also a fairly robust community of finding and patching security holes (unlike, say, Microsoft and their “security through obscurity” model). To ask why Russian hackers haven’t taken down the US grid is like asking if the Germans had tanks why didn’t they win WWII; because it takes more than just tanks to win a war.

Note that this problem of vulnerabilities is not impossible to overcome; while a persistent enemy will search for and find individual vulnerabilities, a robust intrusion detection and command authorization system along with distributed control that can isolate against infiltration and damage can prevent wide scale infection and control. The biggest problem is just the ignorance-driven apathy, the notion that if it hasn’t happened yet it won’t be a problem, even though in our ever-increasing interconnection and “Internet of Things” it is already possible to spy on someone using their own audio-capable appliances, shut down communications systems and vehicles remotely, and insert fraudulent commands or data into control systems to spoof them into failures.

I read a study a couple of years ago (not for public distribution) which discussed how vulnerabilities in commercial office equipment in the Pentagon and military bases–things like network routers, video conference systems, and even environmental control systems–could be used to compromise security in a wide number of different ways, completely bypassing all of the military-grade protection and encryption on operationally procured systems. “Information Assurance” has become a big bugaboo for the military because while they are dependent upon commercial equipment for a lot of nominal day to day operations, there is no real program or even consensus on what should be done to lock those systems down.

Stranger

Yeah, but I’m not talking about “winning a war”; I’m talking about taking a significant action that it seems to me a no brainer to many.

I’m not sure I grasp your question, but to take a nation like China, it really doesn’t have any incentive to do economic damage to its largest economic trading partner. Or Russia, which hasn’t yet crossed into the “burn it to the ground” threshold, but is clearly preparing for the day Putin or his successor decides to lob that shitball over the gate.

Stranger