30 January 2011

OECD’s Cyber Report Misses Key Facts - Jeffrey Carr - Digital Dao - Forbes

Cyberwar soldiers (image via Wikipedia)

Professors Sommer and Brown wrote a paper for the OECD entitled “Reducing Systemic Cybersecurity Risk”. They sought to answer the question “How far could cyber-related hazards be as devastating as events like large-scale pandemics and the 2007-10 banking crisis?”. Their conclusion: “very few single cyber-related events have the capacity to cause a global shock.” The authors identify only two events that would qualify:

  • a successful attack on one of the underlying technical protocols upon which the Internet depends, such as the Border Gateway Protocol
  • a very large-scale solar flare which physically destroys key communications components such as satellites, cellular base stations and switches.

It’s important to note that the professors have taken care to address only “pure” cyber war, not hybrid or multi-modal warfare in which cyber is one component of a kinetic attack. Personally I think that greatly diminishes the value of the project: it sets aside the evolving nature of cyber warfare, particularly as it has actually been conducted since late 2009, in favor of a theoretical academic exercise. And that’s really the crux of my problem with this report. It’s more “ivory tower” than “street”, and while parts of the work are well-researched, other parts show little to no research at all. Here are a few of its biggest flaws.

- Reasons given for why there will never be a true cyber war:

(1) many critical computer systems are protected against known exploits and malware so that designers of new cyberweapons have to identify new weaknesses and exploits;

(2) the effects of cyberattacks are difficult to predict;

(3) there is no strategic reason why any aggressor would limit themselves to only one class of weaponry.

I can’t imagine any information security professional accepting (1) as valid. Protection against known exploits and malware is the baseline, and finding new weaknesses is exactly what offensive organizations do. The notion that USCYBERCOM, Israel’s Unit 8200, and the Bundeswehr’s Strategic Reconnaissance Unit in Germany would throw up their hands in the face of “having to identify new exploits and weaknesses” is utterly laughable.

The authors’ point (2) cuts both ways: effects that are hard to predict may give an attacker pause, but they are at least as much a problem for the defender trying to assess damage and respond.

And point (3), as it applies to cyber warfare, makes me wonder whether the authors consulted any military strategists in writing this report, particularly Western military officers who read Sun Tzu:

“The skillful leader subdues the enemy’s troops without any fighting; he captures their cities without laying siege to them; he overthrows their kingdom without lengthy operations in the field.”

There are many strategic reasons for achieving the objectives of a war without the enormous costs incurred through massive destruction of the enemy’s infrastructure, work force, and economic base. Operations against an adversary state conducted in cyberspace may be one of the few ways to achieve that goal.

- Analysis Of The Likelihood Of Cyber-Related Events

Appendix 1 of the report lists tables which “illustrate feasible cyber-related events and analyses them for likelihood, duration and propagation”. Here are a few examples provided by the authors:

Event: Zero day fundamental flaw in popular operating system

Likely Duration/Recovery Factors – immediate: “News of the exploit would appear within 24-48 hours, together with initial (and probably partial) advice on evasion. A fuller remedy might take 7 or more days and would be in the form of a patch. Advice would need to be disseminated about acquiring and applying the patch safely.”

Potential For Global Impact: Low

There are so many exceptions to this statement that I hardly know where to begin. Even the coordinated-disclosure clocks are far longer than seven days: CERT/CC’s policy gives vendors 45 days from initial report before details are published, and Google has set its own figure at 60 days. Stuxnet is a great example of how long patching critical vulnerabilities can actually take. The .LNK vulnerability had been known since November 2008, while the patch came out in August 2010. The print spooler exploit used by Stuxnet was first known in April 2009, while the patch was released in September 2010. The privilege escalation via Task Scheduler vulnerability went unpatched until December 14, 2010.

Another important factor not addressed by Sommer and Brown is that companies don’t immediately push patches released by Microsoft onto their networks. They have to be tested first to ensure that they don’t break anything, and that can take another month or longer. Bottom line: the authors’ entire “proof” for this event needs to be thrown out.

Event: “Large Scale Failure Of Electricity Supply”

Likely Duration/Recovery Factors – immediate: “Electricity is usually supplied via a grid so that some service can be restored in hours. More remote locations may have to wait days, but not much longer.”

Potential For Global Impact: Low

This category of risk was grossly under-researched. It made me wonder whether the authors had ever personally lived in a region without power for two days or more. “Low impact” is not what comes to mind for those times when my neighbors and I have endured that experience. Even worse, the authors didn’t address the more serious risks posed by the rapid rollout of the Smart Grid, where a compromised meter population cannot be restored by simply re-energizing lines.

David Baker wrote the following assessment in his article “Making A Secure Smart Grid A Reality” for the Journal of Energy Security:

If a truly malicious worm were to infect meters in a given area, there would be a best- and a worst-case scenario. Under the best-case scenario, the utility would simply push a firmware update across the standard wireless network to all the affected meters, overwrite the worm, and return the meters to normal operation. This assumes the attacker had not damaged the remote flashing capabilities, changed the frequency on which the meter operates, or changed the calibration of the meter.

Unfortunately, during malicious attacks the worst-case scenario is more likely to be true. In this case, the normal wireless update mechanisms would no longer be intact, or the calibration of the meters would have been changed. If meters supported remote disconnect capability they could be instructed to simultaneously or individually disconnect service to customers’ homes. To return power to affected homes, the utility would need to take time to understand the vulnerability and develop a patch. Then the utility would need to physically repair or replace each meter to return it to normal operation. Restoring power to homes would likely be an expensive and long process, detrimental to the utility and frustrating to the customers.


Call it what you will, cyber operations with hostile intent are being conducted every day, while cyber warfare tactics, techniques, and procedures are being researched, drafted, debated, and implemented by both developed and developing nation states. Sommer and Brown really bit off more than they could chew with this research project. A proper evaluation of just the impact of attacking the vulnerabilities present in Smart Grid technology, and its potential global effects, would have been a much wiser investment of their time and OECD’s budget. In my opinion, this paper did not answer the question assigned to it. It’s a Fail.
