The Wolf Approaches
In the government, the use of the term “grave” means something very specific. That meaning should be obvious to you, but on the off chance that you haven’t had your first cup of coffee yet, it means that whatever the issue is, messing it up could cost someone (or more than one person) their life.
The attack against the water system in Oldsmar, Florida was a potentially grave situation. A water system is not a trivial technology enterprise and as such it has numerous checks – including a human in the loop – to make sure malicious activity or honest mistakes don’t end lives. But the fact that an outsider was able to get such access in the first place makes it clear that there exists a disconnect between what such systems are supposed to be, and what they are.
We give the Sheriff of Pinellas County a pass on the use of the term “wake-up call” because he has not spent a large portion of his life in the belly of the cybersecurity beast. A wake-up call only happens once, how we respond indicates how serious we are about taking action:
- In 2015 DHS Secretary Jeh Johnson calls OPM breach a “wake-up call”
- In 2012 General Alexander, Director of the National Security Agency, calls the hacker attack on Saudi ARAMCO a “wake-up call”
- In 2010 Michael M. DuBose, chief of the Justice Department’s Computer Crime and Intellectual Property Section, called successful breaches such as Aurora "a wake-up call"
- In 2008 Deputy Secretary of Defense William Lynn called the BUCKSHOT YANKEE incident “an important wake-up call.”
- In 2003 Mike Rothery, Director of Critical Infrastructure Policy in the Attorney-General’s Department of the (Australian) Federal Government called a hack into a wastewater treatment plant “a wake-up call.”
- In 2000 Attorney General Janet Reno called a series of denial of service attacks against various companies a “wake-up call.”
- In 1998 Deputy Secretary of Defense John Hamre called the SOLAR SUNRISE incident “a wake-up call.”
- In 1989 IT executive Thomas Nolle wrote in Computer Week that poor LAN security was a “wake-up call.”
The details of this particular case are probably never going to see sufficient sunlight, which only adds to the ignorance on these matters at all levels, and sustains the fragility we so desperately need to improve. This is particularly important when you consider how our relationship with technology is only getting more intimate.
These are issues that are decades old, yet if you want to have some idea of what it will take to spur action, keep in mind that we intentionally poisoned 100,000 people via a water system for five years and no one is in jail (yet). The idea that the people rooting around in such systems have the ability to cause such effects but don’t because they appreciate the moral, ethical, and legal implications of the matter is increasingly wishful thinking.
We in security have long been accused of “crying ‘wolf’” and for a long time those critics were right. We knew bad things could happen because Sturgeon’s Law has been in full effect in IT for ages, but it has taken this long for matters to go from merely serious to grave. Like everyone who puts off addressing a potentially fatal issue until the symptoms cannot be ignored anymore, our ability to survive what comes next is an open question.