Friday, February 19, 2010

Be careful -that slope is slippery

I remember when I first started working in corporate information security - back when no one really cared about security.  Come to think of it... nothing really has changed in 10 years - but I digress.

One trick I learned quickly back then and have been using ever since is that if you want to make something happen, prove there's a need.  If you can't prove there's a need, stage a mock incident to prove there's a need.  In case you haven't paid attention, the news has been flooded lately with the story of the US government staging a mock "massive cyber attack" to gauge response and figure out where we as a digital nation are lacking.  To some, the results were shocking.  Those of us who have worked in information security for more than 30 minutes just yawned and said "so what?"...

The Washington Post wrote "War game reveals U.S. lacks cyber-crisis skills", Information Week (Government edition) had a headline reading "Cyberattack drill shows U.S. unprepared", and Yahoo! among other outlets kept using the term "digital doomsday"... incredible.

What caught my attention initially on this was not that it was semi-officially dubbed "Cyber Shockwave" ... or that it was staged for the world to watch the epic failure we all knew would come - but this gem of a quote:

Half an hour into an emergency meeting of a mock National Security Council, the attorney general declared: "We don't have the authority in this nation as a government to quarantine people's cellphones."
The White House cyber coordinator was "shocked" and asserted: "If we don't have the authority, the attorney general ought to find it."

There is a great line from a movie, I think, that goes "if you peer into the darkness long enough, the darkness peers back"... I'm not sure I like what's staring back at us.  For those of us that are cynics of government's "good intentions" (and repeated abuses of trust and power) this has got to scare the pants off you.

The thought of the government quarentining people's cell phones is insane -think of the incredible power that the government would officially have if that were the case.

More now...
In a crisis, she said, "Americans need to know that they should not expect to have their cellphone and other communications to be private -- not if the government is going to have to take aggressive action to tamp down the threat."
She recommended that the Obama administration seek legislation for comprehensive authority to deal with a cyber emergency.
Participants also wrangled over how far to go in regulating the private sector, which owns the vast majority of the "critical" infrastructure that is vulnerable to a cyber attack. Stewart Baker, a former assistant secretary at the Department of Homeland Security who played the "cyber coordinator" on Tuesday, said that the private sector was not prepared to defend against a cyber act of war and that the government needed to play a role.
That's right, the government is going to further intrude into the private sector - or at least they have plans to.  Forgive me for donning the tin hat for a moment but doesn't the government already have secret wire-tap and other intrusive elements under the Patriot Act?  There were rumblings some time ago that President Obama wanted to be able to "shut down portions of the private Internet" in a crisis... lest we forget.

Let's widen our focus just a little bit folks... I'm all for security and being able to defend my homeland from Internet-bourne attacks BUT... we need to be careful on the motivations of our dear government...
  • Over the last several years our civil liberties, specifically the right to privacy - have been depleated at an alarming rate... mostly in the name of "anti-terrorism"
  • Our government has proven that it cannot be trusted with keeping to its own rules and regulations about breaking privacy
  • Our government is at the top of the list of entities suffering massive break-ins from hostile nations, rogue states, and hackers at large
  • There are no established (at least no well-understood) precedents for search and seizure of digital devices ...yet
So let me ask you this, conspiracy fans and logical thinkers alike - was this exercise really sincere in its given intent?  Or was this a staged show (much like the security theater we're all familiar with called the TSA) to shock and awe and scare the general population into begging the government to take away more of our rights to protect us from this "doomsday scenario" which may or may not ever happen.

What sort of risk analysis has been done to see whether this type of attack is even practical?  Having worked in the energy sector for a few years doing information security I can tell you that the "fire sale" event like in the latest "Die Hard" movie is extremely unlikely at best - partially due to the Neanderthal systems and manual knobs still out there.  I could be entirely wrong - but I know for damn sure I am no more comfortable letting the government have more intrusive power than I am giving my psychopathic mother-in-law the same.

Think.  Don't follow the hype curve, and get caught up in the hysteria.  There has to be a better way than turning over our last shreds of privacy to a government... I mean, we already do that with Google!

I'm going to go put my tinfoil hat back on and sit in my panic room in the basement.


Brett Hardin said...

The line is not from a movie, but Nietzsche and states "If you stare into the Abyss long enough the Abyss stares back at you."

Rafal Los said...

@Brett- see... That's what I have you readers for!

Unknown said...

Nice information, I really appreciate the way you presented.Thanks for sharing..