Wednesday, March 04, 2009

"Cyber Katrina" or "Digital Pearl Harbor" (which is a more loathsome term?)

Every time you hear 9/11 or Cyber Katrina you should reach for your wallet.  

Does anyone find this sort of hyperbole rhetorically effective?


House Permanent Select Committee on Intelligence

Washington, D.C.

RE: Establishment of North American Urgent Radiological Information Exchange

Madame Chairperson:

While we do not believe that this is a matter that rightfully falls under the province of your Committee, in the interest of cooperation, this letter will address the events leading up to the establishment of the North American Urgent Radiological Information Exchange (NAURIE).

As you know, on the 10th year anniversary of 9/11, all of our nation’s nuclear power plants were targeted in a massive distributed denial of service attack orchestrated by the Conficker III botnet which had grown to a heretofore unheard of 30,000,000+ infected PCs.

While US CERT teams as well as regional DOE cyber security personnel were focused on combating this external threat, each plant’s internal firewall separating the Command and Safety System Networks from the Site Local Area Network was breached from the inside due to the use of pirated hardware with malicious embedded code that passed server control to external users.

Of even more concern is the fact that all of these plants were targets of a carefully planned, long-term social engineering attack which relied on human error and the broad-based appeal of Social Network sites. As DOE employees broke protocol and downloaded phony social software apps, malicious code worked its way into secure networks and lay dormant until activated by the attacking force.

This led to a number of consecutive failures in our safety mechanisms resulting in partial to complete core meltdowns at 70% of our plants. When these plants went offline, the nation’s power requirements couldn’t be met. Grids were overwhelmed and blackouts began occurring in our most heavily populated urban areas. Once criminal gangs realized that overburdened police departments were unable to respond to every 911 call, looting of businesses began in earnest as did home invasions in the wealthier neighborhoods.

One year later, we still do not have a final count on the number of deaths and casualties but most responsible estimates place them in the tens of thousands. If we extrapolate out for the as yet unknown future effects of radiation poisoning on the victims, the count goes into six figures.

While this is clearly a tragedy on every level, I feel I must point out that the NNSA, as late as 2009, in a letter to the Los Alamos National Laboratory, did our part in improving security by determining that the loss of 83 LANL laptops should no longer be considered just a “property management” issue, but a cyber security issue as well.

Also, that our G3 physical security model (Gates, Guards, Guns) was not compromised, and that cyber security compliance has never been a mandatory policy; that instead it was an ongoing negotiation among various other considerations.


Director, National Nuclear Security Agency
(BTW, this is far less salacious than the scenario we came up with for CyberStorm 2005 in the Energy sector)

So. Am I just a reactionary? Is this sort of FUD a necessary evil to make "progress on cybersecurity" or just another boondoggle?
