A few weeks ago, while I was at the Defcon computer security conference in Las Vegas, I attended a panel discussion on The Commission on Cybersecurity for the 44th Presidency. Established by The Center for Strategic and International Studies, the Commission will make recommendations for a comprehensive strategy to improve cyber-security in federal systems and in critical infrastructure to the Presidential administration that will take office in January 2009.
When such weighty issues are discussed, many eyes in the general public begin to glaze over very quickly. Most people will ask, “What the heck is ‘cyber,’ anyway, and why should I care?”
Coined by the late visionary mathematician/philosopher and computer scientist Norbert Wiener, “cybernetics” (from the Greek word “kybernetes,” meaning steersman or governor) was originally used to describe the science of control mechanisms in human and machine systems, including computers. Since then, “cyber,” as a prefix, has been tacked onto the front of many different words, usually to indicate their connection to computers. “Cyberspace” typically refers to the world of electronically interconnected humans and machines, i.e., the Internet. “Cybersecurity” refers to the security of cyberspace.
Generally speaking, the cybersecurity of government systems is not in very good shape. Although not widely reported, the past few years have seen massive attacks on government networks around the world, some successful, some not so successful. Most people barely noticed when the government and financial networks of Estonia were brought to their knees last year after politically-motivated “hacktivists” launched 128 separate attacks on the tiny country’s ill-prepared systems. After the attacks tapered off, many security analysts, in describing the situation, began using another “cyber” word: cyberwar.
In the United States, the situation is equally precarious. Successful attacks have been launched against NASA, the Pentagon, and numerous important educational and research facilities. Just three weeks ago, someone hacked into a Homeland Security Department phone system and made over 400 calls to countries such as Afghanistan, India, Yemen and Saudi Arabia. Nobody is really sure what would happen if organized, concentrated and sustained cyberwarfare were waged against our country’s computer networks, and it seems that our country has, at best, a vague national response plan. It is certain, though, that there is a clear and present danger to our nation’s security, easily as big as the danger of nuclear war.
As the panel discussion progressed, Marcus Sachs, Executive Director of Government Affairs for National Security Policy at Verizon, asked the audience for their recommendations to the next U.S. President. Many good ideas were put forth, and we were also treated to a very lively debate about the hackability of SCADA networks, which are the vast computer systems that control nuclear power plants, electric utility grids and other large industrial complexes. Throughout it all, I was thinking to myself, “If I was in the Oval Office, what would I tell the President about security, in a way that he could understand?” I pondered this question until the panel discussion ended.
Afterwards, the answer to my question popped into my head. “That’s perfect,” I thought, and I smiled. You see, the day before the cybersecurity panel discussion, I attended a seminar about high-security locks, such as those that are installed in the doors that guard major government facilities. Last year, I’d seen a demonstration featuring a 12-year-old girl who, using a special form of lock picking known as “bumping,” could open the same locks used in the Pentagon and the White House. This year I witnessed the “improved” version of these locks being opened with normal lock picks and a special improvement bypass device: a paper clip.
Later that evening, at a nerdy and entertaining event called Hacker Jeopardy, I saw Mr. Sachs again. “Hey Marcus,” I said, “I thought of my recommendation to the President.” “That’s great,” he replied, “Do you want to send it to me?” “No,” I said, “I’ll just tell you. Dear Mr. President: change the locks.”
“Oh, yeah,” he said, his eyes getting a little bigger and his mouth changing to a wry grin. “I saw that. Scary stuff, huh?” Yep, scary stuff, indeed.