Yesterday CNN ran an interesting story, “U.S. at risk of cyberattacks, experts say.”
For those of you in the information security biz this is not new news, I know. We’ve known and discussed the massive and insidious types of damage that could be done through cyber attacks for several years. However, there is still not enough being done.
“The Web sites of key government security agencies, such as the Pentagon and the Central Intelligence Agency, are difficult to bring down, experts said. So are the computer networks of large American banks. But experts say a successful, large-scale attack on U.S. computer systems could hobble electric-power grids, transportation networks and industrial-supply chains.
“You’d see some disruption of essential services, like electricity. You’d definitely see espionage,” said James A. Lewis, a senior fellow at the Center for Strategic and International Studies in Washington. “Would it be decisive? No. Nobody’s going to win a conflict with the United States in cyberspace. But would it be disruptive and irritating? Yes.””
Knowing the lack of security and controls in many of the existing applications and existing systems, I believe it could be much more than just irritating.
A rather different slant that was not discussed was considering our horrible economy along with world unrest…
I’m surprised the article did not talk about the actual types of economic disruption that could be done through cybercrime that could have a huge and devastating impact. Not necessarily from the large cyber attacks discussed in the article, but from changing data, systems and applications code. And if the cybercriminals did it just a little bit here and there, consistently over time, imagine the huge problems it could cause to banks, insurance companies, medical providers, energy companies, communications companies, and so on.
Just a few scenarios that could happen through vulnerable applications code and poor access controls to databases…
- What would happen if the stock prices were lowered by a few cents, or dollars, for some companies or raised for others, by cybercriminals a little bit each day or week over a period of time?
- What would happen if the code in hospital networks were changed so that amounts of automatic drug doses were all changed by a decimal point?
- What would happen if the data was changed slightly for the power grid roll-over points?
- What would happen if the car factory computer systems had the locations for the bolt attachments changed by just a quarter inch to the left or right of the proper location?
We could keep brainstorming this list ad infinitum.
The article focuses on cybercriminals from the outside and the need for firewalls and other perimeter protections; all important.
However there is perhaps even greater risk from insiders, along with poorly engineered and poorly controlled and protected applications and systems. More attention needs to be paid to those before something major happens.
Just some food for thought.
Tags: awareness and training, CNN, cyberattack, cybercrime, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training