back to article The cyber-weapons paradox: 'They're not that dangerous'

When it comes to bombs, the more powerful they are, the bigger their impact. With a cyber-weapon, the opposite is true: the more powerful it is, the more limited the damage it causes. The deeper a bug can get into any given system, the less likely it is to trouble anything else. And that's why cyber-weapons aren't real weapons …

COMMENTS

This topic is closed for new posts.
  1. Robert Carnegie Silver badge

    Is SCADA particularly difficult?

    Serious hackers are rather good at studying a computer system and figuring out how it operates and how to interfere with it. I wouldn't put confidence in security through obscurity.

    So, anyway, could somebody make all of our traffic lights give the wrong instructions? And if we switch the lights off, then how much chaos is permanently wreaked on our cities? By which I mean, cities anywhere in the world.

    1. Bumpy Cat

      Re: Is SCADA particularly difficult?

      I think the key point in not in knowing how to fiddle with a system, but how to meaningfully fiddle with a system. As you say, an expert hacker can penetrate, study and understand a system, but would have to be an expert in sewage systems, traffic lights or nuclear plants to actually do something specific. Shutting down is probably easy to figure out, but closing this or that valve to achieve backflow somewhere is not going to be obvious.

      1. fatchap
        FAIL

        Re: Re: Is SCADA particularly difficult?

        The problem is there is no barrier to entry to becoming an expert on sewage systems, power generation or one of many other SCADA scenarios other than intelligence and motivation to learn. If you are planning on launching a proper nation state vs nation state military action you normally have these both in spades.

        The assertion that we only therefore have to care about malicious insiders should be suffix with a coda of “or anyone else able and willing to gain a similar level of knowledge”. Which suddenly increases the threat actors from a few people per site to well funded intelligence agencies with an appetite to launch these types of attack.

        So the threat of damage in a cyber war is low apart from the threat of those capable of actually starting a cyber war.

    2. Jinxter

      Re: Is SCADA particularly difficult?

      SCADA is not particularly difficult; what was special with the Iranian Nuclear Plant was that the SCADA system was on an air-seperated network (i.e. no external connectivity) and as such it was silently transfered through the use of digital media (USB I believe). To do this silently and with no harm to any carrier systems and to meaningfully attack the systems showed that the capability level of the attacker was far beyond that normally seen.

      When looking at cyber-warefare (and hence cyber-weapons) you are generally looking at consolidated attacks. For example; during WW2 you wouldnt just send your privates out to the battlefront but you would also send your medics. Now when you go to war you don't just send in your tanks but you use your cyber-weapons to disrupt communications and logistics. More often than not; you are not looking at performing permenant damage but are looking at causing interuption.

      While I agree with a number of the principles within the publication I do disagree that a 'hack' cannot result in loss of life.

    3. SJRulez

      Re: Is SCADA particularly difficult?

      SCADA and PLC's themselves are not that difficult, understanding the interactions between them within an industrial system is.

      SCADA software is primarily a monitoring system and to certain extent control, it will check the status of hardware and it some cases facilitate transfer of status information between PLC's through set points, simply interfering with SCADA might not cause issues at the PLC level since the it has its own program managing itself and if the program is written correctly it would spot an inconsistency.

      For example a motor spins at 400 rpm and has max speed of 1000rpm, if SCADA was to tell the PLC to spin it at 1200rpm it would ignore it as an error and generate a fault (assuming it was well programmed), if on the other hand you were able to alter the register on the PLC to always be 100rpm lower than it actually is or intercept the return pulse from the motor, instruct SCADA to tell PLC to run it at 1000rpm it wouldn't realised and would actually spin at 1100rpm.

      The modifications to the program would be easy to spot later by an engineer or would be removed by reloading from a previous backup, the trick to the recent SCADA attacks was its ability to manipulate SCADA and the programming terminals. It manipulated the program whilst it was being transferred to the PLC's making it appear that the program as seen on the screen was downloaded when it actual fact it had been manipulated on the fly during the download. It then further manipulated the SCADA programs to cover up the changes it had made at PLC level.

    4. Vic

      Re: Is SCADA particularly difficult?

      > could somebody make all of our traffic lights give the wrong instructions?

      Traffic control systems are actually pretty safe; there are hardwired backup systems checking the consistency of all the signal heads.

      In the event that something goes wrong - e.g. conflicting greens - the safety system crowbars the power supply, and the junction shuts down.

      Vic.

      1. chris lively
        Stop

        Re: Re: Is SCADA particularly difficult?

        I have personally witnessed traffic lights at multiple locations in which lights were green for all directions. In one case I was nearly hit by an 18 wheeler. My first instinct (after avoiding the collision) was to call the cops on the driver. Which is when I saw that both of our lights were 100% green. When I called emergency services they said, "Another one? We'll take a look at it."

        So, I'm calling BS.

        1. honkhonk34
          IT Angle

          Re: Re: Re: Is SCADA particularly difficult?

          Isn't this entirely dependant upon the supplier, based upon the local governance/laws for procurement?

          Since most states/countries/regions have different procurement methods your BS call is moot. I'm in the UK (specifically Scotland) and I've never experienced an "all green" situation - the only exceptional situation I've seen with lights has been all red with local police managing the traffic flow manually.

          I don't expect the inner workings of the systems in place in Scotland to be the same as those in America, Japan, Germany or any other country, other than perhaps the wider UK...

        2. Jody

          Re: Re: Re: Is SCADA particularly difficult?

          I once worked (for a week!) at the Transport Research Labs in Crowthorne, where they programmed the code that ran, I was told, most of the traffic signals in the Western world. The reason their software became so ubiquitous in the 1960s was that it was given away free. From the 1980s, though, they began to charge to recover the costs. While local authorities in Europe paid for the upgrades, those in the US tended to stick with the gratis, but less-sophisticated code...That is what I was told anyway. Perhaps that sometimes leads to all-greens!

  2. Brewster's Angle Grinder Silver badge
    Alert

    Does this mean Jurassic Park was accurate?

    A maverick insider, with knowledge of esoteric industrial control systems, disables the "prison doors" for personal gain. Oh how I used to laugh at the implausibility of it. Now it turns out to be real. :shock:

  3. JDX Gold badge

    DOS question

    It describes DOS attacks as temporary inconveniences... but why is it temporary? If the attacker doesn't turn off their botnet, won't the target stay compromised indefinitely?

    1. Anonymous Coward
      Anonymous Coward

      Re: DOS question

      The longer the attack runs, the easier it becomes to implement targeted filtering against it, or to move IP and blackhole the old address. In practice, DDoSers who want to keep a site offline for a protracted period have to keep adjusting the types and sources of the junk traffic they're sending, and it starts to take increasing amounts of time and effort on their part to sustain the DoS against the protective measures the victim (and their upstream ISPs) start to put in place.

      There's also turnover in their botnet to be considered, if you just set it running and left it alone completely the number of zombies would decay over time as machines get cleaned or reinstalled or taken offline, leading to the amount of DDoS traffic also falling. That's why there aren't any of the historical DDoS bots (e.g. mafiaboy's) still running out there.

      Bottom line is, a DDoS can keep going as long as the operator is interested in keeping on paying a lot of attention to it, but it requires ever-increasing time and complexity on their part. Sooner or later the law of diminishing returns kicks in.

  4. Pete 2 Silver badge

    A team effort

    We're fortunate that there are very few people in the world who wish to cause harm - and even fewer in positions of trust and with the ability to do so. Luckily (!) most of the attacks we've heard about have either been from external forces - limited by their ability to insert bad stuff accurately, or by lone insiders acting out a personal vendetta. Whether the situation of a concerted inside-job by a focused team will remain a fiction, or whether it will be targeted as the "soft underbelly" of the whole computer industry, remains to be seen. However, it would be incredibly easy to do[1] given the time and inclination of those involved.

    Afterthought: Given the amount of mis-management, overruns, over-costs, poor implementations and buggy products - maybe this sort of sabotage has, actually, been happening for years - or decades.

    [1] Scenario: An HR person with a particular "outlook" preferentially recruits techies with the same outlook. As part of a slow-burning plan, they all gravitate towards working on the same vulnerable system and from that position of self-supervision are free to implement whatever bugs, backdoors, weaknesses, logic-bombs or espionage they please. How many people? A team leader, couple of coders, a tester. Maybe half a dozen: tops. How long? Maybe a year or two.

    1. amanfromMars 1 Silver badge

      Re: A team effort

      And whenever such a team phormed itself maybe a year or two ago, Pete 2? ........ whenever it was not even imagined as a fiction let alone thought possible as a stealthy virtual action to be ......... well, depending upon your own particular and peculiar circumstances in a control and power lead position .... guarded against or endorsed and encouraged with the open cheque book of off the books national security slush funding accountants provided liquidity feed to irregular and unconventional zeroday vulnerability exploiting seeds and needs ...... Stealthy Virtual Action Teamsters.

  5. Anonymous Coward
    Anonymous Coward

    cyber weapons are part of information warfare

    Vulnerability: the end-point of information warfare is total continental electronics-based infrastructural annihilation , which could sound rather troll-mongering , so I'll quote from the 2008 briefing to the US Congress (*)

    Evidence: Congressman Roscoe G. Bartlett (R-MD) said: ""We met with three of our Russian counterparts on the Duma International Affairs Committee, including its chairman, Vladimir Lukin, and senior Communist Party member Aleksandr Shabonov. On May 2, [1999] the Russians chastised the United States for military aggression in the Balkans and warned Russia was not helpless to oppose Operation Allied Force (the NATO bombing of the former Yugoslavia). Lukin said, ‘If we really wanted to hurt you with no fear of retaliation, we would launch an SLBM [submarine launched ballistic missile] and detonate a single nuclear warhead at high altitude over the United States and shut down your power grid and communications for six months or so.’ Shabonov added, ‘And if one weapon wouldn’t do it, we have some spares."

    Threat: I agree with the article that NEPM as perhaps the ultimate cyberweapon isn't particularly dangerous, (it's the 6 months following without power/SkyTV/water/food/transport/money that might prove a slight inconvenience).

    Risks: I heard on Radio 4 "Today" this week that the risk of NEMP happening somewhere is rated as "likely". (Newt Gingrich mentioned NEMP as part of his campaigning recently it seems. There's definitely a whiff of Military Industrial Complex about cyberweapons - but NEMP is inescapably instilled in the information warfare doctrine so cannot be overlooked just because they'll make money out of it!)

    (*)(available at http://nipp.org/National%20Institute%20Press/Current%20Publications/PDF/EMP)

    1. Allan George Dyer
      Mushroom

      Re: cyber weapons are part of information warfare

      So you're saying that the most effective cyberweapon is a nuke? I suppose that makes the father who shot his daughter's laptop a 1337 h@k0rz, or even a cyber-terrorist?

    2. Dude_in_Grey
      Alert

      Re: cyber weapons are part of information warfare

      I really hate to say this, but any NEPM launch would look identical to an ICBM launch to people in places such as NORAD, who may assume, quite reasonably that it is instead a MIRV or similar. The consequences for that mistake would have literal and figurative fallout, which is why it really would be an awful idea in practice.

      1. Tom 13

        Re: awful idea in practice.

        I'd say that depends on:

        1) who you are

        2) who your target is

        3) who is available to be the patsy

        4) how good you are at covering your tracks

        5) whether or not you give a crap about the consequences

        That last one is particularly important when dealing with irrational maniacs.

    3. Michael Wojcik Silver badge

      Re: cyber weapons are part of information warfare

      You can call shutting down the infrastructure (via EMP or anything else) "part of information warfare", but it's by no means a "cyber weapon" or part of "cyber warfare". It's conventional warfare targeting infrastructure. And it's not relevant to the article, which is about software attacks ("cyber weapons") against IT systems.

      (Personally, I think we'd all be better off if the use of "cyber", on its own or as a prefix, was banned except when talking about ACTUAL DAMN CYBERNETICS, which has nothing to do with "cyber weapons" or "cyber war" or "cyborgs" or the execrable "cyberspace" or any of those other idiotic coinages. Too late to fix that now, though.)

  6. Anonymous Coward
    Anonymous Coward

    More on SCADA

    "closing this or that valve to achieve backflow somewhere is not going to be obvious."

    Well I guess that depends.

    If you have access to details of a replicated installation, one that isn't a one off site but has been rolled out dozens or hundreds of times...

    If your payload can get access to the site itself...

    If the site's function is an essential part of basic public infrastructure...

    Good job that doesn't happen in real life. Oh, hang on.

    The insane post-privatisation"dash for gas" in the UK electricity generating industry led to the installations of tens of GWs worth of largely identical gas turbine fired power stations, controlled by simple(ish) PLC setups. Not all identical, but lots of identical ones (they had to be identical to make them cheap to build and quick to deploy ready to make a fast buck or three).

    And that's just one very obvious very easy example.

    Still, we wouldn't notice losing a few GW would we, "the markets" and the government's energy security strategy have ensured that there's plenty of spare capacity and/or demand management capability to handle all credible eventualities.

    They haven't?

    Oh, so the engineers *were* right when they said privatisation of utilities was mad. Never mind, there's been plenty of bonuses all round at HQ since then.

    Dimwits.

    1. Bumpy Cat

      Re: More on SCADA

      I mostly agree, but my point is that John Random Hacker is not going to know anything about gas turbine fired power stations. A disgruntled insider or an engineer who worked on the systems *would* know enough to do lots of damage, but in that case would they need to hack in?

      The pool of people who can usefully hack into systems, SCADA or otherwise, is small. The pool of people who know how to tweak SCADA systems in a bad way is also small. The intersection of these is necessarily even smaller - and (thankfully? hopefully?) the number of those who actually wish to cause harm is even smaller.

      Also, a malicious SCADA hacker who knows how to mess up sewage plants probably can't affect traffic lights, or nuclear plants. We're just lucky enough that the intersection of two rare skill sets and malicious intent is pretty small.

      1. Mephistro

        Re: Re: More on SCADA

        Affecting traffic lights should be a cake. The inputs and outputs of such a system are few and easy to deduce, and in the worst case you could create mayhem -The biggest gridlock in History!!!- just by changing some random bytes.

        The other examples? If you have access to a similar facility and to its hw and sw, understanding the workings of the plant should be relatively easy.

        The next step? Create a personalized virus. Given the way many techies play loose with USB memory sticks and the like, most systems vulnerable would be infected in less than a year. Then comes the 'trigger date', and then comes the gridlocks, the blackouts and the shit-floods.

      2. Anonymous Coward
        Anonymous Coward

        Re: Re: More on SCADA (disgruntled insider)

        "A disgruntled insider or an engineer who worked on the systems *would* know enough to do lots of damage, but in that case would they need to hack in?"

        Suppose you're in the automation industry; lots of people are.

        You find out who puts these multi-site-replicated CCGT control systems together (who cares about traffic lights, that's only local chaos, and there's too much variation in them anyway). You wangle a contract there and get the relevant details.

        You disappear into other work, and seemingly lose your access, but pass on the relevant details to your partners in crime.

        Or via social engineering you get the relevant details some other way.

        Some time later your associates have incorporated the necessary details you have provided, and they release their Stuxnet-style weaponised version into the wild.

        Before too long, it's done a Stuxnet and crossed the air gap onto the plant network, made itself invisible, and is sitting waiting for the trigger date to unleash its chaos. Olympic opening ceremony could be a good time to hide odd goings on of the noisy kind, but there are plenty other options.

        Obviously it can't really happen like that. We fixed ALL the Stuxnet-style holes in technologies, products, and processes, didn't we.

        Anybody got any 3kVA silenced diesels going cheap?

      3. chris lively

        Re: Re: More on SCADA

        The problem is that if John Random Hacker is actually good enough to write the code in the first place then you can pretty much guarantee that John Random Hacker can *become* an insider.

        It's not about resources. Rather the threat is from those who are motivated to do something.

      4. Michael Wojcik Silver badge

        Re: Re: More on SCADA

        > I mostly agree, but my point is that John Random Hacker is not going to know anything about

        > gas turbine fired power stations. A disgruntled insider or an engineer who worked on the

        > systems *would* know enough to do lots of damage, but in that case would they need to hack

        > in?

        If the era of phone phreaking and the textfile subculture (see eg www.textfiles.com) taught us anything, it's that this is precisely the sort of information which has value in the hacker community (regardless of hat color). People will find and disseminate a lot of it. They'll get temporary jobs in the industry. They'll find ex-employees and get information from them. They'll dumpster-dive for paper docs and collect others from online sources and from backup media and whatnot. They'll use social engineering. They'll get samples.

        Venues like /2600/ and /Phrack/ remain viable because there's an enduring interest in writing and reading about obscure technical systems. It may not be easy to find information about the SCADA system of your choice; but there's information about many other embedded systems around, and they may be *someone's* preferred target. Or someone may not really care what the target is.

  7. Monti
    Happy

    Yes!

    Finally... A level headed examination of cyber warfare.

    Every time something happens on computer systems everyone seems to go completely mad with fear... (remember Y2K?)

    1. Graham Bartlett

      Re: Yes!

      You mean the Y2K that wasn't a big deal because a lot of companies DID spend a HUGE amount of time and money taking it seriously?

  8. Anonymous Coward
    Anonymous Coward

    All too easy...

    As an electronics engineer (and therefore no S/W guru) who was tasked with developing P.C Diagnostic apps for NETWORKED(!) SCADA systems in a previous job, I was stunned by how easy it was to not only access the vendor supplied ActiveX control for the PLC comms, but also to write 'hidden' VB6 apps to perform certain functionality which ran in parallel with the main control software (required when the S/W department had quoted 3 months lead time to change the firing behaviour of a digital output)!

    Knowing the architecture of the control system (P.C - PLC - Fieldbus - Distributed Motor Drives and I/O), and the capabilities of the configurable slave devices, gave me a far greater understanding of what was possible (and how to screw it up effectively) than most of the software guys, who mostly hid behind .dll function calls etc. and had no idea of the software OR hardware architecture of what they were working on.

    Software engineers working on SCADA systems have a unique responsibility to understand the mechanical, electrical and software characteristics of the systems which they are working on, both from the point of view of effective process control, and to limit the effects of 'bugs/attacks' by someone who knows enough about a part of that particular system.

  9. ACx

    Now this bloke has pointed this out, it will only be a matter of time. All he has done is set a challenge to people who simply love being challenged.

    1. Michael Wojcik Silver badge

      Yes, this was a real secret before

      Security researchers, including plenty of grey- and black-hat hackers, have been talking loudly and frequently about the vulnerabilities in SCADA systems for years. There was a flurry of discussion during the 2003 Northeast (US) Blackout, for example, when some commentators wondered if the blackout was the result of an attack on SCADA systems at power plants; that conversation made it into the trade press.

      Later actual attacks against SCADA systems, such as STUXNET, provided more evidence of their vulnerability and encouraged more hacker attention to the topic.

      What's new in this research is some of the conclusions drawn about software attacks on IT systems in terms of military theory. It's likely that relatively few hackers are military theorists, and even fewer rely on military theory to inform them of likely targets.

  10. dotdavid
    Joke

    Weaponised bags

    "If we look at the world of brick-and-mortar weapons, we wouldn't call a bag a weapon though it could be used to carry away stolen goods"

    Unless we're the TSA or UK Border Force, in which case we call it "a weapon concealment weapon"

    1. Charles 9

      Re: Weaponised bags

      Even simpler than that. Nice heavy hardcover book inside the bag (it's the book you were reading on the flight, even). Now, you try to sneak up on me, and I react by swinging the bag with said book in it. Now tell me that bag wasn't a weapon then. Same way with a sock. It isn't much of a weapon...then you stuff it with a half-brick.

  11. jake Silver badge

    I've said it before, and I'll say it again ...

    Anyone who uses the term "cyber" in supposedly serious conversation is probably completely clueless, and safe to ignore when it comes to day-to-day communications.

    1. Mike Flex

      Re: I've said it before, and I'll say it again ...

      > Anyone who uses the term "cyber" ... is probably completely clueless

      It's the term of art in government and military circles. If you don't like it; tough, it isn't going to go away.

      1. jake Silver badge

        Re: Re: I've said it before, and I'll say it again ...

        Who is using it where doesn't alter my point ...

  12. the-it-slayer

    The author is right but...

    Surely a co-ordinated attack on communications/systems heavily reliant on day-to-day life and linking the chain by wiping out the backup plans.

    For example, imagine an attack on the UKs transport systems. Cause plenty of accidents by colliding trains/cars/planes. Then the attack would then bring down comm's (phone/radio) for the emergency services. Afterwards causing the stock exchanges to fall and foundations of 21st century life crumbling. In return, this would cause the same panic as previous physical attacks via terrorism that have happened in countries all over the world.

    Problem? You'd need a lot of people involved to take down all different types of systems used by many private firms etc. Chances are very small down to our intelligence services spotting the trends of a planned attack first.

    1. This post has been deleted by its author

  13. fLaMePrOoF
    Boffin

    "The deeper a bug can get into any given system, the less likely it is to trouble anything else."

    What complete and utter bollocks!

    This guy obviously doesn't have the slightest technical understanding of the subject he's pontificating about.

    He really should do himself a favour and shut the fuck up.

    1. fLaMePrOoF

      Just to clarify - I'm not saying that the opposite argument is in fact the case and 'cyber weapons' do indeed have massive offensive potential. There is a valid argument that their capabilities are often over egged in the minds of the non-technical public and law enforcement / security bods.

      However, this guy's whole thesis appears to be based on the above flawed premise.

      The plainly obvious truth of the matter is that the 'deeper' into a system an attack vector can infiltrate, the more potential for exercising control and effecting change on the infiltrated system and connected systems.

      1. Michael Wojcik Silver badge

        > The plainly obvious truth of the matter is that the 'deeper' into a system an attack vector can

        > infiltrate, the more potential for exercising control and effecting change on the infiltrated system

        > and connected systems.

        I believe you misunderstand this aspect of his argument.

        The point is that an attack which causes indiscriminate failure typically doesn't spread far, because it disables its own propagation mechanism. If a single power station's SCADA system gets infected by malware that immediately brings down that station, it won't have much luck spreading to other stations.

        There are many problems with this hypothesis as it applies to malicious software (which can take failure modes and propagation requirements into account), but there are historical cases where it's been true, including STUXNET, which is the best-known example of something like actual software "warfare": as the article points out, it spread widely in part because it was designed to damage only one very specific type of system.

        I don't find the "paradox" a useful hypothesis myself, but it's not as naive as you make it out to be.

    2. Anonymous Coward
      Mushroom

      I agree

      "[Having] more destructive potential is likely to decrease the number of targets, the risk of collateral damage and the political utility of cyber-weapons."

      Funny, from what peaceful planet does the speaker come? It all depends on your 'politics.'

      If you look at a global map with countries colored to indicate how close to the stone-age they are, you can see who the targets aren't going to be. The U.S, Japan, western Europe and eastern Asia might as well be painted in red/white concentric circles and be pinned to the wall.

      Imagine the premise of Larry Niven's "Anarchy Park" on a global scale. I don't even think the bookmakers would put a line on the outcome...but it would be ugly, sparsely populated and well fertilized. Also, if you have a room full of food and defensive weapons already prepared....don't tell anyone about it.

    3. joe K 1

      Some children are scared of clown's too!

      Seriously, are you 14 or something? This paradox has already been proved right in the most important testing ground of all - nature! The reason we're all still here is that the deadliest natural viruses, despite their potency, have to be so ultra-specialised to reach their full destructive potential that a few mutations is all it takes to survive them, and natural selection makes sure these mutations happen. Contrast the ebola virus with the common cold.

  14. Anonymous(not a) Coward
    Trollface

    Cyber warfare?

    Well the debate rages on. Cyber warfare is as it says on the tin warfare that happens in the cyber world. In theory, this means that the impact and effects of any attack must be contained to the cyber-world and must not have real world effects. Increasingly what an attacker wants is the actual information that can and is used to drive a real world event via an automated or manual system. That is Information Operations (warfare) and there are many facets to it. The media buzz on cyber warfare and the fuel added on by academics has given this term a totally different meaning which could result in scaremongering.

  15. Yet Another Anonymous coward Silver badge

    Stuxnet was not the worst

    http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage a 3kt explosion that by pure chance occurred in a remote part of Siberia rather than a major city.

    High pressure gas pipelines are now rather common across Europe and north America.

    But of course it couldn't happen here - US and UK oil companies are famous for the lengths they will go to with expensive multiple redundant safety systems to prevent any possible accident.

  16. Mephistro

    Wait a few years...

    Till everybody has a 'smart meter' at home. A week without leccy and/or gas in a cold winter, in London would probably kill more people than a week of German air raids in WWII.

    Oil refineries would probably be also a good target, given their actual scarcity. Hacking Domotics systems in the near future would come handy for kidnapping and blackmail.

  17. despairing citizen
    FAIL

    So bad it's not even wrong

    "Serious damage would require an intelligent malware agent that was capable of changing ongoing processes while hiding the changes from their operators, Rid says. To our knowledge, this has not yet been created, and making something as complex would require the backing and resources of a state, he added."

    Access patient records.

    Is Alergic to Penacillin ; Change Y to N.

    Doctor why has the patient gone into shock!

    Title relates to a comment Pauli used to make about some of the crap thesis papers he had to review

    Please can somebody show this chap a computer and explain how they work!

  18. Anonymous Coward
    Mushroom

    Wrong, Wrong, Wrong

    Although I agree there is some scaremongering going on, I do think cyber-weaponry has already demonstrated its potency and there is growing potential for doing more damage.

    What is even worse, nobody knows how much spying is going on by means of cyber-attacks. Defintely there is lots of activity, that's what we know.

    Examples:

    1.) Stuxnet. Serious damage to the Iranian nuclear program. Not terminal, though.

    2.) Syrian Reactor bombed. They managed to do that w/o the Syrian radar detecting them. How did that happen, despite no stealth a/c used ??

    Of course, cyber attacks/reconnaissance must be seen as a tool in the big toolbox of militaries and their attached intel agencies. Serious damage can be done by combining cyber operations with conventional ops like air attacks or submarine attacks.

    Use cyber means to reconnoiter and disable and then conventional forces to precisely strike on a supposedly unknown location/system based on the intel gained from cyber. That is probably what matters in the future.

    In the electronics circles there is already much discussion about electronic warfare and cyber attacks, whether it is the same or something different. But there are very few doubts cyber attacks can and will be done.

    Finally, modern intel gathering systems could be easily the target of cyber attacks. All one needs to do is to send a poisoned PDF via satcom and wait for the payload to report back. I am absolutely sure the gobbermints didn't bother to write their own PDF parsers and probably they all have integrated libpoppler or the Adobe crap into their vaccum cleaners.

    Picture of an A380 crashed by cyber attack.

  19. Anonymous Coward
    Stop

    One More Example

    The recently suffocated Hamas weapons procurer's travel details had been acquired by pwning his PC, it is said.

    So cyber space can have serious adverse health effects, it seems.

  20. Anonymous Coward
    Anonymous Coward

    GCHQ vs CPNI

    "In short, Rid suggests ditching the spooks" "That's not where public pressure comes from"

    I don't see many reasons why GCHQ couldn't have a dialogue with software and hardware vendors where it felt the need was there. But if secrecy was that critical it has the ability to lean on other departments to achieve the same public effect - the glaringly obvious public body that should be looking to manage risk in SCADA security is CPNI who have no pressing reason to refrain from generating 'public pressure'. In that sense, haven't we already 'ditched the spooks'?

  21. chris lively
    FAIL

    PR Fail

    Two conflicting quotes from the same moron in this article:

    "To our knowledge, this has not yet been created, and making something as complex would require the backing and resources of a state, he added"

    and

    "Rid's top tip is that it's the people who work on esoteric software – maverick insiders – that we should worry about rather than patriotic foreign hack-warriors"

    The first sentence is absolute horse crap. There has been a trend in the security community lately when communicating with the press to talk about how a particular attack could only be pulled off with "state sponsorship". Never mind that Thomas Rid directly contradicts himself later on with the second statement discussing the real ones to be worried about.

    All you need in order to do a targetted attack is to be above average intelligence and the inclination to do it. You don't need 10s of millions of dollars (or more) and you don't need 100+ developers.

    All of the knowledge required in order to get an attack past the eyes of watchdogs can be obtained within a few months as a simple INTERN for the responsible company. Go work for them. See how things work. Write your code. It's expected that the interns are there to learn and IT people (especially the programmers) are notoriously easy to pull info out of; just stroke their ego and let them talk. Heck a beer isn't even required.

    That said, the articles premise that "They're not dangerous" is more than a bit misleading. It's like saying a sniper bullet isn't dangerous because it's a highly targetted attack.

    FAIL.

    1. fatchap
      Thumb Up

      Re: PR Fail

      The exact analogy that occured to me.

  22. hayseed

    Things don't have to go boom at once

    You can be sneaky about it, as in backdoors and intelligence. Intelligence OR finally using

    a backdoor could be devastating. Remember Enigma.

  23. Quinch
    Black Helicopters

    So... they sneak through the defenses, travel undetected and there is no trace of them until they have already done their damage or destroyed their target? It's all so clear - cyber-weapons are just a red herring to distract us from the fact that they're hiring ninjas!

  24. I think so I am?
    Joke

    Cyper weapons vs Forsty the snow man

    2inches of SNOW is the biggest single threat to the UK!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Cyper weapons vs Forsty the snow man

      The evildoers will hack power stations and make them generate much dust, which will in turn change the weather, inducing snowfall. All of that previously simulated in a weather supercomputer.

      No don your tinfoil and write "I will believe in cyber threats from now on" 100 times !

  25. Dodgy Geezer Silver badge
    Flame

    Ditching the spooks?

    "...In short, Rid suggests ditching the spooks: "If we put GCHQ in charge of cyber security, by their clearly secretive nature, they won't be able to put public pressure on businesses...."

    Up to 1994 we had a Government commercial security team. In 1994, the spooks ditched them, and took over their budget. At the time, people in the know said that this was a mistake....

This topic is closed for new posts.