Over the course of this past weekend, countries around the world stopped for a few minutes to reflect and remember. In the United States, we celebrated Veterans’ Day, a day of appreciation for our armed services and those who serve. Others may call the day Armistice Day (which it was originally, and still is in many countries)–the 11th day of the 11th month, a remembrance of when World War I finally fell silent and an eerie quiet fell over the trenches of Europe.
We are forever grateful to those who risk their lives to fight against tyranny, and have nothing but respect and admiration for those who have served or are currently serving. When I meet a service member, current or former, I feel compelled to say something–to tell them at the very least that I appreciate them. I want to at least say or do something so that soldier (sailor, airman, marine) knows that they are not alone. Some may think it silly, but I can’t help myself. I have to acknowledge that huge sacrifice.
A New Battleground
While the Doughboys of 1918 and the GIs of 1945 had to go halfway around the world to fight the enemy, that is no longer necessarily true in our highly technological society. The world has become increasingly smaller and increasingly more connected. What does this mean for us?
Protecting the homeland no longer means having an army and a navy ready to go out and fight. It also means that we need to be ready to protect the homeland on our own soil–and in cyberspace. With so many aspects of our lives dependent upon technology, we have to make sure that we take the proper precautions to protect it. Even things that the average person may not think about in their day-to-day, that we take for granted because it’s always there, could disappear with a clever attack.
Think about the power grid. Think about water supply. Earlier this year, the U.S. Department of Interior released a report indicating that two dams considered “critical infrastructure” were at risk because they were not implementing security best practices. Among the infractions that the Department of Interior found was that account access was not always revoked when employees left the organization (meaning if they really wanted to, they could keep logging into their account and access the system even though they were no longer working there). Background checks for those employees with high-level privileges were less vigorous than perhaps desired or required. If you’re interested in what else the Inspector General found, you can read the full report here.
What Is Critical Infrastructure?
This is not the first time that an organization considered “critical infrastructure” has been found to have gaps in the security framework. But what exactly is “critical infrastructure”? Basically, any assets that are essential to keep society running. It’s a government term (of course), and can include things like
- Water supply (drinking water and waste water/sewage)
- Electricity generation (including renewable energy sources as well as traditional gas, oil, coal, nuclear)
- Agriculture (the food supply)
- Public health (like hospitals, ambulances)
- Transportation systems (airports, harbors, highways)
- Financial services
- Security services (hello, law enforcement and military)
Unfortunately, the scenario could be. There are examples in the news of what could happen if the government’s networks aren’t properly secured.
In 2007 Estonia, authorities in a town called Tallinn moved a World War II memorial from downtown to a suburban military cemetary. The Russian government had warned Estonia that removing the statue would be “disastrous,” and in a way it was. Soon after moving the statue, Estonians across the country found that their internet was hobbled. They couldn’t access online newspapers or government websites, and bank accounts were suddenly inaccessible.
Soon, the Estonian government discovered that the internet trouble was not an inside problem, but an attack from the outside. A concerted Distributed Denial of Service Attack (also known as a DDoS attack) had swamped servers and shut down websites.
Coincidentally, this is considered the first cyberattack in history that managed to affect a country nationwide. Previous attacks had not had the crippling effect on an entire nation the way the Estonians experienced.
“The Maroochy Incident”
The Maroochy Incident , as it has been called, is actually one of my favorite stories. I first found out about it through a wonderful podcast called Malicious Life. (If you haven’t heard of it, check it out–they run through the history of computer viruses and malware in a way that makes it entertaining and easy to digest, even if you’re not a supernerd. My tech knowledge was casual and thin when I started listening, and now I’m reading and researching this stuff on the regular!)
The basic story is this: in spring of 2000, the computerized waste management system in Maroochy Shire, Queensland, Australia malfunctioned and spilled raw sewage into local parks, rivers and businesses. It caused a real stink, if you will. After some investigation, it was discovered that the cause of the malfunctions was a series of hacking attempts–Vitek Boden, an employee of the company that installed the sewage control system, was getting into it from the outside. He was eventually caught sitting in his car by a sewage control point with radio and computer equipment, using the sewage management system software to play with the pump system. Apparently he had applied for a job with the Maroochy Shire Council and had been rejected.
In 2001, Boden was sentenced to two years in prison for his actions, which caused a real environmental crisis for the area.
What Can We Do?
Of course, nothing extreme has hit the homeland. This is why we do audits and have reports like the one the Department of the Interior released earlier this year–to make sure that we are doing all we can to keep the lights on. In fact, it would be even more concerning if they hadn’t found anything–because that would likely mean that they weren’t looking hard enough. Like with anything run by human beings, our cybersecurity systems are not perfect. We constantly need to tweak and monitor them in order to keep things patched and clean.
So what can we do? Well, keep practicing good cyber hygiene at home. Rotate your passwords, use a password manager, and teach your children about being safe online. This may not appear to have anything to do with national infrastructure, but security starts at home. And our children may be the next generation of cyberwarriors, dedicated to protecting the homeland on this new battlefield.
For more information on what the government is doing in cybersecurity, visit these links:
From the National Security Agency: https://www.nsa.gov/what-we-do/cybersecurity/
From the Department of Homeland Security: https://www.dhs.gov/topic/cybersecurity
And from the White House, dated September 2018: https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf