Internet: Basket In Which We Put All Our Eggs

Every school kid knows not to put all your eggs in one basket.

Up until about 1999 or so, I thought we were being cautious and smart about this newfangled Internet thing that had us under its spell. Then there was a now forgotten news story that told me exactly how completely we were being seduced by this new technology.

Microsoft was working on a new version of Windows, Whistler I think, and it got hacked. Somebody broke into the computer they had it on and downloaded it, which was big news in the tech press but hardly anywhere else. Microsoft audited the code, attempting to make sure it hadn’t been tampered with, and found it clean. There were no trojans or back doors installed. None they found anyway.

I was dumbfounded. I couldn’t believe Microsoft would leave a copy of their next generation crown jewels lying around on a computer facing the Internet where black hats could find it. I figured the yet-to-be-released and still under development next generation Windows product would be secured on a hard drive connected to a computer not networked and locked up deep within a vault somewhere protected by a bevy of Barney Fifes. It never occurred to me it would be facing the net where any digital lock-picker could get at it. What were they thinking?

As I say, every school kid knows not to put all your eggs in one basket.

About a week or so ago as I was scouring tech news sites looking for links for our Twitter and Facebook feeds, I came upon an article filed by Reuters on Internet security. It opened with the news that a cybersecurity expert had been poking around and had found access to the controls for 30 pipeline sensors, none with password protection. The researcher, H.D. Moore, said he found the sensors while sifting through information in a freely available online database of Internet-connected devices.

The article went on to explain that we used to think we were safe from devastating cyber attacks on our infrastructure under the same “mutually assured destruction” idea that kept us safe, in theory, during the Cold War. That’s no longer the smart way to think:

“U.S. national security experts used to take comfort in the belief that ‘rational’ super powers like China or Russia were their main adversaries in cyber space. These countries may have the ability to destroy critical U.S. infrastructure with the click of a mouse, but they are unlikely to do so, in part because they fear Washington would retaliate.

“Now, concerns are growing that ‘irrational’ cyber actors – such as extremist groups, rogue nations or hacker activists – are infiltrating U.S. systems to hunt for security gaps like the one uncovered by Moore. These adversaries may not be as resourceful, but like Timothy McVeigh’s bombing of an Oklahoma federal building in 1995, it is the element of surprise that is as concerning.”

It’s not very comforting to realize that something I figured out, as ignorant as I am, back in the 1990s is only now being understood by those who are being paid big bucks to protect us. It’s also not very comforting to know that the controls for nuclear power plants and the like are accessible by the same Internet that can’t keep credit card numbers safe despite draconian requirements by Visa and MasterCard.

I’m not going to ask “why?” I’m not going to point out that for several decades we seemed to run our nuclear plants just fine without our engineers being able to make adjustments on a laptop from home.

As I say, every school kid knows not to put all your eggs in one basket.

Yesterday we learned from PCWorld that many, if not all, of the designs of our military’s advanced weapons systems have been compromised and are now in the hands of the Chinese military. How did this happen? If you guess we were keeping them on the Internet and they got hacked, you’re right. Never mind that advanced weapons systems are only worth the money we spend for them when we’re the only one who has them and when no one else knows the details of their capabilities. We wanted to have this information convenient and that trumped security concerns.

“‘DoD and its contractor base have already sustained staggering losses of system design information incorporating decades of combat knowledge and experience that provide adversaries insight to technical designs and system use,’ the advisory group said in a public version of the report released in January that covers the findings of an 18-month study into the resilience of military systems against advanced cyber threats.

“Among the designs documents obtained by hackers were those for missile defense systems, including the PAC-3 Patriot missile system, the Terminal High Altitude Area Defense (THAAD) system and the U.S. Navy’s Aegis ballistic-missile defense system, according to the Washington Post, which obtained a copy of the previously undisclosed report section.

“System designs related to the F/A-18 fighter jet, the F-35 multirole combat aircraft, the V-22 Osprey aircraft, the Black Hawk helicopter and the Navy’s Littoral Combat Ship (LCS) class of vessels were also among those listed in the breach report.”

Naturally, we’re filled with umbrage and are busy blaming the Chinese military for being dastardly. How dare they do what we would expect any country’s military to do? Also naturally, we’re not putting any blame on ourselves. No one is suggesting that such sensitive information, perhaps, shouldn’t be placed on a computer facing the Internet, no matter how secure. Nor is anyone suggesting that maybe the largest and most advanced military on the planet needs to have their own world wide web that’s not connected to the one used by the rest of us. No one is suggesting that this isn’t the way we won World War II.

However, every school kid knows not to put all your eggs in one basket. It’s wisdom we make sure to pass down.

4 Comments

  1. ComputerRanger May 29, 2013

    I spent my entire military career in special operations. I can assure you that the DOD does have a private internet. Every inch of it is hardline or satellite based with NSA hardware encrypted devices. The breaches that the news reports have all occurred on the “green” networks not on the “red” networks. As you alluded to in your post, military contractors are careless as are utility companies.

  2. larrythethird May 30, 2013

    I agree with ComputerRanger. I worked at Alcatel. We merged with Lucent, which at the time owned the Bell Labs. The guys from Bell Labs could not use the in-house corporate network for any communications. All their email and other connections into the labs went through IP tunneling, amongst other forms of security. These published data breaches are usually one moron who took classified information home on his laptop and connected it to the internet with his Windows firewall disabled.

  3. Ricardo June 2, 2013

    And you keep blaming the other side…

    Tell me, who do you think let that “moron” take classified information outside a secure building?

    If the DoD and the NSA have two separate networks, then someone is making a “bridge” between them.

    Why is there classified information on the “green” network for starters?

  4. Ricardo June 2, 2013

    Oh, and I’m sure those hacked systems weren’t directly facing the public internet.

    Usually, hackers get into a seemingly harmless public server and from there work their way to other systems (or at least that’s what I’ve seen, I’m a sysadmin for a web hosting company and had to take care of a couple of issues like this myself).
