National Cybersecurity, Politicians, Black Hat Magic and White Lies
Across the globe, world leaders are being briefed about the threats and risks to critical infrastructure and national security. Politicians are being told tales of cyberwar, disruptions to power and transportation systems, financial chaos and what could be the end of civilization as we know it. Technical gurus demonstrate how easy it is to compromise and take control of a system, like the main act in the center ring of a circus, to instill shock and awe into the crowd of curious onlookers. And why are these things being done? To gain support for cybersecurity initiatives and spending against the threat de jour – the hacker.
But is everything being presented the truth, the whole truth and nothing but the truth? I’m not so sure that it is.
While those briefing world leaders talk about the aforementioned threats, I’m wondering if the risk being presented – the likelihood that any of the terrible things being mentioned will actually happen, is based on theory, perception or reality. Why? Because no one outside of a country’s borders can hack a system that isn’t hooked up to the Internet or accessible via a dial-in connection. The same thing goes for those attempting to hack into systems from within a country. If an organization has all of its systems on a closed network with no Internet access and no remote access capabilities, the only real threats are a trusted insider or unauthorized physical access.
In all the information that is floating around in the media and on government Websites, has anyone seen any numbers as far as what percentage of a country’s critical infrastructure has a direct connection to the Internet? How about the breakdown by infrastructure type? Has anyone seen any figures with regard to insufficient physical security measures? How about percentage of personnel maintaining critical infrastructure that haven’t completely a background check?
Is the current cybersecurity assessment really as bad as government officials and the media make it out to be? Are all of these systems completely unpatched and unprotected against any threats? Are the system and network administrators that manage these systems completely incompetent?
The most simplest solution to protecting critical infrastructure from compromise over the Internet, is to move part or all of an organization’s assets onto a closed network. This is achievable through several means, including separate physical infrastructure and virtual private networking. Are these options even being considered?
Something is very wrong with some of the legislation being passed around the globe to address cybersecurity issues. As I’ve questioned in previous posts, how many of these lawmakers truly understand the issues beyond what they are being told? Have lawmakers become an easy victim of fear, uncertainty and doubt because of their lack of knowledge?
Someone has to stop the madness – and that someone is you. Spread the word.