Our interview with Damon Petraglia, a Cyber-Terrorism expert and member of US Secret Service Electronic Crimes Task Force, about the threat of Cyber-Terrorism and how it could affect the United States.
Can you tell us a little about your background in relation to cyber security?
I am a cyber-terrorism and cyber-crime expert certified in Risk and Information System Control. I hold a Master’s degree in Forensic Computer Investigation and have extensive experience in information security consulting throughout the world. I am a recognized Cyber-Terrorism expert often cited by the media, have appeared on television and have been special guest presenter at several national information security conferences.
My background includes work as a federal contracted special investigator. I have taught at the graduate and undergraduate level and have provided trainings for police departments, hospitals, government agencies and major corporations. I developed and presented the Information Security Training curriculum for the Information System Security Officers (ISSO) and security staff at major government agency. Additionally, I teach law enforcement and am a member of the electronic crimes task force for the US Secret Service. The protection of critical infrastructure assets is my focus.
Can you tell us what threats you see in the immediate future?
The immediate future is already here. The United States is currently under attack. The attacks are against government system and private corporations. This article will provide detail of current and future states.
In regards to our infrastructure (power grids, water, utilities etc…) how vulnerable are we?
Unfortunately our Infrastructure is very vulnerable to attack. To understand how and why we are vulnerable we need to look at the infrastructure and its interdependencies. There are 18 defined Critical Infrastructure Sectors:
Of these 18 sectors many are controlled by SCADA (supervisory control and data acquisition) systems which are a type of industrial control system (ICS). SCADA systems typically control things like the power grid and nuclear reactors. SCADA systems use different computing language and protocols than most computers systems people typically interact with. For many years SCADA systems we thought to be more secure. Additionally SCADA systems used to be for the most part what is known as “air-gap” systems. What this means is they do not hook into the Internet or other Wide Area networks. So to attack them the attacker would need to physically access them. This has been difficult in the past as physical security at nuclear plants and power stations have been better addressed than logical security.
This is no longer the case as evidenced with one of the most studied attacks known as Stuxnet. Stuxnet was an extremely sophisticated computer worm. Perhaps the most sophisticated piece of code at the time. It was discovered in June of 2010. In simple terms Stuxnet targeted specific ICS in the Iranian nuclear program by leveraging vulnerabilities in both Windows systems used to program the ICS and the ICS controls themselves. Essentially Stuxnet instructed the centrifuges which are used to enrich Uranium, to spin at irregular speeds resulting in burning out or destruction of the centrifuge motors. While Stuxnet instructed the centrifuges to spin incorrectly, it would report back to the operators that the systems were operating normally. The result was a significant delay and cost to the Iranian nuclear program. To this day it still has not fully recovered. What should be noted is that Stuxnet most likely entered the systems on an infected USB device. This is a very low-tech way to initiate a very high-tech attack. It is also the most effective by attacking the weakest link; the human element. What this really means is, for some reason a human being was compelled to put a USB device into a computer used to control the ICS.
Now imagine code similar to this being used across multiple critical infrastructure sectors. Imagine causing nuclear reactors to either meltdown or shut down while disabling emergency communications throughout geographic areas of the United States.
In regards to our financial infrastructure, how vulnerable are we?
Our financial infrastructure, while part of the 18 critical sectors, is typically designed differently than those sectors which use SCADA and ICS. The financial infrastructure has some unique attributes which differ from the other 18 critical sectors. Our financial systems are interconnected globally. Value is affected by global markets. We hear about hackers and other criminals able to incept funds, steal account holdings, transfer money and in general steal money this way. When you analyze this most of what you read or hear has to do with the criminal element and tangible theft of funds, however much more vulnerable and much father and deeper reaching is the idea and actions behind corporate espionage. What I am referring to is the idea of State-Sponsored corporate espionage.
Competition has always sought to steal the trade secrets and intellectual property from the opposition. Long ago this was the “cloak and dagger” type of spy versus spy, but in today’s interconnected world. One does not need to physically breach a corporation to steal the high value trade secret or intellectual property data. In fact, one does not need to even be in the same country.
The United States is a global economic super-power with strong value to its dollar. We are the biggest financial target on the planet. It has been claimed that other countries including China have already breached or otherwise infiltrated every major US based corporation. What this means is that a foreign countries are actively stealing US trades secrets, intellectual property and research data. This theft and espionage is typically state sponsored and performed at a military or intelligence level; these are not your typical hackers, these are highly trained, highly skilled, highly protected intelligence and military units. In many of these foreign countries the stolen data is then used for profit of the country which stole it, either by selling the data or using it to produce products or services, or by leveraging sensitive information for their own economic advantage. This has been referred to China’s Death By A Thousand Cuts.
With every theft and breach of US private industry, the US begins to lose its global economic advantage and the value of the dollar declines. If this continues it will lead very quickly to a severe economic crisis in this country which will be far worse than the great depression or any economic crisis in history.
How would this type of attack affect the country? What would the actual impact be in terms of scale?
I discussed the concept of multi-vector attacks leveraging other crisis in a previous interview with Off-Grid Survival. I will expand upon that and walk though what the attacks might look like, the scale and the impact.
First we need understand global warfare. Traditionally there have been specific theaters of war: Land, Sea, and Air. These are the physical places where war actually happens. In the 1980s a fourth theater was added: Space, and this was the start of the “Star-Wars” program under Ronald Reagan. In the theaters of Land, Sea, Air, and Space there can be physical action and physical counter measures. Vehicles and troops can engage on the land, ships at sea, planes in the air and missiles and rockets in space. Now we have added
A fifth theater: Cyberspace. This theater is unique as it overlaps and affects all other theaters. As an instrument of war it can be, has been and is used in several ways.
Malicious code can be used to produce physical results as we have seen with Stuxnet. Computer code is now weaponized to produce physical damage. Communications, planning and information exchange essential to military strategy, location and movement can now be intercepted by the enemy. This can give the enemy military advantage as well as allow the enemy to alter intercepted information. Altering the supply chain information could lead directly to military advantage and win. Imagine altering the supply chain of the adversary and re-routing ammunition, fuel, food and water away from the adversary’s front lines.
Now imagine affecting, not only the military, but an entire country including the civilian population in the same way. From a military perspective, normal course to disable and disorient. We have seen this done by an initial bombing campaigns targeting communications, radar, defenses, transportation and other sectors of critical infrastructure. After the bombing campaign the troops (boots-on-the-ground) are sent in to occupy and control strategic areas.
Rather than bomb to disable and disorient, a series of cyber attacks can be used with a cascading effect for more effective, deadly, and disabling than bombing or traditional warfare has ever been able. Think of basic human needs according to Maslow’s hierarchy. Humans need water, food, and shelter before anything else. Without those basic needs met, humans will have no way to defend against attack or occupation. In fact to get those core needs met, neighbor will kill neighbor and brother will kill brother just to survive. In other words, if in the course of war you can remove water and food from your adversary you only have to wait. With water and food removed or scarce in a population, that population will spin into complete anarchy very quickly and essentially tear its self apart with little or no influence from the aggressor military or nation.
If this were to happen, coupled with continuous attacks against the financial infrastructure, communications, and transportation so that food and water no longer moves to the people, the scale of impact would be complete devastation to the target nation and further cascading effect to every nation which relies on import / export relationships with the target nation. We would see a tremendous global effect, which would mostly like change our planet forever.
Do you believe this country has been attacked already?
We have been attacked and we are under attack 24 hours a day, seven days a week, 365 days a year. Our military systems are probed in excess of hundreds of thousands of times per hour. Our private industry can claim similar statistics.
In your opinion, will future wars be largely fought in cyber space?
Wars will not be fought in cyberspace exclusively. War will always involved human beings and physical occupations or some sort of physical control. Cyberspace will be the most effective theater for military operations so it will be used more than any other theater, but it will not be a cyberspace exclusive war. Militaries will utilize the cyberspace theater to real world advantage.
How prepared are we as a country to deal with this problem (from both a private and public sector perspective)?
One of the greatest concerns is that over 85% of critical infrastructure is privately owned and operated in the United States. Therefore oversight and resource allocation in some areas may be inconsistent. I have been working with both the public and private sectors for a number of years and I can honestly say that the people who understand the vulnerabilities, threats and risks associated work tirelessly to protect us. My concern is that they need more resources, more funding and better information sharing to address the current environment.
Additionally our entire cyber-supply chain is under attack. The government is aware and reports that computers and electronic components which go into computers and networking devices have been found with pre-installed malware, spyware and configured with known vulnerabilities. This creates both a huge vulnerability and a great opportunity. The vulnerability is obvious. The opportunity to bring 100% manufacturing of high technology back to the United States is one that should be supported and advocated for by the Government.
How can the average person prepare for this type of threat?
Believe it or not the average person can do a tremendous amount. Prevention is always the first course. First, at home and from mobile devices, keep patches and antivirus products up to date. It seems minor but every little bit helps. The reason is that many people have the ability to access their corporate networks via there home computer or mobile devices. This is a known avenue to infect corporate system.
Be aware. Take information security training seriously at your workplace. I have provided trainings throughout the country and I know it works because I receive emails from participants who tell me how they identified something malicious and did not let it execute on the network, but before the training they would have never known. Be aware of anomalies and strange things such as a USB device left in the workplace parking lot. This is a tactic often used because the adversary knows that curiosity will provoke someone to bring it inside and attached to a computer. Once attached it will transfer malicious code and infect the network, typically with no indication or alert to infection.
Preparing for an actual worst case scenario is similar to the preparations one would make for extended period without adequate food and water supplies and access to emergency services. Look to reliable sources such as the Centers for Disease Control (CDC), National Institutes of Health (NIH), and World Health Organization (WHO) for preparation and response guidance regarding health as without adequate food and water supplies and access to emergency services a severe health crisis will be a concern.
Damon Petraglia is a Cyber-Terrorism expert and member of US Secret Service Electronic Crimes Task Force.
He is also Dir. of Forensic and Information Security for Chartstone.