What do we do when we discover a storm brewing in the Atlantic that becomes a tropical depression heading toward the East Coast? We prepare.
Cybersecurity experts have been tracking just such a storm, which has been brewing in cyberspace for the past several weeks, and they expect it to hit a million organizations worldwide. And as its predecessor, Mirai, did almost exactly a year ago this month, it is expected to take down vast portions of the internet and perhaps even dwarf that historic cyber-hurricane that hit major websites on the Atlantic Coast and crippled a huge part of the internet’s backbone.
Are we prepared? Of course not.
This hurricane, which has been named Reaper (as in grim), was first detected in September, and trackers say it is growing by 10,000 devices per day. As with its predecessor, it is infecting cameras and routers and other internet of things devices, which typically have weak security controls in place. Following the last storm, we were told to make sure that all of our internet-connected devices, especially our home routers, were up to date with the latest firmware upgrades and security patches. I will bet the mortgage that no one did any of that.
As the governor of Minnesota, Mark Dayton, told a gathering of cybersecurity experts in Minneapolis this week: “I fear that it will take something truly catastrophic to gain the public’s attention.”
I am pretty sure he’s right about that, but unlike a physical hurricane that comes and goes in a few days, leaving a mess behind that can be cleaned up fairly quickly, a cyberstorm like the Reaper has the potential to leave a lasting impression on the landscape, one that none of us will want to imagine.
A Reaper-class cyberstorm can shut down the entire U.S. critical infrastructure. It can destroy industrial controls for equipment we rely on to manage energy, water, communication, transportation, and agriculture, just for starters. These operational systems will not be returned to any sort of normal online status when and if the storm passes, and repairing some of the major components will be difficult and in some cases impossible.
Most of our power generator components, for example, are made in Europe and China and since we do not have a backup supply on hand, they will have to be built and then transported to the locations where the outages have occurred. Many of these are of the size and weight that challenge overland transportation, and in some cases it will simply be impossible to get them where they are needed. The lead times for a new build can be a year or more.
This new storm is now spreading across the United States, Australia and other parts of the globe, and many trackers are concluding that the purpose is to test systems and create global chaos while sending a message that hurricanes like this one are a precursor of things to come. Not unlike analogous kinetic storms in physical space, we will be unable to halt this or those that follow given the state of our cybersecurity readiness. If I were planning on shutting down all of the energy systems in a target country, I would pick the beginning of winter as a good time to start. Oh …
Now you would think that this sort of impending doom would be sufficient to motivate members of Congress to craft some emergency legislation that addresses all of the vulnerabilities with specific plans to prepare and recover, but no matter how hard or deep you dig, you will find nothing of the sort.
What, then, will it take? We had a very minor bot attack last October when Mirai assembled over 100,000 bots and attacked the Dyn domain name system (DNS) infrastructure with a large, distributed denial-of-service (DDoS) attack. The result was that the internet was unavailable to most people in the U.S for the better part of a day. What happens when the next attack assembles 100 million bots and invades all of the cameras, televisions, home routers, and other vulnerable internet of things devices connected on the internet while conducting a serious and widespread DDoS attack?
That small attack last October did, however, succeed in opening up an important conversation about internet security and volatility. Not only did it highlight vulnerabilities in the security of internet of things devices that need to be addressed, but it has also sparked further dialogue in the internet infrastructure community about the future of the internet itself.
That is all good, but the internet infrastructure community is not the right place to be talking about this.
Our leaders in Congress and the administration are the only people who have the power to effect change and to enforce the requirements for upgrading our operational industrial control systems throughout our entire critical infrastructure. The responsibility to prevent a cyberattack and protect our nation’s infrastructure rests squarely on their shoulders, and it is well past the witching hour.
We need a joint task force led by the private sector to immediately formulate and implement a defense system to not only prevent an attack of this nature, but to develop an offensive that can take the fight to the enemy. This is not that hard. Where is Congress when their collective voices are actually in demand?
Four in 10 millennials don’t know that Equifax was hacked and seven in 10 don’t understand how the Equifax hack affects them. It seems we have finally arrived at peak stupid.
“Asleep, though we stand in the midst of a war … Gotta get mine … Gotta get more” — “Township Rebellion,” Rage Against The Machine
Steve King is the COO of Netswitch Technology Management and a LifeZette contributor.