Tom Olzak

Archive for the ‘Critical Infrastructure’ Category

Shadow IT: Treat the cause, not the symptom

In Application Security, Business Continuity, Cloud Computing, Critical Infrastructure on July 8, 2015 at 04:00

I just posted an article at Toolbox.com about the business risks associated with shadow IT.  Many organizations see shadow IT as a disease to be cured.  However, as I write in my post, shadow IT is a symptom of a deeper issue.  It is this issue, related to IT remaining stuck in the past, that must be addressed.

Nyuh-uh… wasn’t me…

In Business Continuity, China, Computers and Internet, Critical Infrastructure, Cyber Espionage, Cyber-warfare on February 20, 2013 at 18:48

Read this article first: “Unit In China’s PLA Behind Massive Cyber Espionage Operation: Report” (SecurityWeek.Com).

Now we can talk…

It should come as no surprise that China is aggressively hacking into anything it can.  In 2009, Gurmeet Kanwal wrote in the Journal for Defence Studies,

“The Chinese call their pursuit of information warfare and other hi-tech means to counter Washington’s overwhelmingly superior conventional military capabilities “acupuncture warfare”, a term that first surfaced in a 1997 PLA National Defense University publication entitled “On commanding Warfighting under High-Tech Conditions.”  Acupuncture warfare (also called “paralysis warfare”) was described as ‘Paralysing the enemy by attacking the weak link of his command, control, communications and information as if hitting his acupuncture point in kung fu combat.'”

So the Chinese have hacked, wheedled, and otherwise slunk into our national infrastructure.  They seem to be expanding on their initial acupuncture approach with theft of information needed to catch up with or impede Western technical and financial progress.  Of course, the Chinese deny they are anything but victims.

Yes, it is naive to believe we aren’t just as aggressively going after the Chinese.  However, public and private organizations still fail to understand the threat.  In China, the government has no problem applying pressure where needed to protect national infrastructure.  In fact, it is highly probable the Chinese government can disconnect China from the Internet on command.  In both areas, Western nations are at risk.

The path we must take in the West is to force government, financial institutions, utilities, healthcare organizations, and other critical service providers to secure their networks or face severe sanctions.  After all, we can do little about what China sees as behavior in support of its national security.  What we can do is remove the vulnerabilities it exploits and closely monitor for what is obviously continuous malicious activity.  We’ve waited long enough for government and private management to do the right thing.  It’s now time to pick up Teddy’s big stick and domestically whack some heads.

Executive Order: Improving Critical Infrastructure Security

In Control Systems, Critical Infrastructure, Cyber Espionage, Cyber-warfare, Government, Regulation on February 15, 2013 at 21:03

President Obama issued an executive order (12 Feb 2013) addressing the need for a cybersecurity framework to protect the critical infrastructure of the United States.  You can read the order here...  In theory, it’s what we need.  In practice, how long will it take before politicians weaken the order’s intent to the point that it becomes a meaningless script for staging a “We really do care” position?

The order includes a directive for information sharing but leaves it to the various departments to decide who to notify, what to declassify, etc.  Based on how slowly our bureaucrats move on anything, an attack will be long over and China will be manufacturing the stolen designs before a notice goes to the potential targets.  Nothing in the order specifies process or technology needed to give timely notifications.  Given how long it has taken the government to understand it has a security problem, the delays in achieving the president’s expected outcomes will likely last far into the next administration… where its eventual demise is highly probable.

The administration is looking for incentives to encourage critical infrastructure owners and operators to carry out recommendations the NIST is requested to formulate.  Incentives?  Incentives for public utilities, for example, will need to be a kick in the pants and the threat of jail time.  If the operators of critical infrastructure really cared, we wouldn’t find ourselves in this mess.  It wasn’t yesterday that security became an issue for anyone with a computer.  There is no excuse for our current situation except heavy lobbying and political career survival practices.

I do hope there is progress on the president’s plan, but I’m not hopeful.  My faith in business and government doing the right thing left the station long ago.

 

 
