A book review by Alice Friedemann of Joel Brenner’s “America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare”.
After reading this book you’ll wonder what secrets haven’t been stolen, what infrastructure doesn’t have hidden time bombs waiting to go off, and if there are any corporations, government organizations, or military departments that haven’t lost data to cyberattacks and criminals.
So many industrial and military secrets are being stolen that our prosperity and security are threatened. We’ve probably lost half a million jobs and hundreds of billions of dollars from all the technological secrets stolen that we spent years developing.
The problem with cyberattacks is that when a system is infected with malicious code, it can be impossible to remove. The code can evade detection by opening electronic “trapdoors” allowing hackers to bypass the system’s security. If a trapdoor is closed, the code opens another door. And even if you manage to find the code, you have no way of knowing who did it, so how so how can you put anyone in jail or stop them from continuing to attack, and steal personal data, intellectual property, and national defense secrets?
Worse yet is the kind of cyberwarfare Brenner calls the “Criminal-Terrorist symbiosis”. The only difference between terrorists and nation-states is the latter have more expertise right now, but that will change. As China’s Dr. Shen Weiguang wrote, “Every computer has the potential to be an effective fighting unit; and every ordinary citizen may write a computer program for waging war.” Thanks to the 2010 Wikileaks list of world-wide critical infrastructure, terrorists know exactly what targets to attack.
Who’s stealing information?
Freelance hackers, Russian mobsters, and other countries – especially China, Iran, France, Israel plus another 108 foreign intelligence services.
The FBI has discovered that the People’s Liberation Army (PLA) in China has 30,000 cyberspies, who can draw on 150,000 private sector computer experts for help in stealing “American military and technological secrets and cause mischief in government and financial services”.
Corporations conduct industrial espionage against one other. Oracle won a $1.3 billion lawsuit against German company SAP for getting into their systems and stealing their software code.
Employees steal information to sell.
- Ford lost a great deal of design documents for engines, transmissions, and so on when a product engineer sold them to his new employer, Beijing Automotive Company.
- An employee at Goldman Sachs stole secret algorithms used to automate their securities trading.
- Engineers at Goodyear Tire & Rubber stole trade secrets to sell to a Chinese tire maker.
- Dow Chemical, General Motors, and DuPont all had intellectual property stolen
Why is it so easy?
The internet wasn’t built to be secure — it was built to be used by educational and government institutions to share information. It was never meant to be the backbone of commerce and military communications.
How do they do it?
Criminal hackers can park in a van with powerful antennas. For many years, retail stores used wireless networks that transmitted unencrypted data, which could easily be read with “sniffer” programs that grabbed credit and debit card data.
Thieves can get your personal data by getting you to click on attachments or other links that load malware, which then searches through your files looking for any that might have passwords to your banking and brokerage accounts. These files are packaged and sent back to the hackers.
Anyone who loads P2P software to get free music, movies, and other free stuff is just asking to be robbed, because now all your files are visible to cybercriminals. Examples of such software are LimeWire, Kazaa, BearShare, and FastTrack.
If you use passwords like 12345 or ‘password’, then you’re almost certainly hosting a botnet, which could be doing many things, though most likely what it’s doing is sending millions of spam emails. But the owners can also use your computer to attack companies and governments with denial of service attacks.
Many hackers steal data but have no idea what to do with it. No problem, there are middlemen who pay for credit card data and sell it to cybercriminals. So much stolen credit card data is available that the price has dropped.
Thieves love getting PIN numbers – which is bad news for you. If a criminal uses your PIN to get cash, it’s up to you to prove the withdrawal was a fraud, which is almost impossible.
Thieves also get your data by churning out 57,000 new fake web addresses every day that they load with computer malware and viruses. They’re hoping you’ll think the site is real and log on to your bank account. They’re also operating within Twitter, Facebook, YouTube, and Flickr. Soon, if not already, they’ll be looting the Cloud.
It’s so easy to hand out free poisoned USB drives at conferences and trade shows, or leave them lying around in places where someone might find them. This is how about 1 in 4 computer worms get into networks.
Executives routinely have their laptops searched and loaded with malware in their hotel rooms in some foreign countries.
Billions of dollars in intellectual property espionage has taken place. The Chinese have been very clever at getting this data. One backdoor method was to sneak into the networks of intellectual property lawyers. They’re privy to business and investment plans, business strategies, technical secrets, and much more.
This was much easier than breaking into a corporate network because lawyers don’t like listening to technical people. They’re impatient to make money, and can’t be bothered with trivial things like requiring passwords on mobile devices that connect to the firm’s servers. U.S. Law firms have been penetrated here and abroad, especially if they have branches in China or Russia.
The first sentence of the book is about twenty terabytes of data stolen from the Pentagon – that’s equal to 20% of what’s in the Library of Congress. It would take a line of trucks 50 miles long to haul this data if it were in print.
The Chinese realized that they could get military secrets by going after military contractors, who get $400 of the $700 annual Pentagon budget. So they’ve broken into computer systems at Boeing, Lockheed Martin, General Dynamics, and Northrop Grumman. These companies don’t just make tanks and airplanes – they make complex subsystems function as a whole, including merging voice, video, and data signals that travel on the same fiber-optic cables, microwave signals, and satellite links.
China has stolen military technology that cost American Taxpayers tens of billions of dollars to develop, such as:
- The Quiet Electric Drive propulsion system that makes our naval ships and submarines almost impossible to track and detect.
- Information on the next generation of “U.S. Navy destroyers, aircraft carrier electronics, submarine torpedoes, electromagnetic artillery systems, the electronics of our next-generation Joint Strike Fighter aircraft, the F-35, etc.
- They have built radar systems stolen from us, only better, since they know how our radar works, when they built their own systems they modified them in ways we can’t penetrate.
Government: The GAO says that the number of malicious software attacks on government computers is up 650% since 2006
Most of the time, banks hide theft from their systems so that people don’t lose confidence and start a run on the bank. Here are a few scams that did manage to make the news:
- Heartland Payment Systems (processes bank card payments for merchants). In 2009 130 million credit and debit card numbers and data were stolen. Their stock price went from $15 to $3.78 per share.
- Royal Bank of Scotland payroll system 2008: information stolen on ATM cards. Cards created and used at 139 ATMs and $9 million stolen within 30 minutes in the USA, Canada, Russia, and China. It’s one of the largest bank robberies in history.
Brenner states that losing control of infrastructure systems “would create widespread disruption and loss, and bring our society to a standstill”.
We are totally vulnerable – all of our industrial, military, banking, financial, satellite, air traffic control systems, dams, electric grid, oil and gas infrastructure, Nuclear Power plants, stock exchanges, sewage, water delivery systems, railroad signaling systems, telecommunications, and business systems are electronic and connected to the internet. Worse yet, essential infrastructure isn’t isolated electronically like it should be – having the electric grid and other essential infrastructure connected to the internet is crazy and dangerous, but regulatory agencies are powerless to force corporations to protect themselves.
Lives are at stake, many millions of people could die if electric grids, water delivery systems, telecommunications, the financial system, and so on were brought down for long. These targets would certainly be brought down in a war, but might even be attacked during a diplomatic standoff like the one Brenner envisions in Chapter 7 between China and the USA.
Businesses could be attacked in many ways. Production lines can be shut down. Goods can be sent to the wrong destination. HVAC could be turned off. And the cyberthieves could delete the log entries of their entry into business systems and leave no footprints or DNA like regular burglars.
CEO’s and other top executives could be kidnapped or killed if their calendars can be tapped into.
Companies are also vulnerable to extortion or the electric grid will be brought down, as has already happened in India, Saudi Arabia, the Middle East, China, and France.
We also have too many single points of failure, where the entire system comes down if just one part fails. All cyberattackers would need to do is disable one electric substation, one financial exchange, and so on. An example of this (not done by hackers) was when the 1998 Galaxy IV communications satellite failed and up to 90% of pagers in the United States stopped working. Hospitals couldn’t reach doctors; credit cards didn’t work at gas stations, and so on.
Industrial control systems are run by SCADA systems that supervise and control components scattered over many places. SCADA is constantly checking on temperature, pressure, inputs, outputs, and other variables to make changes faster than a person could. These systems were never designed to be connected to the internet. Only a few are encrypted. It was assumed a person would use them at the local facility in question.
By putting these systems on the internet, the entire economic security of our nation is put at risk. Some of it can even be accessed with Bluetooth wireless technology, which is highly insecure. This vulnerability isn’t necessary.
Industries say they need to keep their facilities hooked up to the internet so they can patch their software with the latest fixes. But they don’t systematically patch their systems, and if they did, that could be dangerous, the patch could crash or slow the industrial system down. Usually patches have d to be tested before a company dares to apply it.
Brenner says that the real reason our infrastructure is at risk is because companies don’t want to spend the money to make their systems secure. A survey by McAfee, “In the Crossfire, Critical infrastructure in the age of Cyber War” surveyed oil and gas, electricity, sewage, and telecom companies about why they weren’t protecting their systems. They said they wouldn’t be held liable and expected a government bailout, ratepayers, customers, or insurance to pay for any cyberattacks.
This system is so vulnerable to physical and cyberattack that I thank every day the electric grid is still up. I’m in awe that the operators can balance the electric load from so many intermittent sources of power, like wind, and all the hundreds of other providers and keep electricity within the narrow bandwidth it must stay in or blow up the system.
If cyberattackers or terrorists attacked the large generators that supply large cities, it would take us two years to replace them. That’s because nearly all North American industrial electric generators are made overseas, and the biggest, most important ones come mainly from China, and some from India. Can you imagine living for 2 years without electricity? And even longer if the cyberattack came from China – they’re not going to be in any rush to fulfill that order!
There are more than 1,800 owners and operators in the North American bulk-power system. There are 200,000 miles of high-voltage transmission lines, thousands of generation plants, and millions of digital controls. This is regulated by the North American Electric Reliability Corporation, or NERC. Naturally NERC wanted to know which, if any of these assets are being protected. So NERC contacted the industry and asked them to identify the assets that “if destroyed, degraded, or otherwise rendered unavailable would affect the reliability or operability of the Bulk Electric System”. Since there’s no definition of what’s critical, the results were disappointing to put it mildly. 73% of respondents said they didn’t have any critical cyber assets.
That’s because engineers are trained to think about the odds of equipment failing, but they don’t have a clue about the risks of malicious cyberattacks. Nor can NERC force utilities to do anything, because each utility can do whatever they want, NERC has no teeth. Congress has allowed owners and operators to control whatever standards they feel like applying to themselves.
What needs to happen is for the electric grid to have systems that can recover quickly because of redundant systems. Thanks to the deregulation of the electricity, no one is responsible for the physical infrastructure of the grid, and it’s falling apart. It used to be triple-plated, or triply redundant, now it’s a bare bones single plated skeleton. I’ve got an Electric Grid Overview at energyskeptic that explains this in detail.
President Obama has said that “We know cyberintruders have probed our electrical grid and in other countries cyberattacks have plunged entire cities into darkness.”
Senior intelligence officials believe the Russians and Chinese are already inside parts of the electric grid in the USA, and have left behind software that could be turned on and used to destroy the grid if we went to war. Meanwhile, Iran and terrorist groups like al-Qaeda are trying to do this as well.
Electric grid attacks:
- Brazil had blackouts affecting 3 million people and took down world’s largest iron ore producer, costing that company $7 million dollars.
- Australia: extremists with the Pakistani group Lashkar-e-Taiba tried to bring the grid down in 2003 (the group that committed mass murders in Mumbai 2008)
If an insider could be bribed or hired, the odds of a successful attack would be quite high. A disgruntled employee could help ID critical systems, let cyberattackers through internet and real physical doorways, and send details of how security works at a given facility.
Oil and Gas. Disastrous economic and environmental harm could be done by sabotaging oil and gas infrastructure.
- Oil rig blowout preventers could be attacked and other components of offshore drilling equipment and create another Gulf Oil spill or worse.
- In 2009 an employee at pacifric Energy Resources sabotaged the leak-detection system on an oil rig off the California coast (luckily discovered before harm was done)
- This sector has the highest infiltration rate, with more than half of companies in this sector with stealth attacks every month.
In 2000 an angry sewer system operator in Australia got even by driving around and giving radio commands to sewage equipment that made the system fail. Pumps stopped, alarms remained quiet, and pumping stations couldn’t communicate with the main computer. The result was millions of gallons of raw sewage erupting into parks and rivers. If he’d attacked the water supply instead, he’d have killed people
In 2010 a gigantic botnet was discovered that had gotten into at least 75,000 computers at 2,500 different companies around the world, such as Marck, Paramount Pictures, and Juniper Networks. This malware was stealing the logins for corporate electronic financial systems.
Credit and Debit card number theft
Below are some of the companies mentioned in the book. The number in parentheses is the number of customer credit and debit card numbers & data stolen:
- Best Western hotel group 2008: (8,000,000) Sold to Russian mafia.
- BJ’s Wholesale Club (400,000), DSW (1,000,000), Marshalls & T. J. Maxx (45,600,000), Dave & Buster’s, OfficeMax, Boston Market, Barnes & Noble, Sports Authority
- Walmart: Kim Zetter, “Big-Box Breach: The inside story of Wal-Mart’s Hcker Attack,” Wired, October 13, 2009.
- Montgomery Ward 2008: (51,000) Brian Bergstein, “Wards didn’t tell consumers about credit card hack”, USA today.
- HEI hotels & resorts (i.e. Hilton, Marriott, Sheraton, etc.) 2010: credit card data of several thousand guests by altering swipe machines at check-in counters
- 7-Eleven: $2 million from 2,200 Citibank ATMs and $5 million in fake prepaid iWire cards
- Hannaford supermarket chain: (4,200,000)
The ‘bid data’, which as the quantity, value, and location of oil discoveries worldwide was stolen by Cina from Marathon Oil, ExxonMobil, and ConocoPhillips. This information costs tens of millions of dollars to get by using expensive exploration equipment and software.
On page 67 Brenner describes the history of China, the upshot of which is that “China does not regard Western domination as normal, and it does not suffer from an inferiority complex.” For most of history, China was the top dog. Until the 15th century, they had the world’s highest per capita income and best technology. Their goal is to be the top dog again.
On page 75, Brenner believes that “an armed conflict between the United States and China would likely be a naval confrontation, and naval modernization is one of China’s highest priorities”.
From my ecological and natural resource point of view, their victories are temporary and Pyrrhic. The world has been at peak oil since 2005 and is close to, or past peak coal (energy-wise) and close to peak natural gas as well. Nearly all of the trillions of combustion engines will come to a stop by 2100 with nothing to replace them, because “renewable” energy has such weak energy density and capacity that it can’t ever replace fossil fuels (see energyskeptic for details).
Meanwhile, China has destroyed its ecosystems, and poisoned its water, land, and air for many millennia. They’ve mowed down their forests and imported so much wood from ecosystems essential to the health of the planet (i.e. Amazon basin, Indonesia, etc.) that there will be few forests left at a time when we’re on the cusp of going back to the age of wood.
As far back as 1988 the idea of information warfare was presented by Dr. Shen Weiguang at a lecture at Beijing’s National Defense University. Weiguang said that instead of killing or occupying enemy land, victory would come by using the “information space” to destroy the enemy’s military, financial, and telecommunications networks.
This idea really struck home as the Chinese watched the USA smash the Iraqi forces in 1991, when they realized we could do the same to the People’s Liberation Army. Clearly a better way to fight the Americans would be economically by stealing secrets electronically and using cyberwarfare — much less expensive and potentially more destructive than military weapons – rather than direct confrontation. If the military could be paralyzed, their information systems corrupted, and made blind and deaf, the American military would be useless, impotent.
In addition, the Chinese realized they could attack a nation’s currency after watching George Soros attack the currencies of East Asian nations.
The Chinese haven’t even tried to hide how they’d go about using cyberwarfare to their advantage. They’ve made it clear they’d attack a nation’s communication and control nodes so that they couldn’t trust their own systems, which would disrupt decision making, operations, and moral. They’d bring down the electric grid, transportation systems, and financial networks.
Chapter 7 is a scenario of how this might take place in a fictional scenario between China and the USA that takes place in 2017. Brenner says “I’m not predicting this scenario, but it’s well within the realm of possibility. And we would be foolhardy not to prepare for it.” You’ll need to read the book to find out what happens, since it’s too long a scenario to summarize.
The Chinese military understands that nations too fond of war perish and believe that Americans are incapable of realizing that due to their love of technology.
Brenner defines 6 kinds of cyberwarfare:
- Electronic propaganda, where each side tries to portray themselves as superior through TV, internet, and radio broadcasts
- Massive Denial of Service attacks. Russia used denial of service attacks to shut down the Estonian governmental and financial institutions.
- Strategic cyberwar against infrastructure: railways, power grids, air traffic control. Brenner thinks this is unlikely because it would be hard to limit to a single country, and disrupting financial markets would affect everyone.
- Electronic sabotage is passing along bad information, computers and microchips that might initially perform well, but eventually fail, or attacking supply chains. Most devices are composed of hundreds of parts that come from all over the world, so counterfeit computer chips, low-quality screws, and other components could disable an enemies products.
- Operational cyberwarfare is taking over the enemies communications systems, like the USA did in 2003 in Iraq, tricking their radar systems, and so on.
- Criminal-Terrorist symbiosis. The definition is in the introduction above.
I’m sure Brenner would like his book to be a wake-up call for America’s businesses to do more to secure their networks, especially the companies that run the power grid and other infrastructure.
But how can that happen? Capitalism is broken. The regulatory agencies are powerless and have been captured by the industries they regulate. The shareholders and executives of companies don’t want to spend money on network security, because that subtracts from the share price and dividends of the stock they own. And as Brenner wrote above, if something goes wrong, companies expect the government, ratepayers, customers, and insurance to pay for the damage.
In the end, perhaps they are right not to make their companies more secure from cyberattacks. Why bother? What you see when you look out the window is temporary, those roads and buildings won’t be there some day, as I explain at energyskeptic in “A century from now concrete will be nothing but rubble”. It will be a miracle if the electric grid, internet, and telecommunication networks last that long also. Whatever we have will diminish vastly in scale as fossil fuels decline
In fact, I argue at energyskeptic in “Peak Resources and the Preservation of Knowledge” that microchips will be one of the first products to stop being manufactured on the downslope of Hubbert’s Peak, since they have by far the most complex supply chains of anything on earth, take thousands of steps using rare metals to construct, require purity of .999999 to .9999999 to make, and several days during which the electricity must operate the entire time, to name just a few reasons.
Once energy declines, the ability to repair damage will greatly be reduced as oil is diverted to agriculture and other essential services. As time goes on, broken infrastructure will remain broken.
So I hope that cyberwarfare and terrorism don’t end the party any sooner than necessary. Especially if there’s any chance cyberattacks could trick United States, Russian, or Chinese nuclear warhead systems into thinking they were under attack and launching a nuclear missile, or cause nuclear power plants to melt down after the grid was down long enough and the backup generators ran out of power.