In the wake of the 60 Minutes story there has been both a significant amount of attention given to the story online and the expected complaints that the story was overhyped. The specific complaint was the citation by “prominent intelligence sources” that the Brazilian power outage was caused by cyber attacks. I even received some tweets dinging me for propagating the hype from my last post on the original 60 Minutes story.
The complaint is that 60 Minutes didn’t do their homework and that there is no proof that the actual outage was caused by hackers. I won’t get dragged into that dispute here, but I would like to address the conclusion that some have made that hacking in general is overstated.
To those who work in the security industry and say that the cyber threat to both Government and private systems is overhyped, my answer is: have they even been paying attention? Both foreign governments and organized online crime have been carrying out attacks with specific purposes with increasing frequency, and the evidence is all around us.
Here are some examples:
- From 60 Min story – U.S. Government loses over a terabyte of sensitive information:
  “In 2007 we probably had our electronic Pearl Harbor. It was an espionage Pearl Harbor,” Lewis said. “Some unknown foreign power, and honestly, we don’t know who it is, broke into the Department of Defense, to the Department of State, the Department of Commerce, probably the Department of Energy, probably NASA. They broke into all of the high tech agencies, all of the military agencies, and downloaded terabytes of information.”
- Hackers steal over 130 million credit card numbers online – In August Albert Gonzalez was indicted for stealing over 130 million credit card numbers from Heartland and other online businesses.
- Clampi trojan steals bank login information – CNET posted a good article on the organized use of trojan horses to monitor our online activity and steal our credentials when we visit one of over 4600 banking sites.
- Bahama botnet used to drive online click fraud – From a recent eWeek article:
  Click Forensics, which has been reporting on click fraud data and trends for over four years now, released its figures for Q3 2009 this week. According to the latest figures, botnet-driven traffic accounted for 42.6 percent of all the empty ad traffic between the beginning of July and the end of September 2009.
  The results represent a significant increase in such activity, more than doubling botnet-driven click fraud compared to the same period in 2007 and gaining from the 27.5 percent reported for the same quarter in 2008.
These aren’t random infections from worms. This is organized hacking with a purpose. These are just a few real examples of our systems under attack, and there are far more that simple searches will reveal. Our online systems are targets, plain and simple, and the security of our power grid is serious business.
If there is one thing that I hope people get from the 60 Minutes story, it’s that we need to understand the threats that exist out there and take the steps to mitigate that risk before a serious attack takes place. We have to remember that all significant threats can be considered FUD before they happen. When it comes to protecting our critical infrastructure, I hope we don’t stick our heads in the sand.