Surveillance or Security?: The Risks Posed by New Wiretapping Technologies (30 page)

Such collaborations carry many intellectual property risks and require
various forms of information security, from laws protecting intellectual
property, to contracts protecting collaborating partners, to cryptographic
algorithms protecting the data transiting between them. Each aspect of
security is crucial if this globalized system of production is to function. It
is not news that data must be protected, but there are two new aspects to
the equation: the increasing complexity of the supply chain and the role
information plays as a commodity. It is worth looking at this particular
aspect in more detail. I have chosen to examine the collaborations that
Sun Microsystems, a computer manufacturer, has with its partners."

Sun Microsystems, a subsidiary of Oracle, is a computer company that
produces workstations, servers, storage, software, and services. Most software is developed in house, and virtually all the rest of Sun's technology
offerings are designed by Sun-and built and assembled elsewhere.

Outsourcing is simply moving production outside the company, subcontracting as a way to lower production costs, access cheaper resources,
including labor, and focus on core business functions. In many ways outsourcing is a natural progression from the division-of-labor model that
began over two centuries ago. Thus, for example, a computer manufacturer
has no need to be its own travel agency, for example. Instead of staffing a
corporate department responsible for booking travel, it is far more cost
effective for the manufacturer to outsource that function to a travel agency,
which naturally has much greater expertise in making hotel, car rental,
and flight reservations.

Sun's first decision was to outsource certain aspects of manufacturing
that had become too expensive to do in house. Sun engineers would design the chips, boards, and modules, but these would be fabricated elsewhere
(though Sun would still be hands on in testing). As Sun's product line grew,
there were increasing numbers of partners. Pieces were manufactured by
different suppliers and assembled by partners-a process not unlike the
manufacture of the iPod.

From chips to servers, Sun designed the system while partners built
individual pieces. The product was ultimately a Sun server, a Sun storage
device, and so on. As with the iPod, Sun's role is creating the technology
and managing the supply chain. Sun developed "one-touch" outsourcing:
each customer order-and keep in mind that such high-end systems are
highly customized-requires Sun to configure the supply chain a single
time and then pieces would be shipped, configured, combined, perhaps
multiple times, without any additional hands-on management from Sun.

In 2001 Sun's model changed to partnering with other companies to
provide services.73 This complicated security. It is one thing to outsource
production, where the intellectual property being shared, although potentially voluminous, is a fixed amount. It is quite another thing to outsource
where the ability to provide the services may require constant connection
into the heart of Sun's own systems.

Consider customer support, for example; at Sun such support is provided not by the company itself but by outside partners with which it has
contracted. Sun sells high-end systems to large financial customers. Customer support does not consist of answering simple questions like "Why
can't I print?"" but instead resolving complex issues where the documentation to answer the questions may be available only within internal Sun
systems. Performing customer support for these customers means Sun's
partners have access to large swaths of Sun internal information. The image
of what is "inside" the company and what is "outside" changes when such
outsourcing occurs. The outside partner is inside the company. The security challenge is clear. Sun's contractual arrangements with suppliers carry
numerous requirements, from physical security to personnel security to
process security, and Sun conducts periodic security audits to ensure these
are met.

On the communications side, Sun's original solution was dedicated
digital Ti and T3 lines (respectively carrying 1.5 and 44 million bits per
second) for communicating with suppliers. Later the company switched to
using virtual private networks. Both solutions secure communications
between outside suppliers and Sun internal networks. What Sun does
not-and cannot-do is secure the communications systems of the
outside suppliers. If these are penetrated, then so are Sun's. This is part of the business risk that arises when suppliers are in nations where electronic
eavesdropping is a matter of course rather than a matter of probable cause.

In its reliance on outsourcing, Sun is far from unique. The fiber-optic
cable connecting the United States and Europe to parts of the world where
educated labor is much cheaper means that outsourcing is a permanent
part of the economic landscape.75

7.3 Critical Infrastructure Risks

In recent years, the need to protect critical infrastructure has become a
mantra. We hear that risks to critical infrastructure are great and we are in
much danger. Yet there appear to have been no attacks. For a topic so
much in the public eye, critical infrastructure risks remain remarkably
obscured by fog (not to mention sturm and drang). Confusion begins with
the definition of critical infrastructure, which the PATRIOT Act calls the
"systems and assets, whether physical or virtual, so vital to the United
States that the incapacity or destruction of such systems and assets would
have a debilitating impact on security, national economic security, national
public health or safety, or any combination of those matters."" The definition in a U.S. 2006 National Infrastructure Protection Plan is even more
expansive, listing the following as key infrastructure resources:

agriculture and food, defense industrial base, energy, public health and healthcare,
banking and finance, drinking water and water treatment systems, chemical facilities, commercial facilities, dams, emergency services, commercial nuclear reactors,
materials and waste, information technology, telecommunications, postal and shipping, transportation systems, and government facilities." The list also includes
national monuments and icons, which are surely not critical infrastructure by anyone's definition.

The first known IT threat to critical infrastructure was an incident
that might have escaped notice had it not happened to shut down an
airport. In 1997 a teenage hacker accessed a NYNEX switch in central
Massachusetts-one that did not require authentication-and corrupted
information in the switch, disabling access to the Worcester Airport. The
main radio transmitter was unable to communicate with the control tower,
and incoming planes could not activate the runway lights. The airport
was closed for six hours.78 The problem arose from a convergence of
an old-style switching network-the PSTN-with new-style control. The
Worcester situation illustrates the generic problem that results when
closed proprietary control networks are connected with the open Internet.
New vulnerabilities are created. Nowhere is this more apparent than in the supervisory control and data acquisition systems (SCADA systems)
that control industrial processes, including the electric power grid, water
and sewage systems, oil and gas pipelines-in short, much critical
infrastructure.

Such industrial systems require constant monitoring of temperature,
pressure, power, and other variables. Depending on the application,
they must be controlled on a minute-by-minute, second-by-second, even
millisecond-by-millisecond basis. Consider electric power. The generation
of power is due to the need, which can change from minute to minute as
people wake up in the morning, turn on their coffeemakers, run their hair
dryers, check their email, and so on. Power must be available when the
customer wants it. Generating systems must respond to rapid changes in
demand. In recent years, deregulation has engendered competition, and
power companies do short-term sales of power to each other depending
on who is generating power most cheaply. Contracts are of very short
duration-minutes, not hours. The cost of power is determined through
measurements made by the SCADA systems.

There were no networks at the time SCADA was developed, and the
systems were designed with the expectation that they would work independently. SCADA systems send messages in the clear, without encryption
and without requiring authentication." Yet where once SCADA systems
used proprietary protocols to communicate and were designed with the
expectation that they would be operating in an isolated network, now
these are IP-based systems connecting to networks outside the plant.
Matters were not helped by the fact that vulnerabilities in critical infrastructure became known as a result of efforts to handle the Y2K problem
in the late 1990s.80 While much information was removed from public
view in the wake of September 11, knowledge of the vulnerabilities is not
so easy to take away from potential attackers.

One might think that security could simply be added ex post facto to
SCADA systems, but security is never easy to add on. Because SCADA
systems operate on millisecond accuracy, it is particularly difficult to build
security into this environment. Security will slow processes down, resulting
in performance degradation, something the plant operators find unacceptable. Despite the lack of security there are many reasons, from ease of use
(control the systems remotely) to efficiency requirements, why control
systems end up connected to outside networks. Connections happen in
myriad ways: through direct and indirect connections to the Internet,
through communicating via other channels, such as radio signals, through
mobile devices, like an infected USB stick.81

Energy, information and communications technology (ICT), government services, and financial systems are the four enabling critical infrastructures whose disruption would cause an immediate crisis.82 My concern is
how IT-related critical infrastructures of telecommunications, the Internet,
and embedded control systems may imperil the critical infrastructures of
power grid, water, telecommunication, and the financial sector. Vulnerabilities have already been exploited to do so.

In 2000 in Australia, for example, a disgruntled ex-employee of the
company that had installed a sewage plant's control system remotely
accessed the control system of the plant using radio transmissions and his
computer. He caused a failure at the pumping station, resulting in the
release of hundreds of thousands of gallons of sewage onto a tourist
resort.83 In 2003, a contractor at the Davis-Besse nuclear power plant
bypassed the plant's firewall and connected to the network, accidentally
unleashing the Slammer worm and infecting the plant, disabling a safety
monitoring system. Fortunately the plant was shut down at the time and
no harm was done.

As these things go, the attacks did not cause huge amounts of damage.
This does not mean that such an attack could not do so. In 2007 researchers at the Department of Energy's Idaho National Laboratory demonstrated
they could access a power plant's control system through the Internet.
They ran the experiment on the lab's emulator, which is used by utilities
to check out their new software. (The emulator is connected to the Internet, but not to the actual power grid.) Included in the test were twenty-two
lines of code that power-cycled a 27-ton generator at quite short intervals.
The generator began to rock, then to smoke, and finally it exploded.84

This potential for exposure to attack, code-named "Aurora," drew immediate concern. It demonstrated serious vulnerabilities in the control system
for the power grid, a concern that had been raised multiple times by the
computer security community, but that had been denied by executives of
the electric companies, who claimed that the systems were secure.85 An
attack that requires insider access or the ability to skirt a corporate or
government firewall is easier to defend against than one that can be
mounted by anyone with Internet access. "Anyone" is a misnomer here;
the Aurora attack was not easy to mount, and a script kiddie or simple
hacker would not be able to do it. But the situation gives rise to the question that if critical U.S. infrastructure is at risk through connectivity to IT
infrastructure, why hasn't the nation experienced devastating attacks
against its critical infrastructure? The answer is that some players lack
capability, while others lack incentive.

Some networks are highly protected. While banking and the financial
infrastructure rely heavily on electronic communications, that the SWIFT
network runs on a separate communications network makes an intrusion
more difficult to achieve and would most likely need the help of insiders.
This is not to say network-based attacks on financial institutions have
not occurred; there were two, for example, in 2008, with large financial
repercussions.

A group of criminals from St. Petersburg, Russia, and Estonia broke into
a server at the Atlanta-based RBS WorldPay card-processing company. They
took information on customer accounts: card numbers and encrypted
PINs. They were then able to decrypt the PINs, and they crafted counterfeit
debit cards for accounts on which they had raised the withdrawal limits.
"Cashiers" working for the group lifted $9 million from 21,000 ATMs in
49 cities from around the globe in a matter of hours.86 Another attack
occurred against Heartland Payment Services, a major processer of creditcard and debit-card transactions. Heartland's internal systems were penetrated and a packet sniffer placed to read records traveling between the
merchant point-of-sale devices and Heartland systems authorizing the sale.
At the time-Heartland has since changed its systems-these records were
unencrypted while in transit. Over 130 million account numbers were
compromised.87 The data was sent to servers in California, Illinois, Latvia,
the Netherlands, and the Ukraine and used to create cloned cards.88