Infrastructure resiliency is an important area of my research, and disruptions to infrastructure come from both natural and human actions. There is no need to mention the critical role computers and networks play in modern society. The disruption to the essential Colonial Pipeline oil and gas distribution system got a lot of news coverage a few weeks ago, and now the attack on the JBS food distribution company is causing disruptions and a lot of angst. Let’s look at three aspects of this: the impact of the disruptions themselves, the infrastructure security implications, and the role of both state-sponsored and freelance cybercriminals.
First, the impact of the disruptions. As with the Colonial Pipeline attacks, the JBS impacts should be transitory – but will probably end up being worse than they should be due to human behavior. Like the irrational pandemic-inspired toilet paper runs last year, there will likely be a lot of spot shortages as people change their normal buying habits, creating a temporary supply shortage. Although modern logistics methods like warehousing-in-transit have reduced the safety margin, what people don’t think about is that supplies and distribution systems have slack built in to account for disruptions – and disruptions happen all the time due to maintenance, weather, and so forth. But that is all based on normal buying habits. When you hoard or stockpile, you break that assumption, creating artificial shortages. Assuming the system is back online in the next day or so, price spikes and outages should be transient, but like disruptions from storms, may take a week or two to settle down. My guess is that if nothing breaks that shouldn’t, this will again have been a brief disruption.
As for the infrastructure implications, it’s an almost intractable problem. It takes time to develop and deploy infrastructure. Even with fixed hardware, the firmware and software that runs on it takes time to develop, test, and deploy – and of course it is the ability to do remote upgrades and software changes that is the underlying cause of the problem in the first place. If you can access it to use it, much less upgrade it, you can probably hack it. The old DoD “Orange Book” on computer security said the only secure computer was one that was unplugged with the hard drive removed. So while a lot can be done to improve security, ultimately there is no way to create a system that is both usable and completely secure against a determined, intelligent attacker. So like most things, the trick is to balance the two – maintain usability, but make it hard enough to keep out the amateurs, and have international standards, laws, and policies in place to deter and punish those who exploit system vulnerabilities.
And therein lies a key problem: governments use cybercriminals.
There is a love/hate, sometimes incestuous relationship between intelligence agencies, IT security companies, and cybercriminals. A not insignificant amount of the malware floating around was either developed, enhanced, or allowed to continue in play due to the action (or inaction) of intelligence agencies – including some well-known episodes involving US intelligence agencies. Ironically, some of the most effective malware currently in circulation goes back to a hack of the NSA and the release of their toolkit (Ars Technica link). In addition, agencies have been known to discover exploits, but because they are using them, don’t report them to operating system and software developers. IT and cyber security firms have been known to be complicit, in at least one known case not fixing a hole until after No Such Agency had finished an operation requiring the exploit. And of course the need for computer virus protection, OS upgrades, cybersecurity consulting, etc. is a profitable business.
So it was remarkably hypocritical for President Biden to say that Russia bears responsibility for the hacks because the hackers (who in both cases seem to have only been after money) happened to be based there. Of course, President Putin didn’t really help matters when he “joked” …
“Hackers are free people, like artists: (if) they are in a good mood, they (get) up in the morning and draw. So hackers, if they wake up and read that something is happening in interstate relations and if they are patriotic, then they begin to make their contribution,” Vladimir Putin said.
Of course he went on to deny that Russia was sponsoring or exploiting hacking. While there have been cyberattacks in Russia, the security services pretty much hunt the criminals down and kill them. It is clear to these guys that if you’re going to do this, do it elsewhere. I’m not advocating that kind of quick “justice”, and the tolerance of domestic criminals who keep their crime offshore is something nation-states shouldn’t do, but in fairness it is absolutely not limited to Russia; the US is infamous for it with respect to other kinds of crimes, particularly essential and profitable but environmentally damaging enterprises.
In summary, treating cybercriminals as serious, dangerous criminals, no matter where they are based or where their crimes are committed, is essential. Today one can kill with a computer by harming cyber infrastructure almost as easily as one can kill with a bomb. Therefore, as has been attempted with mixed success with nuclear weapons and biological warfare, nation-states need to put together frameworks to limit and prosecute the use of computer viruses and cyber attacks. That will be difficult – the system of international law and norms of behavior is in shambles (in no small part due to US actions over the last two decades, but that’s another story). The US, which pioneered these techniques, should take the lead in renouncing them and working with the international community to address the problem rather than hypocritically screaming about it in public all the while creating and using them in private (the US approach), or joking about it in public, making sure it doesn’t happen at home, but allowing it to occur elsewhere (the Russian approach).