Posted by: Greg Ness | October 6, 2019

The Digital Age Maginot Line as Foreseen by Mel Brooks

[Image: Blazing Saddles tollbooth]

Attack Vectors in the… Trillions?

The growing attack surface of the new industry 4.0 internet is a big problem. On this everyone agrees. But underneath the headlines and the frequent “patch now” warnings from firewall vendors is a more ominous reality few are talking about: the exponential vector problem.

Yes the attack surface is huge and growing. 127 new devices per second are being connected to the internet, many of them insecure by design, creating a global hacker’s superhighway. Got that. I discussed this in more detail in The Digital Cyber Security Paradox:

In 5 years there will be 75 billion devices connected to the internet, perhaps a few billion insecure and unpatchable.  An estimated 2 billion run VxWorks and perhaps a couple hundred million of those will not be patched in any reasonable length of time. – Archimedius

[Here is a great collection of IoT connectivity and market size stats from Cisco, Gartner, etc. on various aspects of the Saganesque “billions and billions” IoT estimates.]

OOPS- We’ve Gone Global

While everyone is focused on the massive, unprecedented growth in the IoT attack surface, the bigger problem is the exponential increase in attack vectors. This quiet reality is buried deep inside the WannaCry/NotPetya “oops- we’ve gone global” cyber attack. Remember when IIoT targets in Ukraine were unintended back doors into the UK health system, Maersk and FedEx? “Exponentially increasing attack vectors” is the hidden byline underneath our growing digital age cyber security malaise.

The Maginot Line, when lateral movement trumped massive security investments.

“Based on France’s experience with trench warfare during World War I, the massive Maginot Line was built in the run-up to World War II… French military experts extolled the Line as a work of genius… The line has since become a metaphor for expensive efforts that offer a false sense of security.” – Wikipedia

The Maginot Line was built based on the assumption that the next French war would be fought based on the technology of the last one. When the Germans quickly and easily conquered France, they did it by simply going around it.

Most firewalls deployed today were architected in the 1990s… when there was only one way into a network. Today there are trillions of attack vectors and growing.

Old Architectures versus New Realities

Deploy a firewall in front of each device? That would bankrupt most organizations. That is, if they could find enough skilled security pros to manage them. The new digital era problem: how old architectures address new realities. It’s complicated… and expensive… just like the Maginot Line.

A few weeks ago this came up on an episode of theCUBE, recorded after Gabe Lowy published his thought-provoking paper: Securing Critical Infrastructure Against Cyberattack. I mentioned how “we don’t even have the semblance of a Maginot Line when it comes to IIoT infrastructures. And these infrastructures offer access to critical systems in factories, hospitals, cruise ships and even power and water stations.”

An Important Realization

At the close of IIoT and Cybersecurity: Apocalypse Now or Later John calls the IIoT problem “one of the most important stories in the tech industry in a long, long time…” He’s right.

Perhaps Mel Brooks saw this futile digital age scenario coming decades ago. Imagine a toll booth sign saying “’Zero Trust’ courtesy of your firewall vendor.” Now that’s comedy, or at least tragicomedy.


See You at Torrey Pines!

On October 10 I’ll be discussing this problem further at Future in Review with Anne Hardy, Steve Fey and Derek Harp. I hope to post the panel video here in a few weeks.

Posted by: Greg Ness | September 7, 2019

The Digital Cyber Security Paradox

[Image: Digital Paradox]

Everything is Connected

In 5 years there will be 75 billion devices connected to the internet, perhaps a few billion insecure and unpatchable.  An estimated 2 billion run VxWorks and perhaps a couple hundred million of those will not be patched in any reasonable length of time.

About 200 million Internet-connected devices—some that may be controlling elevators, medical equipment, and other mission-critical systems—are vulnerable to attacks that give attackers complete control, researchers warned on Monday. – Ars Technica

Deep Asset Risk

It’s no longer just about data exfiltration but also the specter of the loss of physical control. Thanks to the overwhelming business advantage of digitalization, many organizations are creating massive, porous attack surfaces of insecure devices responsible for controlling physical infrastructure, from water, HVAC and power to medical, manufacturing and even maritime structures.

What Could Go Wrong?


The digital paradox is the inherent conflict between business advantage and deep asset exposure to bad actor control. And we’ve already seen the opening moves in the new hacker game. The lines between networks, nations and organizations are getting blurred by vanishing air gaps that once protected these devices from unseemly remote actors.

Unintended Consequences

Let’s face it, we’re emerging from the perfect Sorites Paradox scenario, where a heap of sand (the growing business value of interconnectivity) is eroded just one grain at a time by malware or remote bad actor control. Today, as billions of insecure devices connect, there is a growing, critical mass of exposure where many more grains can exit at a time.

I discussed this in more detail with Gabe Lowy, Tempered’s Bryan Skene and SiliconANGLE’s John Furrier a few weeks ago on theCUBE. You can read more about it as well at A Clear and Present Danger.

For example, attacks against critical infrastructure in Ukraine in 2017 (WannaCry and NotPetya) inadvertently spread globally and shut down hospitals, ships at sea and even distribution centers. They were among the most devastating and unintended cyber attacks of all time. OOPs.

These attacks aimed at Ukraine accidentally cut globally like a hot knife through warm butter, from network to network, nation to nation, seeping into the critical systems of some of the most well-defended companies. Read excellent coverage of NotPetya in Wired.

IT isn’t ready for IIoT

[Image: Gabe on firewalls]

The firewall vendors warn you to patch and segment, segment, segment. How many skilled security experts will it take to protect you? How many lines of code? How many ACLs? The answer: you’ll never have enough resources. See this 102 second explanation from former Wall Street infrastructure analyst Gabe Lowy on the futility of the firewall in the age of IIoT:

“So if you’re an organization moving IIOT data from your OT systems across your network into IP analytics systems or software, that’s lateral movement. Your firewall- traditional firewall, just not going to be able to handle that and protect against it…”

From Geeks and Greeks to Rolling Stones

That brings us to another insight from the ancient Greeks: the myth of Sisyphus. The firewall and segmentation problem is, at its core, a scale and resilience/availability challenge exacerbated by the direct link between skills shortages and human error in the security chain. Every step up the mountain, a step back. All the while the attack surface grows and the attack vectors proliferate.

What could go wrong?

[Image: cyber war and IIoT]

A recent theCUBE panel on IIoT and cyber war concluded that the bad guys were already in your network.  They are being held back by the threat of attacks against their own soft underbellies. But what about private players who are primarily playing defense and have no offensive countermeasures?

The digital enterprise merely connecting IIoT devices to the internet?  Do they launch attacks against bad actors or do they just pay ransom? Today I suspect they’re simply paying up or suffering the losses. Maybe they’ll take out cyber attack insurance.

The ancient Greeks took exception to rolling stones uphill. It was a notable curse.

Think you can hire and spend your way to the top with your existing security stack? Get Gabe’s paper here.

[Image: Gabe cover]


Posted by: Greg Ness | August 10, 2019

IIoT: Apocalypse Now or Later

The IIoT problem no one has been talking about, despite high profile attacks:

“The hyper-converged infrastructures we’re building because of overwhelming business advantage are putting us at an overwhelming cybersecurity disadvantage.” – Archimedius blog

Had a chance to talk about the problem with John Furrier, Bryan Skene and Gabe Lowy, the author of the recently published paper “Securing Critical Infrastructure against Cyberattack” on SiliconANGLE theCUBE this week: watch the panel on YouTube

[Image: IIoT Power Panel]

If you’re not concerned about the security risks of digitalization then you’re not paying attention. “The level of scale, porosity and risk is unprecedented…”

Right after we celebrate the birthdays of two of the most destructive cyber attacks ever launched (WannaCry and NotPetya), a disturbing VxWorks advisory is issued for billions of IoT devices, and perhaps millions of them are unpatchable. There is a simple, fundamental equation that no one seems to grasp when it comes to IT skills, resources and capabilities: IT < IIoT

It’s clear the digital era we’re being pulled into is creating a massive attack surface; and there are not enough people, training courses and/or funds to deploy another layer of traditional firewalls, access control and segmentation solutions fast enough to keep up. And the security and networking cartels would rather sell you more of the same (see below):

[Image: Archimedius Traditional Networking at Scale]

This stack is DOA for IIoT. It’s too cumbersome, complex and expensive for the digital era we’re entering (of billions of connected devices, many of which are easy targets to get inside a network). And, even worse, none of these solutions were architected for the demands of IIoT. An upcoming paper by unencumbered network infrastructure analyst Gabe Lowy spells out the critical shortcomings of the current network security stack:

Traditional firewall and VPN solutions were not architected for Industrial Internet of Things (IIoT) initiatives.  They were designed to protect against earlier generations of malware.  As such, they are no match for the IIoT threat environment.

– Gabe Lowy, “Securing Critical Infrastructure against Cyberattack” – August 2019

His five requirements (availability/resilience; scale; visibility; management; and security) will certainly stir the pot with the traditional network stack vendors. I’ll share a link to the paper in August when it’s published.

It is readily apparent the network security stack has arrived at the same place it was in the 1990s, with the advent of the firewall in response to primitive worms and viruses attacking small pockets of connected networks (what we called the information superhighway). Yet that highway was nothing compared to today’s emergent digital era.

What the New Equation Means in Terms of Risk: “We’re not in Kansas Anymore”

What’s at risk beyond the new ability to compromise physical spaces, from lighting, to water, employee/customer access, patient care and diagnosis, production lines and transportation? The basic tenets of the digital era… or some could say the tenets of western civilization itself. Hyperbole, you say? Well, read this sobering report on the prospects for cyber war based on Richard Clarke’s new book (The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats) and how this new reality levels the playing field between the “superpowers” and the isolated upstarts once solely obsessed with nuclear weapons:

In the real world, Iran does have significant offensive cyber capabilities. The barrier to entry to having a meaningful cyberwar offensive force is low. Countries that could never defeat the United States in a purely conventional military battle can pose significant asymmetric risks to us in cyberspace.

– Fast Company Editors reviewing Richard Clarke and Robert Knake’s The Fifth Domain

A new approach is needed. But first we have to realize that IT < IIoT.

The hyper-converged infrastructures we’re building because of overwhelming business advantage are putting us at an overwhelming cybersecurity disadvantage.

Future In Review: See You There?

I’ll be talking about this paradox at Future in Review on a panel entitled: IT isn’t ready for IIoT with Steve Fey, CEO of Totem Building Cybersecurity; Anne Hardy, Chief Security Officer at Join Digital; and Derek Harp, Founder of CS2AI.


The advantages of digitalization are well documented and understood, especially in health care.  Patients, for example, benefit when their doctors can access critical data by simply plugging a device into a wall jack. That wall jack typically connects to every other connected device in the hospital.  If the hospital is part of an MPLS network then the scale of access and convenience is even greater.

Patients benefit because those caring for them are more productive, more knowledgeable and faster to respond. The problem, however, is that easy access can extend beyond the wall jack to the internet.

Health Care

Digitalization can expose more critical care processes and controls to the internet and that’s a big problem.

Two years ago this week WannaCry took down hundreds of thousands of systems globally in a matter of hours, including about a third of England’s hospital trusts and 8% of the nation’s general practitioner offices. In June we’ll note the anniversary of NotPetya, one of the most devastating cyber attacks of all time. Like WannaCry, it had devastating impacts, including hospitals and clinics. And WannaCry is still out in the wild, continuing to infect computers:

In its global list of countries where WannaCry variants have been detected over the past two years, India is at the top with 727,883 WannaCry infections, followed by Indonesia (561,381), the US (430,643), Russia (356,146) and Malaysia (335,814).

– Dev Kundaliya, WannaCry remains a serious IT security threat worldwide, researchers warn, May 2019

While tens of thousands of appointments, including surgeries, were cancelled or rescheduled, no one has yet died because of a cyber attack. Hospitals are starting to realize that there are thousands of devices connected to hospitals that, if breached, could hurt or even kill someone. These include devices that deliver medication, drugs, chemotherapy and radiation.

A recent study predicted that by 2020 70% of medical devices will be running on unsupported, insecure operating systems, many of which are tied to patient care (CSO Australia):

Some 38 percent of connected devices related to patient identification and tracking systems, while 32 percent were infusion pumps, 12 percent patient monitors, 5 percent point-of-care testing, and 3 percent medication dispensing systems.

– David Braue, For breach-weary healthcare CISOs, Internet of Medical Things is yet another headache, May 2019

There are scores of vulnerable medical devices (see Melanie Evans and Peter Loftus Rattled by Cyberattacks, Hospitals Push Device Makers to Improve Security):

The Department of Homeland Security last year issued 30 advisories about cybersecurity vulnerabilities in medical devices, up from 16 the year before, according to MedCrypt, which makes security software for medical devices.

The situation is getting worse just as we commemorate the rise of powerful cyber attacks and ransomware:

Reports show that ransomware and other cyberattacks are on the rise — and health care is one of the biggest targets. Just this week, researchers in Israel announced that they’d created a computer virus capable of adding tumors into CT and MRI scans — malware designed to fool doctors into misdiagnosing high-profile patients, Kim Zetter reports for The Washington Post.

Hospitals are attractive targets because they have a shared infrastructure. Like an airport, they also have lots of third-party vendors working on the same L2 network through hundreds of VPNs, some connected directly to critical care equipment. Gift shops, vending machines, bio-medical services and laboratories can also share that same common network.

Hospitals often have no idea what’s on their network at a particular moment. They’re often using networks built incrementally over decades, and no one ever made a map. Very few have done any inventory of connected devices. And those devices can be plugged into and unplugged from the network in seconds. Many of them are running outdated and unpatched operating systems.

Around 10% of the devices on hospital networks run outdated operating systems (XP and Windows 2003, for example). Hospitals are also starting to realize that there are thousands of connected devices that, if breached, could hurt someone. These include devices that deliver medication, drugs, chemotherapy and radiation.

So as hospitals converge OT/IT infrastructure, new demands, from attack surface to vector sprawl, confront firewalls and segmentation solutions architected for quite different challenges. See Happy Birthday WannaCry.

Posted by: Greg Ness | May 16, 2019

Happy Birthday WannaCry


Microsoft released a patch update to… Windows XP? What’s up with that?

Here are highlights from Ars Technica ( Dan Goodin) augmented with recent commentary:

Microsoft is warning that the Internet could see another exploit with the magnitude of the WannaCry attack that shut down computers all over the world two years ago unless people patch a high-severity vulnerability. The software maker took the unusual step of backporting the just-released patch for Windows 2003 and XP, which haven’t been supported in four and five years, respectively.

“Exploitation of the vulnerability, as described in the advisory, would simply require someone to send specific packets over the network to a vulnerable system that has the RDP service available,” Brian Bartholomew, a senior security researcher on Kaspersky Lab’s Global Research and Analysis Team, told Ars in an email. “In the past, exploits for this service have been pretty easy to craft once the patch is reversed. My best guess is that someone will release an exploit for this in the next few days.”

A different security company, CyberX, analyzed traffic from 850 operational technology systems, which are used to manage factory production lines, gas monitoring, and other types of industrial operations. Researchers found that 53 percent of them run unsupported versions of Windows, many of which are likely affected by the just-patched vulnerability. The lack of upgrading stems from the difficulty of taking computers offline in mission-critical environments that operate continuously. Phil Neray, VP of industrial cybersecurity at Boston-based CyberX said a stop-gap measure for these companies is implementing compensating controls such as network segmentation and continuous network monitoring.
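The compensating controls Neray describes (segmentation and continuous monitoring) presume you first know which hosts are unpatchable and which ones expose RDP. As an added example, not from the post, CyberX or Ars, here is a small Python triage script that runs those two checks over a constructed device inventory and reports the share of OT hosts on out-of-support Windows, the figure CyberX put at 53 percent. The end-of-support dates are Microsoft lifecycle dates stated from memory; every host name, role and port in the inventory is made up.

```python
"""Asset-risk triage for a converged IT/OT inventory.

Added example, not from the post or from CyberX/Ars: flags hosts running a
Windows release that is past its end-of-support date and hosts listening on
the RDP ports, then reports the share of OT hosts that are unsupported.
End-of-support dates are Microsoft lifecycle dates stated from memory; the
inventory rows below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date

# End of extended support for the releases named in the post.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows server 2003": date(2015, 7, 14),
    "windows 7": date(2020, 1, 14),
    "windows server 2008": date(2020, 1, 14),
}
# Ports the BinaryEdge count quoted in the post treated as RDP.
RDP_PORTS = {3389, 3388}


@dataclass
class Host:
    name: str
    os: str
    role: str                       # "ot" (control/clinical gear) or "it"
    open_ports: set = field(default_factory=set)
    internet_exposed: bool = False  # reachable from the internet per an edge scan


def is_unsupported(os_name: str, as_of: date) -> bool:
    """True when the release has passed its end-of-support date."""
    eos = END_OF_SUPPORT.get(os_name.strip().lower())
    return eos is not None and as_of >= eos


def triage(hosts, as_of: date):
    """Return (findings, summary) for the inventory as of a given date."""
    findings = []
    ot_hosts = ot_unsupported = rdp_exposed = 0
    for h in hosts:
        issues, controls = [], []
        if h.role == "ot":
            ot_hosts += 1
        if is_unsupported(h.os, as_of):
            issues.append("unsupported-os")
            # Unpatchable host: limit who can reach it instead of waiting for a patch.
            controls.append("isolate in its own segment; allow only required peers")
            if h.role == "ot":
                ot_unsupported += 1
        if h.open_ports & RDP_PORTS:
            if h.internet_exposed:
                issues.append("rdp-internet-exposed")
                rdp_exposed += 1
            else:
                issues.append("rdp-listening")
            controls.append("block RDP at the boundary; monitor 3389/3388 flows")
        if issues:
            findings.append({"host": h.name, "role": h.role,
                             "issues": issues, "controls": controls})
    summary = {
        "hosts": len(hosts),
        "ot_hosts": ot_hosts,
        "ot_unsupported": ot_unsupported,
        "ot_unsupported_pct": round(100.0 * ot_unsupported / ot_hosts, 1) if ot_hosts else 0.0,
        "rdp_internet_exposed": rdp_exposed,
    }
    return findings, summary


# Constructed inventory: names, roles and ports are made up for this example.
SAMPLE_INVENTORY = [
    Host("hmi-01", "Windows XP", "ot", {3389}),
    Host("plc-gw-02", "Windows Server 2003", "ot", {3389, 502}, internet_exposed=True),
    Host("infusion-ctl-03", "Windows 7", "ot"),
    Host("scada-hist-04", "Windows Server 2016", "ot", {3389}),
    Host("billing-05", "Windows 10", "it", {3389}, internet_exposed=True),
    Host("fileserver-06", "Windows Server 2008", "it", {445}),
]


def run_sample(as_of_iso: str = "2019-05-16"):
    """Triage the constructed inventory as of an ISO date (default: the post date)."""
    return triage(SAMPLE_INVENTORY, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    found, stats = run_sample()
    for f in found:
        print(f"{f['host']:16} {f['role']:3} {', '.join(f['issues'])}")
        for c in f["controls"]:
            print(f"{'':20} -> {c}")
    print(stats)
```

Re-running it with a later date (for example after January 2020) moves the Windows 7 and Server 2008 hosts into the unsupported set, which is the point: the inventory has to be re-evaluated as support windows close, not audited once.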

Network Segmentation, However, Faces its Biggest Challenge: Converged Infrastructure

WannaCry and NotPetya, two of the most devastating cyber attacks of all time, have at least two things in common: 1) both were able to spread quickly around the world in hours; and 2) both spread effortlessly beyond IT assets into OT devices. They also occurred within a few weeks of each other. Yes, we’re about to celebrate the birthday of yet another devastating attack.

Network segmentation solutions have had their share of issues when it comes to deployment, especially internal political and technical challenges – see the Zero Trust Paradox. Complexity behind the firewall has escalated to such an extent that security innovation on a macro scale is almost impossible without transforming the TCP/IP stack. That’s the old news: network segmentation pain.

With OT/IT convergence, attacks like WannaCry and NotPetya have a massive global attack surface of interconnected IIoT things that have the potential for catastrophic effects:

Tod Beardsley, director of research at security firm Rapid7, said an alternate Internet scanner, BinaryEdge, shows there are an estimated 16 million endpoints exposed to the Internet on TCP ports 3389 and 3388, which are typically reserved for RDP. – Ars Technica

Traditional firewall and segmentation solutions were not architected to protect massively converged infrastructures of IoT, IIoT and IT systems. They were created in a different era of security with very different challenges. As a result, the defense in depth stack has become complex and expensive. Yet innovation outside what we used to call the perimeter continues to gather increasing levels of sophistication, from cryptocurrency ransomware to aaS delivery models.

Perhaps Wired best summarized the problem:

Recent CyberX research indicates that more than half of industrial sites run unsupported Windows machines, making them potentially vulnerable. There’s not much opportunity to test the impact of a patch on those types of systems, much less to interrupt operations to install them.

That applies to health care systems, too, where the process of updating critical software could interrupt patient care. Other businesses run specialized software that’s incompatible with more recent Windows releases; practically speaking, they’re trapped on XP. And while the best way to protect yourself from this latest vulnerability—and the countless others that now plague unsupported operating systems—is to upgrade to the latest version of Windows, cash-strapped businesses tend to prioritize other needs. – Brian Barrett


The net result: millions of devices running XP cannot be patched (in time, or perhaps ever), and the traditional security stack is already overtaxed by stack fatigue.

A major problem area is health care IIoT, where devices are integral to patient care:

Healthcare institutions are still rocking that 10-year-old Windows 7 or Windows Server 2008, putting themselves at serious risk of cybersecurity breaches, data theft, ransomware and all other kinds of nasties. – Sead Fadilpasic, ITProPortal

Happy Birthday to one of the most destructive cyber attacks of all time…

May 30 2019 update: WannaCry Still Launching 3500 Attacks/hour


Posted by: Greg Ness | May 10, 2019

The Zero Trust Paradox

Or The Zero Trust Graveyard… your choice.

I just glanced through an analyst report on “zero trust” and noted the sizable eco-system of startups and security cartel players who have all managed to join the party. After all, it’s a noble aim.  If there isn’t a way for an untrusted user, app or file, etc. to enter a TCP/IP network from the internet that would be a great thing.  A great thing indeed.

Yet startups embracing zero trust in their messaging have had little success. And I don’t think it’s because the security cartel players embracing zero trust (perhaps merely for thought leadership points) have succeeded.

What is the zero trust problem hinted at by the analyst?  Why is there a higher correlation between zero trust startups and new office space filled with old cubicles… than with hackers declaring bankruptcy?

I have a theory, inspired by conversations with security execs who’ve dabbled in the use of zero trust firewall and segmentation solutions.

[Image: Zero Trust Paradox]

The Zero Trust (Complexity) Paradox

For traditional TCP/IP-architected security solutions the security landscape (defense in depth) is so complex that anything added ends up creating more complexity than actual enforcement efficacy. In short, it’s a declining sum game, where every new investment ends up costing you more because of stack fatigue.

I’d prefer to call this zero sum scenario a zero trust paradox. Rising complexity makes it harder for innovation to have a meaningful impact. Deployment is politically and/or technically painful and protracted because of the limited “elbow room” for innovation. And security stacks are getting even more complex as IIoT devices are being added at a healthy clip.

Cities are getting poorer while hackers are getting richer. Indeed, rising complexity is more likely a hacker’s playground than an increasingly secure infrastructure.

This came out loud and clear over an incredible steak dinner with an old friend with some major security insight and responsibilities. So I won’t name him. 🙂

Is there a solution to the paradox? Yes: the transformation of the TCP/IP stack to include a new overlay layer, which should have been included in the first place.

Posted by: Greg Ness | April 24, 2019

Connecting the Dots on OT/IT Convergence

Gabe is Back

In the heady days of massive network infrastructure growth there was a single analyst who knew the vendors cold.  And all of us on the Wall Street briefing circuit knew Gabe Lowy.

Gabe didn’t waste time with small talk. On the way to the conference room he would ask you a few questions, then tell you what you were about to tell him, from your product update to your competitors’ strengths and weaknesses. And you hadn’t even fired up your laptop…

And why, you ask, is reminiscing about Gabe’s insight in the early days of enterprise networking important to cyber security for converged infrastructures?

Because he’s back, but this time unencumbered. So I was naturally interested in reading his recent post: Will Catastrophic Loss Drive OT/IT Convergence?

[Image: OT/IT Teamwork]

In addition to pointing out the inherent problems with today’s “business as usual” mindset when it comes to physical cyber risks, Gabe offered a solution. He drew an insightful parallel between the emergence of DevOps and the much-needed convergence of OT/IT, and what happens if that convergence doesn’t happen.

A common, blended organization tackling both makes the most sense. The alternative, which cannot be fixed by money or trained personnel, is a bigger deal than losing email and social security numbers…

April 25 Update: Another European manufacturer crippled by ransomware

And he promises more.  Gabe is well worth following.

Podcast: New Age Piracy

A chilling Unsolicited Response podcast on Marine Cybersecurity with a Master Mariner at Moran Cyber is a wake-up call, and not just for the risks of ships being hijacked by hackers. At about ten minutes in there is a discussion about the common control infrastructures shared by ships and hospitals, factories and office buildings.

In a nutshell, with converged infrastructure virtually any “smart” physical environment is hackable. I wrote a Tempered blog (The Stakes are Higher than Ever) in response to the podcast: “These systems control the physical environment. Whoever controls them controls virtually everything.”

Forbes: Are Smart And Sustainable Buildings An Unsolvable Equation?

Tempered CEO Jeff Hussey weighed in on the issue of convergence in Forbes as he also explained what motivated organizations to make their facilities smart. But there is a catch:

Despite the sizable number of positive business impacts IoT devices can have on businesses, many organizations have balked at the idea of deploying IoT devices and control systems, citing an overwhelming level of complexity and a lack of personnel with IoT training as their reasoning. The gap in IoT skills is a direct result of the information technology (IT) and operational technology (OT) convergence. Unfortunately, bridging that gap isn’t an easy equation. Simply adding IT staff to an OT team does not produce the correct answer. It’s back to complex mathematics again.

Connecting the Dots

OT/IT convergence needs to be a team sport.  Or else almost everyone loses.

Stakes are Higher Than Ever

Promiscuous Connectivity

The TCP/IP stack made it easy for billions of devices to connect over the internet in just a few decades, starting in the 1990s. Now we’re expecting more than 75 billion devices to be connected by 2025. Maybe TCP/IP was too good at its initial mission to ensure easy, rapid connectivity. But that’s just chapter one of the emerging cyber security problem.

Chapter two is even bigger, from both an opportunity and damage standpoint. The key to understanding the risk isn’t to quantify it in terms of more infected computers but rather unauthorized control over physical environments. Bruce Schneier takes us there in his new book Click Here to Kill Everybody: “The Internet, once a virtual abstraction, can now sense and touch the physical world.”

The current defense in depth strategy, which has evolved to address stack promiscuity, has become so complex that even trivial additions to a network can drive significant increases in the operating and capital expenses required for effective defense. We call this reverse correlation (between rising complexity and declining protection) stack fatigue. This was before digitization and the “smart era.”

Digitization is Paving the New Hacker Superhighway

As organizations digitize their office buildings, factories, hospitals and even ships at sea to boost efficiency and productivity, they are exposing critical data and physical system functionality to the internet and cyber attacks. Think of the difference between taking down a hospital billing system and shutting down blood freezers, environmental or even ship controls.

A recent podcast on maritime cybersecurity, in response to an article on Threatpost about how hackers could sink a ship at sea, puts it in perspective. About ten-plus minutes in, Alex Soukhanov, Director and Master Mariner at Moran Cyber, coolly explains just how vulnerable the common control systems and sensors are in all kinds of smart facilities, floating and terrestrial. Smart water and power systems, smart assembly lines and smart navigation all use common sets of smart devices for managing critical systems.

These systems control the physical environment. Whoever controls them controls virtually everything.

Digitization is accelerating the convergence of OT/IT infrastructures and in turn creating a new generation of high growth and ultra-permeable attack surfaces. The proliferating attack vectors in this new converged network are increasing complexity, degrading protection and exposing mission critical systems to unauthorized access as even primitive malware can go global in a matter of days.

And this just in: “Vulnerabilities discovered in industrial equipment increased 30% in 2018”:

The number of vulnerabilities discovered in industrial control systems (ICS) grew 30% in 2018 compared to the prior year, with the share of critical or high severity vulnerabilities increasing by 17%, according to a report from Positive Technologies published Thursday.

Targeting of devices used in industrial, energy infrastructure, and manufacturing settings has increased over the past several years, as state-sponsored groups have sought to gain access to industrial systems for espionage purposes.

Indeed, the stakes are higher than ever. HIP anyone?

Posted by: Greg Ness | April 5, 2019

Will the next war be cyber?

[Image: Next War]

In 2018 I moderated a Future in Review panel on Russian cyber meddling in Ukraine. One of my comments during the panel (“What happens in Ukraine doesn’t stay in Ukraine.”) ended up making it into Newsweek only to be inadvertently validated by the Russian election interference news cycle. At the time I was referring to the IoT malware outbreaks that had spread from Ukraine to the rest of the world, not the Russian election meddling about to seize headlines for months.

Ten days later another article in Newsweek drove the issue home: UKRAINE WAS PUTIN’S TESTING GROUND FOR HIS HYBRID WAR ON THE WEST. Nolan Peterson, a conflict journalist stationed in Ukraine, had put it all together and called it a hybrid war.

Maybe it doesn’t even need to be a hybrid war. Maybe it will be a cyber war.

You don’t have to be a military history buff to understand the impact of technology on warfare, from Greek fire or even the horse and chariot in ancient times, to the role of mechanized armor in the lightning fast and virtually painless French capitulation in early WW2. The ongoing pattern of Russian “trust attacks against culture and systems” suggests the world has already entered a new era of vulnerability unlike any other. And we’re not prepared by any means.

Earlier today I listened to a timely podcast on maritime cyber security. About 10 minutes in it gets quite chilling as the discussion shifts to how easy it might be to capsize a ship and similarly attack control systems from factories to power grids. In other words, widely available knowledge is enough to threaten mayhem. While hackers would have to know how to manipulate specialized systems in some cases, control systems are fairly universal across vessel types and types of land-based smart buildings.

A recent article on health care cyber attacks similarly explored all kinds of IoT attacks, from shutting down hospitals (which has happened) to generating false findings and records. Conclusion: ships, hospitals, factories, buildings are increasingly sharing interconnected device infrastructures which can be compromised with common cyber attack skills.

What happens in Ukraine could happen anywhere else… based on the motives of the attacker.

Last month I wrote about OT/IT convergence and cyber security, or the connection of more smart devices to the Internet, the resulting attack vector sprawl, and how ill-prepared traditional IT processes and solutions are equipped to protect this new converged infrastructure.


After listening to the podcast I wondered if French military leaders watched the rise of the petroleum era and said to themselves “But that couldn’t happen here” (in French, of course), or were they merely preoccupied with what they needed in WW1? Are we in the West making the same mistake, measuring military capabilities based on past technologies and circumstances? Do we see these tests as Nolan did, as a very disruptive evolution of warfare? (BTW- Nolan is a former U.S. Air Force special operations pilot and a veteran of the wars in Afghanistan and Iraq.)

Given the capabilities of an attacker to take down infrastructure, including ships and hospitals, and bring them up again as needed, are we seeing the emergence of something much more powerful and game-changing?

e-Tron Bomb Anyone?

Remember the neutron bomb that would kill people and leave buildings intact?  How about an attack that shuts down everything “smart” and can turn it back on without having to even land on a beach or cross a physical border. If so, would the next war be cyber and end with a whimper instead of a bang, like the fast conquest of a nation with a proud military history?

Bueller, Bueller…Bueller?
