February 4, 2013 By Bill Schrier
The New York Times had the audacity to research and write a story critical of Chinese Prime Minister Wen Jiabao’s family. In return for its journalism, the Chinese government apparently unleashed a four-month long hacker attack against the Times stealing, among other data, every one of its employees’ passwords. This effort was apparently searching for the sources for the story. Ars Technica has a short, frightening, account of the hack.
And, of course, the Chinese government succeeded – would people crticial of the regime dare to talk to the New York Times now, knowing its technology can be hacked?
There are many related and frightening stories – the Wall Street Journal was attacked, a power station in the United States has been offline for three weeks due to an attack based on a USB drive, and, of course, Anonymous (or someone) has been hard at work with denial of service and web defacing attacks on banks and government agencies. Could a City, County or State government be subject to a similar attack?
A few years ago, when I was CIO in Seattle, I would have dismissed the notion out of hand.
A City government does not hold the secrets to making a nuclear weapon in its digital vaults, nor do cities have active networks of foreign spies (with the possible exception of my friends in the Big Apple) whose identity needs to be uncovered by foreign powers.
Today I feel exactly the opposite.
Cyberwar is real. Cyberwar is happening today, even as I’m writing this. And the New York Times attack is only the latest. The evidence is everywhere. Nation-states (and perhaps others) are creating malware with the express purpose of attacking other nations or private company. Stuxnet is one example, as is the malware which fried 30,000 computers at ARAMCO in Saudi Arabia. Many governments have been compromised with malware to steal money from their accounts by stealing finance officers passwords.
Why would anyone – other than a criminal botnet out to hack finances and bank accounts – target a City or County or State government?
The New York Times attack highlights the reasons clearly.
Suppose a Mayor or Governor publicly opposed allow trainloads of coal to pass through their city or state, in order to be loaded onto ships, sent to China, and used to power the Chinese electrical grid. Wouldn’t such opposition essentially constitute economic warfare and potentially provoke a cyber response?
Suppose a Mayor or County Executive, hoping to combat a rash of gun violence, initiates programs for a network of video surveillance cameras and gunshot detection technology (read: microphones) in a City. Could that provoke Anonymous or a similar organization?
Defacing a City or County website is bad. Stealing taxpayer money from government bank accounts is worse. Compromising SCADA systems to shut down a water supply or electric grid is dangerous. But we haven’t yet seen the worst potential attacks, such as bringing down a 911 telephone network or freezing a police or fire computer-aided dispatch system or perhaps crashing a public safety radio network.
And these overt acts pale by comparison to covert actions which may be occurring undetected – systematically compromising and falsifying utility bills, or hacking into and changing criminal and court records. We have no evidence such covert acts have ever occurred, but given the myriad of different levels of government and many repositories for the information, such databases must represent a juicy and lucrative target for criminal networks, Anonymous and even nation states. All these potential threats indicate cities, counties and states cannot be complacent, but rather need active cyber security programs, preferably in cooperation with other agencies.
Yes, Dorothy, a City could be hacked to its knees. Worse yet, it might not be discovered for months or even years after the act.
This Digital Communities white paper highlights discussions with IT officials in four counties that have adopted shared services models. Our aim was to learn about the obstacles these governments have faced when it comes to shared services and what it takes to overcome those roadblocks. We also spoke with several members of the IT industry who have thought long and hard about these issues. The paper offers some best practices for shared government-to-government services, but also points out challenges that government and industry still must overcome before this model gains widespread adoption.