The Internet Isn't 'Critical Infrastructure'
from the cyber-hysteria dept
A new report (PDF, via Slashdot), by a security analyst named Gadi Evron, analyzes the recent Estonian "cyber-attacks" and makes recommendations about how to deal with such attacks in the future. While it makes some good suggestions, it also rather dramatically overstates the nature of the threat. For example: "The Estonian authorities need to revise some of their former preconceptions and define the Internet as critical infrastructure, equally strategic to national security as its electricity grid and water supply." This is rather silly. If the water supply is cut off, people can die of thirst or sanitation problems. If the electricity grid fails, it can lead to the death of old people dependent on their air conditioners or medical devices. If the Internet fails, it's a big headache for a lot of people, but it's unlikely to be a life-threatening emergency.
The report points out that some mission-critical activities, including voting and banking, are carried out via the Internet in some places. But to the extent that that's true, the lesson of the Estonian attacks isn't that the Internet is "critical infrastructure" on par with electricity and water, but that it's stupid to build "critical infrastructure" on top of the public Internet. There's a reason that banks maintain dedicated infrastructure for financial transactions, that the power grid has a dedicated communications infrastructure, and that computer security experts are all but unanimous that Internet voting is a bad idea. The Internet's architecture is optimized to be cheap and ubiquitous; such a network is never going to be perfectly secure or reliable. There are too many botnets, incompetent administrators, and other problems on the Internet. And so transactions that absolutely have to be done correctly and on time need to be done on a dedicated network, or at least the people doing them need to have a backup plan in case the Internet has problems.
But the report takes the opposite approach, essentially concluding that because people do important things on the Internet, the Internet needs to be treated as an essential national security asset. This reaches absurd lengths when Evron writes that because attacks often originate from botnets consisting of compromised personal computers, "personal computers need to be reprioritized and considered as critical infrastructure." He doesn't discuss what that means in any detail -- maybe they can post soldiers with automatic weapons outside peoples' home offices. Evron concedes that "the attacks in Estonia did not hurt critical infrastructure, energy, and transportation," but nevertheless insists that "an Internet-staged attack on energy could easily disrupt entire supply and distribution chains, prompting severe shortages." He never elaborates on how that would work, but if he's right, the solution is to do a better job of separating critical infrastructure from the public Internet.
Wide-scale cyber-vandalism is a real problem, and it's good to be talking about ways to respond to it more effectively. But we need to keep a sense of perspective. Launching a distributed denial-of-service attack -- even a really big one -- is nothing like conventional warfare or a terrorist attack. Terrorism and warfare lead to massive loss of life and destruction of property. Internet vandalism rarely involves more than a few hours' inconvenience and lost productivity. That's certainly something we should try to prevent, but we shouldn't blow it out of proportion.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: critical infrastructure, internet, priorities
Reader Comments
Subscribe: RSS
View by: Time | Thread
Banks maintain dedicated infrastructure?
The Internet probably isn't life-or-death critical, but it's absolutely "critical infrastructure." The business disruption if it were unavailable is significant enough to justify that label.
[ link to this | view in chronology ]
Re: Banks maintain dedicated infrastructure?
The loss of a few retail banking locations anywhere does not a critical infrastructure make.
Anything that can take down the entire North American part of the Internet would have repercussions well beyond banking or anything else. It would also be incredibly hard to do due to the size difference between Estonia and the much larger and more redundant Internet of Canada and the US.
As Tim says, the solution proposed is silly and, in this case, the cure is worse than the alleged problem.
ttfn
John
[ link to this | view in chronology ]
Re: Banks maintain dedicated infrastructure?
Never mind that most phone calls are now routed over IP networks.
[ link to this | view in chronology ]
Re: Re: Banks maintain dedicated infrastructure?
[ link to this | view in chronology ]
Timothy Lee makes sense
Seriously, good post. A tool which wasn't used by anyone just over a decade ago, which the majority (80% ?) of the population does not have access to, and most people do not know how to use, simply can not qualify as critical infrastructure.
[ link to this | view in chronology ]
Telephony, telemedicine...
Interesting that you made absolutely no mention of telephony. Isn't the phone network considered "critical infrastructure", particularly the ability to make emergency calls? To the point where government regulators are looking seriously at the growth of VoIP, to ensure that customers of such services will still be able to make emergency calls?
Another instance is the growth of telemedicine. Some are even experimenting with robotic surgery controlled remotely. Imagine if the connection went down after you had cut a blood vessel, but before you could tie it off? Not nice.
So, yes, the Internet is certainly becoming critical infrastructure, even if you don't think it is yet.
[ link to this | view in chronology ]
Re: Telephony, telemedicine...
If you're performing telesurgery over a best-effort Internet connection, you should have your medical license taken away.
[ link to this | view in chronology ]
Re: Re: Telephony, telemedicine...
Also, critical infrastructure depends on how you define it.
Is the ability of supermarkets to place re-stocking orders critical? No? What would happen if there were no food deliveries to New York city for 4 days?
[ link to this | view in chronology ]
Re: Telephony, telemedicine...
The VoIP issue around 911 calls is that people can dial 911 on VoIP but a call from say, Anchorage, to 911 is just as likely to end up in a call centre in Dallas as anything seriously delaying response time. That is the issue the regulators are looking at. Not the broader issue of how VoIP ties into the much wider telecom network.
Should a Central Office switch go down you can't make any calls anyway, 911 or otherwise. It happens. Not often but it does happen.
Telemedicine circuits are nailed down physical circuits that do not go through the Internet. That's way too slow. Not to mention the way the Internet routes a connection speed and video fidelity become an issue. So the circuits involved are dedicated and go nowhere near the Internet. The "pipe" is huge rated in GB/sec which is guaranteed. I've installed, tested and trouble shot a few of those in my time.
The telecom network and associated technologies that ride on it are not bound to or reliant on the Internet. So don't go calling the Internet "critical infrastructure" because of concerns about them. Simply put, they're different.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
all are pretty "critical" there fella ;)
[ link to this | view in chronology ]
to Lucretious
You think that the electrical grid in your country relies on Internet infrastructure to remain functional ?!
1) New Outlook worm discovered
2) Internet clogged with viagra-filled rolex replicas.
3) Holy shit, we just lost Canada
Communications ?! Most last-mile Internet communications run on existing non-dedicated infrastructure (except for fiber here and there), not the other way around. Cell voice communication is also not related to IP, neither is radio/television, etc...
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
hence the reply to my own post stating that I'm a dope ;)
[ link to this | view in chronology ]
I really should be banned from posting. ignore the last post I made.
God, what a dope i am.
[ link to this | view in chronology ]
Internet and National Security
[ link to this | view in chronology ]
Wrong!
To be honest, I know that there are plans to make the Internet a bit more critical for medical purposes. Especially for diabetics and other people who can use the Internet to upload thei bloodsugar values to their doctors so the doctor can alter their medicines appropiately. There will be plenty of medical devices that will communicate with these doctors from the patients home. Having a dedicated network to the patients home is very expensive. Keeping the patient hospitalized is also expensive. Having a patient at home with some remote devices to monitor their health is just good common sense. But only for non-critical devices at this moment since the Internet itself is non-critical.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
critical
area163, youtube.ca neutralized net.
[ link to this | view in chronology ]
Zech
[ link to this | view in chronology ]
Internet is critical
/sarcasm
Serirously though, I think you're right, internet should not be a critical infrastructure, not yet. If they actually need critical networks, it should be well out of internet reaches.
[ link to this | view in chronology ]
ARPAnet vs. Internet
If it were desirable and/or necessary to build an Internet-like network suitable for CNI, then many things would need to be revisited -- enough that I think "start over" would succinctly describe the process.
Here's an example of what I mean: take SMTP (Simple Mail Transport Protocol) as an example. SMTP is "best-effort"; there is no guarantee that your mail message will be delivered or even that you'll be notified if it isn't delivered. However, it works a sufficiently high percentage of the time that many people are convinced that it can be relied on. It can't. It shouldn't. Similar examples abound -- which has unfortunately not stopped any number of people from presuming that things are otherwise and designing/deploying services on top of them. These are failures-in-the-making, houses built on quicksand.
[ link to this | view in chronology ]
The Internet IS Critical
The claim that the internet is not critical is foolish, near-sighted, and quite frankly ABSURD.
Poorly thought out article is poorly thought out.
[ link to this | view in chronology ]
Re: The Internet IS Critical
Mind you, if any do they're looking to strangle themselves should their Internet connections go down for any reason completely unrelated to to attacks.
All of them have high speed point to point or distributed connections that they lease from Telcos or Cablecos which bypass the Internet simply because it isn't reliable enough or secure enough to rely on for critical tasks. These industries and businesses know that even if a self serving security "analyst" doesn't.
Yeah, the electrical grid is considered critical infrastructure. The telecom network is considered critical infrastructure but both go down. Blackouts occur. Switches fail.
For goodness sake, get a grip!
ttfn
John
[ link to this | view in chronology ]
Re: The Internet IS Critical
[ link to this | view in chronology ]
Re: The Internet IS Critical
Unsurprisingly, these are often the same people who whine when their faulty assumption turns out to be... faulty.
Those equipped with sufficient experience are well aware that critical communications require dedicated infrastructure designed, built and operated for that purpose, and the Internet isn't it.
[ link to this | view in chronology ]
Is too! :)
I think the Internet should be seen as part of a country's communication infrastructure (which is clearly critical), along with the phone system and any private communication networks that exist.
[ link to this | view in chronology ]
Umm... Some of y
[ link to this | view in chronology ]
I've got a simple question
The linked to report references countries that are really just starting into the Internet and their connections could easily be taken down but they don't fully rely on it yet.
[ link to this | view in chronology ]
Re: I've got a simple question
However: a sufficiently-well designed DoS attack launched from a few thousand ordinary desktop systems with sufficient network diversity would be enough to cause serious problems on the scale of "North American network". Given that there are currently at least 100 million fully-compromised systems out there (with access for sale) it's clear that the computing resources are trivially easy to acquire at modest cost...which leaves only the expertise.
And that's available as well, albeit at markedly higher cost due to its scarcity. (So why haven't we seen such an attack? Because it's not profitable. Yet.)
[ link to this | view in chronology ]
Re: Re: I've got a simple question
For example: Microsoft gets hit by DoS attacks all the time. Last I heard they were the number one target online. Not once have I noticed a problem. The trick is that routers are smart enough to block DoS attacks nowadays, servers are better suited to stand up against them, and Microsoft has several servers running the same data all around the country for just such a situation.
How would one go about taking out the "North American Network"?
[ link to this | view in chronology ]
Re: Re: Re: I've got a simple question
That's why I said "sufficiently well-designed"; simple attacks may cause local issues and may be annoying, but they're unlikely to cause large-scale problems. I'm not about to provide a how-to guide here, but I'll suggest that studious reading of traffic on NANOG, various security mailing lists, dns-ops, etc. combined with a little topological thinking will soon suggest some possibilities. (In particular: consider where attack sources are located relative to attack targets. Then think about exactly how anti-DoS mechanisms work.)
[ link to this | view in chronology ]
Actually it IS critical
[ link to this | view in chronology ]
Re: Actually it IS critical
[ link to this | view in chronology ]
RE: Re: Re: I've got a simple question
[ link to this | view in chronology ]
Internet voting
There is no technical reason why it could not be successfully implemented. There may be political, budgetary or other reasons, but a well designed system would be subject to no more or less fraud than any other electronic voting system.
That said, I still prefer paper for this sort of thing.
[ link to this | view in chronology ]
Cyber warfare exists but it is more than the Internet
Unfortunately what I see in this article is a serious misperception of what the Internet is and what war does. The Internet is inclusive of all of the world wide web hosted sites, the SCADA networks of many core infrastructures, and even your cable television at home. The Internet is an inclusive term that is all of the packet networks that are connected together.
Many people do not understand that there are different kinds of war and not all are found in the terms of kinetic (bombs & bullets) warfare. There are also trade wars, cold wars, and so much more. The totality of conflict is a spectrum from low intensity policing to nuclear war. See the Gold Water Nichols Act of 1986 for the first foray into limited scope conflict legally.
Cyber warfare can take the appearance of kinetic weapons such as when DHS released video of a generator blowing up because the phase had been changed by the SCADA system. Systems that until recently that were connected to the Internet for ease of operation. Until mid to late 1999 the central control units for the different North American Power grids were controlled through ISDN routers.
At any place you find command, control, communication, coordination, information systems you find the possibility of cyber warfare. In fact cyber warfare sits at the same nexus as all communications channels. This is consistent with the writings of Sun Tzu and knowing/spying on your enemy, It is consistent with Karl Clausewitz considerations of spying and controlling communication.
Consider that every unmanned aerial vehicle (UAV), many of the radios, telefaxes, and so much more of the general military architecture uses the different packet networks and you begin to realize the validity of the threat. Changing the targeting of a UAV would attack the very integrity of the vehicles capability.
The Estonian example is not a good example of cyber warfare. It is more like cyber hooliganism. What is a good example of conflict in cyber space is Titan Rain and other spy capers. The Estonian example exploited the availability of systems and in some cases the integrity of the message. Titan Rain though was an exploit of confidentiality. As the McCumber Cube is turned on end and the basic security services are exploited the capabilities of cyber warfare are more easily perceived.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
But this post is just a rant, you should delete it.
wbr
[ link to this | view in chronology ]
Real-life story
Also...
Shohat says "...which the majority (80% ?) of the population does not have access to, and most people do not know how to use, simply can not qualify as critical infrastructure."
The majority of people don't have access to, or know how to use military weapons, vehicles such as airplanes, trains, and ships, or fire and rescue apparatus. Does that mean they cannot qualify as critical infrastructure?
[ link to this | view in chronology ]
Re: Real-life story
No, that qualifies as getting lucky. But it doesn't sound like you learned much from it. Next time you might not be so lucky.
Do you even know what "infrastructure" means?
[ link to this | view in chronology ]
Re: Re: Real-life story
> Then your group wasn't very prepared or competent. To expect local communications systems to survive a hurricane is foolish.
We were outside of the storm strike-zone waiting to go in. The failure wasn't local, it was nearly state-wide.
We were a volunteer crew that shipped in from out-of-state. You might think that a state that faced so many hurricanes would have a more robust communications system, at least for its emergency services. You might also think it would make sense for Fire and Police to be able to talk to each other on the same radios. After 9/11 the newly formed DHS ear-marked hundreds of millions to upgrade these systems, but none of it has yet filtered down to the people who buy the radios or use them.
I wish I could say it was only Louisiana. Unfortunately most areas of the US don't have enhanced-911, and some still don't have any form of 911. There are more than a few of us in EMS that hope someday soon the internet can provide what the states and telcos haven't.
> Do you even know what "infrastructure" means?
Typically it is the public facilities and services needed to service and support development e.g. roads, electricity, sewerage, water, health and education facilities. But in the IT infrastructures we also see that it is the architectural elements, organizational support, corporate standards, methodology, data, and processes, as well as the physical hardware/network. This also applies to the Safety & Security infrastructure which is as much a logical construct as a physical one, including both fixed and mobile facilities, dispatch systems, protocols, and when they are working, communications systems. OK, so the airplanes and trains were a bit of a stretch - I was trying to make a point.
[ link to this | view in chronology ]
Real-life story
Also...
Shohat says "...which the majority (80% ?) of the population does not have access to, and most people do not know how to use, simply can not qualify as critical infrastructure."
The majority of people don't have access to, or know how to use military weapons, vehicles such as airplanes, trains, and ships, or fire and rescue apparatus. Does that mean they cannot qualify as critical infrastructure?
[ link to this | view in chronology ]
Real-life story
Also...
Shohat says "...which the majority (80% ?) of the population does not have access to, and most people do not know how to use, simply can not qualify as critical infrastructure."
The majority of people don't have access to, or know how to use military weapons, vehicles such as airplanes, trains, and ships, or fire and rescue apparatus. Does that mean they cannot qualify as critical infrastructure?
[ link to this | view in chronology ]
Submit button got stuck?
[ link to this | view in chronology ]
Submit button got stuck?
[ link to this | view in chronology ]
Submit button got stuck?
[ link to this | view in chronology ]
RE: Re: Actually it IS critical
Well, AC, your example doesn't qualify since one (1) doctor!=medical care for a large number of people. Disruption of basic utilities to millions of people, including the power to your doctor's coffee pot, does qualify.
[ link to this | view in chronology ]
Re: RE: Re: Actually it IS critical
The Internet isn't a "basic utility".
[ link to this | view in chronology ]
internet
[ link to this | view in chronology ]
[ link to this | view in chronology ]