[BreachExchange] Who’s winning the cyber war? The squirrels, of course

Inga Goddijn inga at riskbasedsecurity.com
Tue Jan 17 15:22:29 EST 2017


http://www.kogonuso.com/2017/01/whos-winning-cyber-war-squirrels-of.html

For years, the government and security experts have warned of the looming
threat of "cyberwar" against critical infrastructure in the US and
elsewhere. Predictions of cyber attacks wreaking havoc on power grids,
financial systems, and other fundamental parts of nations' fabric have been
foretold repeatedly over the past two decades, and each round has become
more dire. The US Department of Energy declared in its Quadrennial Energy
Review
<https://energy.gov/sites/prod/files/2017/01/f34/Transforming%20the%20Nation%27s%20Electricity%20System-The%20Second%20Installment%20of%20the%20Quadrennial%20Energy%20Review--%20Full%20Report.pdf>,
just released this month, that the electrical grid in the US "faces
imminent danger from a cyber attack."

So far, however, the damage done by cyber attacks, both real (Stuxnet's
destruction of Iranian uranium enrichment centrifuges and a few brief power
outages alleged to have been caused by Russian hackers using BlackEnergy
malware) and imagined or exaggerated (the Iranian "attack" on a broken
flood control dam in Rye, New York)
<http://arstechnica.com/security/2016/03/dam-you-justice-dept-to-indict-iranians-for-probing-flood-control-network/>,
cannot begin to measure up to an even more significant
cyber-threat—squirrels.

That was the message delivered at the Shmoocon security conference on
Friday by Cris "SpaceRogue" Thomas, former member of the L0pht Heavy
Industries hacking collective and now a security researcher at Tenable. In
his presentation—entitled, "35 Years of Cyberwar: The Squirrels Are
Winning"—SpaceRogue revealed the scale of the squirrelly threat to
worldwide critical infrastructure by presenting data gathered by
CyberSquirrel1, a project that gathers information on animal-induced
infrastructure outages collected from sources on the Internet.

SpaceRogue explains why it's all about the squirrels.

Thomas sought to dispel what he called the "FUD" around cyber-attacks on
critical infrastructure, citing dire predictions from a number of sources,
including "the pre-eminent infosec expert Ted Koppel
<http://tedkoppellightsout.com/>" (whose recent book, *Lights Out*, focuses
on the vulnerability of the power grid). And with government officials such
as the Federal Energy Regulatory Commission Chairman Cheryl LaFleur
declaring that "one [successful cyber attack] is too many," SpaceRogue
likened the government's posture to the Cheney Doctrine, also known as
the "One-Percent
Doctrine <http://ronsuskind.com/books/the-one-percent-doctrine/>." As
Thomas explained, that doctrine is "if there's a one percent chance of
something occurring, we must employ 100 percent of our resources to prevent
it. This is essentially [what happened with] Iraq, and we're now applying
it to cyber and equating cyber to nukes and [mutual assured destruction].
It really doesn't work that way."

That sort of stance is made even more unnerving by the fact that many of
the cases where "cyber" has been attributed to incidents with energy
infrastructure turned out to be false alarms.

Even in the few cases where a network intrusion resulted in disruption of
the electrical grid—specifically in Ukraine, where two attacks caused power
outages—the impact was relatively brief and was comparable to outages
caused by other factors, Thomas noted.

To "counteract the ludicrousness of cyberwar claims by people at high
levels in government and industry," Thomas said, he launched
CyberSquirrel1. Inspired by a presentation
<https://jerichoattrition.wordpress.com/2013/09/02/10-greatest-squirrel-attacks-of-all-time/>
at Thotcon by Josh Corman (now the director for Cyber Statecraft at the
Atlantic Council) and Jericho of Attrition.org, SpaceRogue
started CyberSquirrel1 initially as a Twitter feed on March 19, 2013. The
account simply "collected from a Google alert for news," he said. But it
soon evolved into a much larger data gathering effort, collecting from
search engines and other Web sources to populate a spreadsheet. Jericho
joined in to enhance the data set the next year, adding more details and
events—but even so, Thomas noted that he was only catching a fraction.

Squirrels are not the only "actors" tracked by CyberSquirrel1—birds,
snakes, raccoons, rats, and martens factor in among the top animal threats
that have been captured by the project's spreadsheet. Jellyfish have even
gotten into the act, shutting down a nuclear power plant in 2013
<https://www.theguardian.com/world/2013/oct/01/jellyfish-clog-swedish-nuclear-reactor-shutdown>.
CyberSquirrel1's
data so far has tracked "over 1,700 outages, affecting nearly 5 million
people," Thomas noted. "If you consolidated them into one location, it
would basically take out the power for the San Francisco metropolitan area
for two months." Shockingly, there have even been eight deaths attributed
to animal attacks on infrastructure since the tracking began—six
caused by squirrels downing power lines that struck people on the ground.

As of January 8, even if you count the Ukraine attacks still not firmly
attributed to Russia, even frogs (with three outages) have more successful
attacks on power grids than state actors. Squirrels worldwide, however, are
the clear cyberwar leaders: 879 successful attacks against infrastructure.
There's also that swan that performed the denial of service attack on a
train
<http://metro.co.uk/2017/01/13/swan-holds-up-train-by-waddling-on-the-track-for-two-miles-6380202/>
in the UK on Friday, January 13—truly showing the breadth of the animal
kingdom's toolbox.