An article from CNN’s John D. Sutter appeared Wednesday discussing a theme at this year’s Black Hat conference: the evolution of hacking from prank-like internet amusement to attacks that damage real-world infrastructure.
The article centered on a presentation given by Cofer Black, former director of the CIA’s Counterterrorism Center, describing what he sees as an impending “Code War.” Black is famous for, among other things, warning the U.S. government in August 2001 of an impending al Qaeda terrorist attack. It goes without saying that Black’s warnings should be heeded.
It’s something we’re also hearing about first-hand in customer interactions and more general software discussions with attendees at industry events – namely, protection against intrusions that may go beyond disrupting websites and web services. Instead, concern is forming around using these entry points to damage something on a more fundamental/infrastructure level that cannot be so easily remedied by shutting down a particular service.
As an extreme example, Black mentions the Stuxnet worm, discovered last year, which was designed to infiltrate Siemens’ industrial software. While theories abound as to who could have had the resources and knowledge required to create such an expensive, complicated attack (and why the attack seemed designed to target Iran and its nuclear programs in particular), Black’s larger point is that these types of attacks will become easier, cheaper and more common.
Perhaps because of the multitude of high-profile attacks that have taken place over the last 12 months, we’ve been hearing about this as an increased concern from companies in a variety of industries. It’s not that the attacks have just now become possible, but that their proliferation has transformed them from an unlikely possibility into a reality. What was once an “if” is now a “when.”
Black says that, in a way, the 9/11 attacks were a validation of sorts for his team. It is a statement that could be controversial if misinterpreted, but it is one that we can relate to here. While we’re not a tech security company, our experience has given us great insight into the often-flawed software that makes its way from development into production, and the multitude of risks that companies are exposed to as a result. Hopefully it will not take another attack on the scale of Stuxnet for this message to sink in.