For Americans, from almost as soon as World War II ended until around the end of the Reagan presidency, America experienced what is now known as the Cold War, a period in which Americans were in fear of nuclear threat from eastern Europe, specifically the former union of the USSR. Americans were fearful of Russia’s socialist and communist policies, as well as the fear that they could strike a nuclear attack; Russians despised Western values and democracy, and feared, too, a nuclear war. Thus, the Cold War, a war without soldiers, but threats of nuclear violence. My parents were born in the 1940s, and grew up during the Cold War, and I was born in time to see the end of the Cold War. However, a new kind of war has begun. In the late 1980s and early 1990s, the internet began to boom as a communications vehicle, no longer just for education institutions, but for businesses and private persons. Chat rooms became widely popular, and instant messaging and email because common place.
I have been a federal employee, on and off for the last 25 years and have worked for four different agencies. When September 11, 2001 happened, all Federal Agencies scrambled to put together not only physical, but technological defenses. The federal government learned quickly that of the thousands of IT Specialists they had, none of them had standard knowledge. In any given agency, IT Specialists skills were stovepiped. By stovepiping their knowledge and responsibilities, when critical execution was required, there was no standard knowledge available. As a result, many agencies, specifically the Department of Defense (DoD) and Department of Homeland Security (DHS), began a program in 2002 with final implementation by 2010 that all IT Specialists, regardless of actual job duties, would be minimally qualified in CompTIA Security+. This gives every IT Specialists in the DoD and DHS the minimum knowledge to maintain their agencies critical infrastructure.
This is vitally important because, since the end of the Cold War, the United States has been fighting a new type of war, a cyberwar. As a military spouse of an active duty Navy Chief, I have had to move across the country and back, and have worked on several military installations. As such, I have worked with and for military leaders for the past decade. I specifically and clearly remember one Marine Corps brief given where the Base General spoke; at that time, it was 2007, my husband had returned about 18 months before from one of the most dangerous areas of Iraq, and we had begun in earnest the fight in Afghanistan. The General said, the United States was currently involved in three wars, the one in Iraq, the one in Afghanistan, and a Cyberwar. He said, if we didn’t believe it, the DoD was daily fending off attacks from the Chinese, and it was getting worse every day. In addition, al Qaeda terrorists had become more advanced and figured out how to hide messages in images and transmit information electronically. But the biggest cyber threat is Asia, and specifically China.
In a congressional report release on October 8, 2012, Chinese firms Huawei Technologies and ZTE Corp. pose significant threats to U.S. national security, have strong ties to the Chinese government and military and should be avoided by U.S. business for their information technology and telecommunications business.(Clayburn, 2012)
Huawei and ZTE have grown to be leaders in the Chinese market in telecommunications and Huawei is one of the leading providers in China of 4G technology. For the U.S. government, the exponential growth of Huawei to the largest producer of telecommunications components in the world, combined with the fact that “that neither company cooperated sufficiently with the investigation”(Clayburn, 2012) has led the United States government to fear “that the Chinese government could exploit Huawei's presence on U.S. networks to intercept high level communications, gather intelligence, wage cyber war, and shut down or disrupt critical services in times of national emergency.”(Kroft, 2012) China has recently been linked to cyber attacks on the Department of Energy which includes the National Nuclear Security Administration, as well as servers at the New York Times and Wall Street Journal.(Gertz, 2013)
As a Department of Defense employee, I believe the threat is credible and reasonable. Spies who have been caught and convicted of espionage against the United States—an alarming number are spying on behalf of China. In today’s information technology age, it’s more than possible for the technology to be advanced enough for components to have embedded code that would permit remote spying and worse, theft of national secrets and the ability to take down the national infrastructure leaving us vulnerable. So, while the United States is founded on a free market system, the national interest trumps the free market; should Congress and the American people be worried, in my opinion, Yes.
Friday, November 1, 2013
Friday, February 22, 2013
Article Review: "Carhacking"
Most Americans have heard of cyber crimes and cyber security, but beyond what they hear on the news, know very little about it. Cyber crimes typically affect the average American only in terms of Personally Identifiable Information (PII) and identify theft. To that extent, many Americans are vulnerable to cyber crimes that target their social security numbers, dates of birth, et al; cyber criminals attempt to gain access to personal records, bank accounts, mortgage information, etc. I have personally had two credit cards “hacked,” in which the criminals did not gain the credit card information physically, they gained the information via some cyber means, most likely capturing the information via an online transaction conducted at another site, and then exploiting the information to make the transactions. Both hacks cost the two institutions several thousand dollars, with one being charged more than $6,500 in transactions in one day.
The article, “Carhacking” in the January/February 2013 issue of Government Executive by Aliya Sternstein, addresses a new concern in the cyber security realm. Cars today, even at the lower price range, often come standard with a wide range of multimedia and information-sharing and technology features, such as built-in CD and DVD players, UBS ports, Bluetooth systems, satellite radio systems, and wireless services such as the Ford SYNC or the OnStar system. Each of these features, while making the consumer’s drive more comfortable and enjoyable, also opens them up to potential cyber security threats.
The article references several real life examples where vehicles have been “carhacked” in recent times. In Austin, Texas in 2010, a disgruntled employee from an auto dealership remotely carhacked customer vehicles and deactivated the ignition systems. In another event, yet another disgruntled auto dealer employee “manipulated in-car systems that lock the engine when clients skip payments—essentially an alternative to repossession…he immobilized the starters and Global Positioning Systems on about 100 vehicles, leaving drivers’ parked cars stranded.” Presumably, the employee manipulated the system early to wreak havoc on the dealership, but that opens up the question about the dealership even having the system in place, and what would happen if the systems were immobilized while driving?
The article presents several other false but plausible scenarios; a Senator driving home, listening to a CD from a constituent. The CD is malicious, with code that causes the vehicle to brake suddenly while she is travelling at 60 miles per hour. In conjunction with terrorists behind her, she is killed. Another supposed scenario, an FBI agents car phone Bluetooth system is hacked into, and as the agents discuss a case in the “privacy” of the vehicle, their conversation is, in essence, bugged.
While the article indicates the chances of this occurring today are low, researchers have been able to unlock doors, deactivate starters, and have overridden various car safety systems. During one research test, they were able to disengage brakes. The National Highway Traffic Safety Administration (NHTSA), the agency responsible for motor safety, has currently released a statement that “NHTSA is aware of the potential for ‘hackers’ and other cyber security issues whenever technology is involved; however the agency is not aware of any real-world cyber security issues in vehicles.” Yet, their 2013 budget request reveals a $10 million dollar line item to study vehicle cyber risk.
Personally, I own a 2010 Ford Fusion. The vehicle has a built in CD player, Bluetooth system, Ford SYNC, and built in USB ports to sync multimedia devices. I use the Bluetooth capability on a daily basis to synchronize my Bluetooth phone, and enable hands-free phone calling (as is now the law in Pennsylvania where I live.) The Ford SYNC system periodically asks me (unprompted by myself) to run a “vehicle health report” which it sends to our email address, which we pre-programmed when we purchased the vehicle. The vehicle records tire pressure, percent of oil quality left before the next change is required, and miles until empty on gas, among other things. We use the USB ports to charge our multimedia devices, as well as to connect those devices, and our smartphones, and broadcast podcasts and internet radio streams over the Bluetooth through the car’s stereo system.
On occasion, we’ve picked up other phone conversations in our vehicle on our car Bluetooth receiver. In theory, that shouldn’t happen; you pair your device to your vehicle only. In addition, the vehicle health report runs while you drive; could that be intercepted? According to many in the car industry, the belief is legislation and regulation would be ineffective; the government would always be a step behind cyber criminals. Most believe the car industry should lead the cyber security charge. According to Ford, they are already beginning to take “cyber security precautions when assembling vehicles, including SYNC-enabled cars” as well as “simulate possible vulnerabilities during production.” The Ford SYNC now has a “built-in firewall” and also determines “which programs can be launched in car systems. Also, the vehicle control system network is separate from SYNC’s [and] software updates much be ‘code-signed’ or validated as Ford-authored to launch.”
This is all good news for consumers, who are probably all unaware of the cyber security dangers in the first place. All car manufacturers who are employing newer technology on board cars should take the lead in protecting their consumers. I believe regulation will only bog down the innovative process of car manufacturing, and car manufacturers are able to self regulate and provide the highest tech, cyber secure equipment. If they don’t, consumers won’t purchase their products.
Sternstein, A. (2013, January). Carhacking. Government Executive.
Subscribe to:
Posts (Atom)