Thursday 20 June 2019

If this man wanted to blow up Dublin ... he could

The attacks on the CAO website show how vulnerable we are to cyber war, writes Bill Tyson

Extra stress was piled on tens of thousands of hopeful students this week when the CAO website was crippled in multiple cyber attacks. Over the weekend hackers flooded the site -- which allots university places -- with so much data it had to shut down.

Another attack then followed, which triggered the unrequested issuing of 22,000 new passwords to applicants.

The CAO insists that the new passwords are safe to use and it is still on track to process this year's applications.

But the way attackers, without any apparent financial motive, were able to cause such mayhem at will highlights an alarming deficiency in our national internet security.

And experts have called on the Government to urgently put in place a strategy to protect businesses and the State from damaging 'cyber attacks'.

It may sound like something from a sci-fi movie, but such attacks can include blowing up gas networks or oil refineries, taking down power supplies, destroying infrastructure and shutting down communications.

In his new book Cyber War, security expert Richard Clarke warns that terrorists can already "move money, spill oil, vent gas, blow up generators, derail trains, crash airplanes, send a platoon into an ambush or cause a missile to detonate in the wrong place".

And Clarke, who has been described as the 'counter-terrorism czar' of both the Bush and Clinton administrations is not alone in his fears.

The US military recently described cyber attacks as the biggest threats to peace since "airpower transformed the battlefields of World War Two".

The country has appointed its first senior 'cyber warfare' general days after its air force declared that 30,000 troops had been reassigned "to the frontlines of cyber warfare".

Lined up against them is a growing army of Islamic cyber-warriors, who overwhelmingly outnumber the US defenders. Militants don't even have to be computer whizzkids to join up. One website offers a user-friendly 'app' -- e-jihad -- which makes cyber attacks a doddle.

Aspiring e-jihadists download the app. They select from a list of target websites (graded as weak, medium, or strong depending on your taste) and simply click the 'attack' button.

The most an inexpert e-jihadist armed with an 'app' can do is overload these offending websites with traffic, causing it to crash.

But some of his more skillful accomplices will have the expertise to inflict a lot worse than that. Cyberspace is not just the internet; it's everything connected to it. Particularly vulnerable are networks controlling utilities such as gas and electricity supplies, which are known as SCADA systems. In Cyber Wars, Clark warns that terrorists are already capable of hacking such systems to cause explosions in the same way that they turned western technology against itself by flying planes into skyscrapers.

And it could happen here.

"If someone wanted to blow up Dublin, they could in theory try to get into the gas network and shut down an important valve," says Andy Harbison of Grant Thornton's IT forensic and investigation unit. "However, I would hope that safety mechanisms are in place to shut down the system in such an event."

But according to Brian Honan, head of the Irish Reporting and Information Security Service (IRISS), attacks on Irish businesses are occurring "on a daily basis". He says most criminals target websites to host criminal activity such as hosting a fake banking site (phishing) or spreading computer viruses that enable them to secretly control or extract information from your computer.

Honan believes that it is essential to have a national cyber security policy in place for the country's future. Otherwise, he says, the plan of Communications Minister Eamon Ryan to create 30,000 jobs in 'smart industries' is in jeopardy.

A spokesman for the minister said his department was aware of the cyber security issue and had commissioned a report last year from consultants Espion that's "being considered at an interdepartmental level".

The CAO attack was the third on that site in a matter of months. Last year our largest ISP (Internet Service Provider), Eircom, was taken down in a 'Denial Of Service' (DoS) attack -- the same type that crippled the CAO site.

To carry out this type of assault hackers rig computers to overwhelm the target site with requests for information. They can harness the power of thousands of computers to do this in networks known as 'botnets' -- without their owners' knowledge.

Honan lists a range of relatively cost-effective defences such as having the ability to add more bandwidth in an emergency (burst capacity).

Yet even with stepped-up defences there seems that little can be done against a large-scale attack.

In the world's biggest cyber battle yet -- Titan Rain -- Chinese-based hackers secretly took control of 750,000 computers in the US alone through a virus known as a Trojan horse. These computers were then used to at least partly cripple top sites by bombarding them with data. The victims included aircraft makers, military installations, NASA and the US stock exchange.

The computer owners had no clue their PC was taking part in an attack on the Pentagon -- apart perhaps from a slight loss of speed when uploading favourite photos to their Facebook page.

But why would anyone attack Ireland? Are we not thousands of miles away from the nearest conflict?

Actually, the battlefield in question nullifies Ireland's geographic remoteness. In cyberspace, al-Qaida could attack Kildare as easily as Kabul.

Cyber attack victims include Georgia, Denmark and Estonia. The attackers were never identified but each assault occurred after they had offended a more powerful nation or religion.

Danish sites were hit after newspapers there printed an offensive cartoon of Mohammed, Estonia was attacked after riling the Russians by relocating a Soviet era statue and Georgia became a casualty too in its ongoing war with Russia in 2008.

It is hard to see us getting on the wrong side of the Russians, but it's not so easy to avoid offending Islamic militants. One offensive crack from a curmudgeonly newspaper columnist could be enough to unleash an e-jihad cyber storm.

Even if we somehow manage not to offend anyone, we could still get caught in the cyber crossfire.

During the Russia-Georgia cyber war Russian government websites hosted in the US were attacked with such ferocity that all websites in the same centres were taken down.

Ireland could get sucked into a cyber war merely by hosting a website that ticks off somebody, somewhere, in the ever-more powerful, interlinked and explosively sensitive world of cyberspace.

Irish Independent

Today's news headlines, directly to your inbox every morning.

Don't Miss