Risk
7/9/2008
11:36 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

It's Time To Defend The U.S. Against The Ultimate Denial Of Service (DOS) Attack

Thursday, Congress will be hearing testimony on a potential attack that could shut down most every electronic device, everywhere, and render the entire U.S. power grid dysfunctional for months, if not for more than a year.

Thursday, Congress will be hearing testimony on a potential attack that could shut down most every electronic device, everywhere, and render the entire U.S. power grid dysfunctional for months, if not for more than a year.The House Armed Services Committee will be getting an earful of testimony from William R. Graham, who was President Reagan's science adviser and is the current chairman of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack.

Simply put, an Electromagnetic Pulse attack would occur when a nuclear weapon is discharged at a very high altitude. The explosion affects the ionosphere and Earth's magnetic field in such a way as to cause an electromagnetic pulse to rush down to the surface. That pulse then bakes just about every electronic device within a very wide geographic area. By some estimates, a single device detonated over Kansas could cripple the nation's entire technical infrastructure.

From the 2004 Executive Report by the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack:

Depending on the specific characteristics of the attacks, unprecedented cascading failures of our major infrastructures could result. In that event, a regional or national recovery would be long and difficult and would seriously degrade the safety and overall viability of our Nation. The primary avenues for catastrophic damage to the Nation are through our electric power infrastructure and thence into our telecommunications, energy, and other infrastructures. These, in turn, can seriously impact other important aspects of our Nation's life, including the financial system; means of getting food, water, and medical care to the citizenry; trade; and production of goods and services. The recovery of any one of the key national infrastructures is dependent on the recovery of others. The longer the outage, the more problematic and uncertain the recovery will be.

It seems to me, from a layperson's perspective on this issue, that it's not feasible to protect against widespread damage from such an attack -- it's just not economically viable to protect all electronic components. Yet, it is feasible to significantly mitigate the impact of an EMP attack by hardening key power generating facilities, switching stations, and telecommunications infrastructure -- so that much of the damage that is inflicted by an EMP explosion to the core communications and power infrastructure can be restored in a time period that is measured in days and weeks, certainly not months or more than a year.

What's increasingly of concern about the potential of a EMP attack against the critical infrastructure is how relatively cheap such an attack could be. From the same report:

What is different now is that some potential sources of EMP threats are difficult to deter -- they can be terrorist groups that have no state identity, have only one or a few weapons, and are motivated to attack the U.S. without regard for their own safety. Rogue states, such as North Korea and Iran, may also be developing the capability to pose an EMP threat to the United States, and may also be unpredictable and difficult to deter. Certain types of relatively low-yield nuclear weapons can be employed to generate potentially catastrophic EMP effects over wide geographic areas, and designs for variants of such weapons may have been illicitly trafficked for a quarter-century.

If that's the threat from North Korea and Iran, what's our risk if a significant adversary such as China or Russia decide to turn our lights out for a year?

It's been four years since Congress was warned about the real-world impact of an EMP attack. Let's hope the update from William Graham on Thursday has some news about what steps our government has taken to protect us from this threat.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.