Risk
7/9/2008
11:36 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

It's Time To Defend The U.S. Against The Ultimate Denial Of Service (DOS) Attack

Thursday, Congress will be hearing testimony on a potential attack that could shut down most every electronic device, everywhere, and render the entire U.S. power grid dysfunctional for months, if not for more than a year.

Thursday, Congress will be hearing testimony on a potential attack that could shut down most every electronic device, everywhere, and render the entire U.S. power grid dysfunctional for months, if not for more than a year.The House Armed Services Committee will be getting an earful of testimony from William R. Graham, who was President Reagan's science adviser and is the current chairman of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack.

Simply put, an Electromagnetic Pulse attack would occur when a nuclear weapon is discharged at a very high altitude. The explosion affects the ionosphere and Earth's magnetic field in such a way as to cause an electromagnetic pulse to rush down to the surface. That pulse then bakes just about every electronic device within a very wide geographic area. By some estimates, a single device detonated over Kansas could cripple the nation's entire technical infrastructure.

From the 2004 Executive Report by the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack:

Depending on the specific characteristics of the attacks, unprecedented cascading failures of our major infrastructures could result. In that event, a regional or national recovery would be long and difficult and would seriously degrade the safety and overall viability of our Nation. The primary avenues for catastrophic damage to the Nation are through our electric power infrastructure and thence into our telecommunications, energy, and other infrastructures. These, in turn, can seriously impact other important aspects of our Nation's life, including the financial system; means of getting food, water, and medical care to the citizenry; trade; and production of goods and services. The recovery of any one of the key national infrastructures is dependent on the recovery of others. The longer the outage, the more problematic and uncertain the recovery will be.

It seems to me, from a layperson's perspective on this issue, that it's not feasible to protect against widespread damage from such an attack -- it's just not economically viable to protect all electronic components. Yet, it is feasible to significantly mitigate the impact of an EMP attack by hardening key power generating facilities, switching stations, and telecommunications infrastructure -- so that much of the damage that is inflicted by an EMP explosion to the core communications and power infrastructure can be restored in a time period that is measured in days and weeks, certainly not months or more than a year.

What's increasingly of concern about the potential of a EMP attack against the critical infrastructure is how relatively cheap such an attack could be. From the same report:

What is different now is that some potential sources of EMP threats are difficult to deter -- they can be terrorist groups that have no state identity, have only one or a few weapons, and are motivated to attack the U.S. without regard for their own safety. Rogue states, such as North Korea and Iran, may also be developing the capability to pose an EMP threat to the United States, and may also be unpredictable and difficult to deter. Certain types of relatively low-yield nuclear weapons can be employed to generate potentially catastrophic EMP effects over wide geographic areas, and designs for variants of such weapons may have been illicitly trafficked for a quarter-century.

If that's the threat from North Korea and Iran, what's our risk if a significant adversary such as China or Russia decide to turn our lights out for a year?

It's been four years since Congress was warned about the real-world impact of an EMP attack. Let's hope the update from William Graham on Thursday has some news about what steps our government has taken to protect us from this threat.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.