Judith
Hello Everyone! This
morning on 911 we have the mysterious thriller-writer Eric Gates as our guest
on Author 911. Eric is the author of the highly acclaimed Cull Series and Outsourced,
Full Disclosure and How Not to be An Aspiring Author. His books are amazing
and so is his wealth of information about things most of us don’t know
about! So, move over Patricia Arquette,
we’ve got the real deal.
Hi Eric, many, many thanks for joining us this morning on
Author 911 to talk about cyber terrorism. Authors have been writing about this
fear for years, particularly Tom Clancy in Clear
and Present Danger, The Sum of All Fears,
and Patriot Games and you have done
extensive development with SANTA in The Cull
Series and other systems in your other books. Can you talk about them for us and how you
used information in the development of these systems? But first, for the purposes of our discussion
can you offer a definition of cyberterrorism?
Eric
Steering away from a standard dictionary definition, I think
it’s better if we turn back the clock a little and explain some of the basics. Back in the day when I first became involved
with Information Technology Security (note, we don’t say Computers as this
somewhat prophetic phrase foresaw the use of IT in many other manifestations,
some of which we now call smartphones, tablets, cars, traffic systems, hospital
systems and a long list of etcs), those who wanted unauthorized access fell
into two camps: the hackers and the crackers.
The former treated their exploits as puzzle-solving – a game mentality
pervaded and it was all about circumventing the controls over access and either
leaving a mark (Kilroy was here) or taking a copy of something to prove they
had succeeded. The cracker, on the other
hand, used the same methods but to steal information or destroy it or the
systems that managed it. They were
motivated by their beliefs or by money (industrial espionage). Cyberwarfare (the use of IT as a means to
wage war) was born more from the crackers than the hackers, although covert
cyberspying follows many of the tenets of the hacker (success is not leaving
any trace of your exploit).
As in conventional warfare, the cyber battlespace (military
term for where the war is fought) came into its own once the Internet and the
World Wide Web became prevalent. Prior
to this, to successfully ‘hack’ and target a system you had to be in the same
room as the machine or find a way to interface with that machine by introducing
code into it (Trojan Horse anyone?). This
doesn’t necessarily imply that all cyberwarfare is done by people sitting in
secure rooms behind rows and rows of computer monitors. I still recall a couple of really innovative
instances where the internal chips of photocopiers and printers were modified
to store images of everything that passed through them; then they were sold on
the Black Market to countries considered enemies. That’s cyberwarfare too.
So, where do these neat ‘hacking’ tools come from? Well, believe it or not, there’s a
supermarket of sorts. By now just about
everyone has heard of the Dark (or Deep) Web, Darth Vader’s version of the
Internet. Let’s digress a minute and
I’ll explain this. Imagine the largest
shopping mall in the World has just opened in your city. You visit it for the first time and the very
first thing you do, after walking through the doors, is consult the layout plan
which tells you where every store is and what they sell. That’s the Internet, made up of millions of
individual computers and servers full of all kinds of information and INDEXED
by the Search Engines we use every day. Now,
outside the mall, a huge chunk of the car park is taken over by a mish-mash of
stalls selling all kinds of stuff. There’s
no real order to this flea market; no easy way to locate where a given product
is being sold – in short NO INDEXING. This
is the thing that gives us that Aladdin’s Cave thrill of discovery as we wander
the aisles and encounter the unexpected.
That’s the Dark Web. Those stalls
are invisible as far as the mall’s layout plan is concerned and they use this
very factor to sell everything from drugs to weapons to… you name it. They also sell ‘hacking’ tools: bits of code
or keys that have the specific purpose to break into IT systems and to steal
and/or destroy the information held there.
And this may come as a surprise to you: our Governments shop there
too! In fact, they are one of the major
buyers on a regular basis – that’s the equivalent of an Army buying from an
Arms Dealer, so nothing new there. As a
Brit by birth living in a Spanish-speaking country, I used to be asked
frequently who won the war in the Falklands/Malvinas? My response was always the same: the French. Once the look of bewilderment settled on the
face of my questioner, I pointed out they were the ones selling weapons and
support to both sides.
Now you don’t have to be a nation state to buy stuff in this
supermarket, just know how to access the Dark Web and where the appropriate
stalls can be found. Then it’s just a
case of finance. When individuals or
terrorist cells purchase their ‘weapons’ there, that’s when you have
‘cyberterrorism’. Mainly their goals and
motivations are similar to those of the aforementioned crackers. They attack what we call Critical Infrastructures,
the backbone of our way of life. This
could be the electrical grid, power stations, communications, hospitals, and
another long list of etcs. The recent
attack on Sony was not a Critical Infrastructure attack, rather a Critical
Asset attack (in that only Sony and its competitors were affected – there was
no domino effect on US Infrastructure).
The retaliatory (?) dysfunction of the Internet on several occasions in
North Korea, however, was a Critical Infrastructure attack.
Now specifically, the IT systems I refer to in my novels are
either generic (i.e. invented by me as a device for the novel but based upon
existing technology – such as the SANTA system in ‘the CULL’ series) or real
(the systems mentioned in ‘Outsourced’, although I tasked them to
novel-specific targets). SANTA is basically a surveillance system
powered by Artificial Intelligence which allowed me to permit its ‘growth’ as
the novel series progressed – it changed in the same way as the two
protagonists changed, acquiring (revealing) new skills that helped it, and the
tale, evolve. Does SANTA exist? Probably, and that’s scary: imagine you find
yourself on a no-fly list because a computer system didn’t like the websites
you visited. If you really want to blow your mind, read Book 3 (the CULL –
Blood Feud) then follow the clues using my website as Katie’s writer friend’s
site. I’ve left a nice Easter Egg there for fans of the series… or is it?
Sorry about the long answer but it’s a complex subject and
difficult to summarize in a couple of paragraphs.
Judith
I know you have an extensive and impressive background in
information systems and information security.
Can you tell me about your experiences in this area?
Eric
For over forty years I was a Consultant specializing in IT
Security Internationally. My clients were as varied as you could imagine and
most of the projects I worked on are as classified and secret today as they
were when they were live. And yes, there have been hidden microphones, car chases,
people following, threats, and all manner of things I cannot go into – let’s
just say my martial arts skill came in handy more than once. It was exciting
work… and boring work – there never seemed to be any middle ground. I’ve broken
cryptographic systems with pencil and paper in a room full of ‘interested
parties’ in a very Agatha Christie moment, broken into systems and buildings to
test their security (got shot at once too), even jumped from one rooftop to
another between a couple of skyscrapers (not something I wish to repeat). No,
I’m not Jason Bourne! Nowadays, I just write about that stuff – it’s much
harder!
Judith
I have always heard that some of the most vulnerable areas of
attack in the US and anywhere else for that matter, would be any military
system infrastructure, the power grid, water storage defenses such as dams that
can be manipulated to cause massive flooding etc. What systems do you view as our most
vulnerable? How do you assess the risk
of cyber terrorism against the West?
Eric
Going back to my first answer, Critical Infrastructure is a
concept we have been talking about for over thirty years. It’s not a question of which is the most
vulnerable system, but which system is made most vulnerable because of the lack
of effort put into protecting it. When an army, or individual, attacks a
fortress, they will always attack the weakest point. With Critical
Infrastructure, any weak points, through the domino effect, will always lead to
indirect damage in associated systems. A simple example in your terrain,
Judith: an attack takes place on the electricity grid. This doesn’t have to be
a logic bomb; it could be something as simple as a major blackout caused by a
physical device taking out a power station (explosives or ElectroMagnetic Pulse
weapon). Result: no power. Now Judith’s hospital has Uninterrupted Power
Supplies for its critical systems, and in-house generators that kick in to
allow the hospital to keep functioning.
But, whilst management have spent millions on ensuring their tech keeps
working, no one has given any thought to maintaining communication with staff.
No power means cellphone relay towers are down, phone batteries die and cannot
be recharged. Key staff, off-site when the emergency occurs, cannot be located.
They become the critical infrastructure.
To factor in the plausibles and possibles you need
professionals with peculiar mindsets to produce effective Critical
Infrastructure Recovery and/or Disaster Recovery Plans and most organizations
do not have these people on staff as they are too specialized for most business
structures especially in times of financial crises such as we have all
experienced. This is defensive Cyberwarfare and unless your Fortress is
protected, you shouldn’t be going all-out offensive.
Judith
Wow, Eric, that example is so likely to happen someday.
Nothing good can happen in a hospital, or any complex system without
communication. Perhaps some of this content should be integrated into their
Disaster Plans and operating documents.
What are your thoughts about cyberterrorism and surveillance
systems? How are they used in counter
terrorism or terrorist activities?
Eric
There’s an on-going battle between the need to protect our
liberties and the need to retain our privacy. In all ‘business’ ventures (and
the military and Intelligence circles are just that albeit using different
terminology), exaggeration of potential threats (crying ‘wolf’) is a tried and
trusted tactic to obtain a larger share of the budget. Yet, it’s been my
experience that most of the measures undertaken happen AFTER the risk
materializes. I remember once being asked to perform a risk analysis on the
probability of a Financial Institution’s Data Centre being taken out by a flood
(it was in the basement of a building). I pointed out the flood in question had
occurred the previous month! All they were looking for was a chunk of paper to
justify a bigger budget. That’s the wrong mindset, and that’s why far more
money is allocated to FEMA (in the States) than to effective Critical
Infrastructure protection and education. There’s an old saying about an ‘ounce
of prevention’, right?
Surveillance systems are a part of our lives now. The
question isn’t, should we allow more to be installed, but how can we ensure
those who use them don’t abuse them. I remarked to my wife last week as we
watched the news from France regarding the terrorist attacks how I expected
most EU countries to announce measures to facilitate Internet surveillance by
Law Enforcement and Intelligence Agencies within two days – I was wrong: France,
the UK, and Spain announced new laws the very next day.
Will this be effective? There’s another adage called
Information Saturation (better known as not being able to see the wood for the
trees) – if the results of surveillance produce far more data than we can
process, what’s the point of adding more data gathering? Surely we should
concentrate on improving how efficiently we utilize what we have. Currently it
seems we collect info only to cover our backs when post-incident investigations
are under way.
Judith
Do you think al Qaeda, ISIS, Taliban, and other extremist
groups have the skill sets needed to damage the West? How about other areas of the world?
Eric
The concept of small cells or ‘lone wolves’ can easily be
applied to the battlespace of Cyberwarfare. Keep in mind that ‘hacking’ and
‘cracking’ predated the Internet era – don’t believe me? Look up Phone
Phreaking on Google. Remember, as long as you have the cash, the stalls of the
Dark Net are open to all.
Judith
Eric, many thanks! This information, while more than scary,
can give us many ideas in our thrill writing.
We’ll see you again soon back on Author 911.
Eric
Thanks, Judith, as always for having me!
Latest: Outsourced
What's the deadliest gift a fan could send to a
novelist? And if that fan was a professional assassin?
the CULL- Bloodline, the CULL - Bloodstone, the CULL - Blood Feud (the CULL series books 1-3)
FULL DISCLOSURE, Leaving Shadows and 2012,
and the non-fiction
How NOT to be an ASPIRING Writer
available AMAZON (paper & e-book) and bookstores worldwide.
check out Eric Gates Website to read extracts and discover the inside secrets...
follow me on Twitter: @eThrillerWriter and on my Blog http://my-thrillers.blogspot.com/