Audio Link: Interview Featuring Dr Eric Cole | Cybersecurity and the Grid - Part 1
- January 3, 2018
- 822 views
Dr Eric Cole served as the CTO at McAfee and chief scientist at Lockheed Martin Corporation. He is the author of a handful of books, including his forthcoming book, Online Danger: Online Danger: How to Protect Yourself and Your Loved Ones from the Evil Side of the Internet, which is due for release on February 20, 2018. Dr Cole graciously went into great detail about some of the hot-button tech issues that I believe everyone should be aware of. Below is a transcript for the interview I conducted with Dr Cole a few weeks ago. Owing to the length of the interview, this article will be made into two parts. Part two will come out next week.
Ben: Hacking traffic lights and other electrical infrastructure has been a feature of some relatively recent action movies such as The Italian Job (2003) and Live Free or Die Hard (2007). In 2014, it was shown that it was indeed pretty easy to hack traffic lights. Obviously, the risks aren't just limited to traffic lights. It has also shown that satellites are also disconcertingly easy to hack. What stops a rogue actor or enemy of the state from recreating the plot from a James Bond film? Also, am I now on a CIA watchlist for asking these questions?
Dr Cole: Well, first and foremost, you have to remember in a lot of cities, traffic lights, especially, are still independent and standalone. Now, the scary part is every day and every week that passes, they are interconnecting them more and more together, and more cities are looking at ways to interconnect all of them. So, for example, if the president is in town, or a dignitary, or the fire department needs to get to a fire scene, they can actually basically clear out a route. They can draw a line on the map and all the lights can turn green to basically clear a path for them, so . . . we’re probably a few years out for all locations in cities; but, yes, that is something that’s feasible.
Now, many of these systems tend to be what we call closed systems. They do not necessarily have direct access to the internet. So, the movies are true that the general method of hacking into those systems [is] fairly straightforward, but it’s not as easy as the movies seem. Normally, you do need to get some sort of physical access to that network. But, like I said, [for] every day that passes, it’s getting easier ‘cause more of these places have wireless networks that you can use to connect and get in, and they’re actually talking about interconnecting many of these different systems to the internet, which also gets scary as they do that, ‘cause these systems are just not built for that level; they were built for ease-of-use to monitor and control traffic, not necessarily for security.
Now in the case of traffic lights, you have to ask yourself, “What would an adversary really gain?” Like, what would be the benefit of doing that? Could somebody malicious go in—like in Die Hard—and crash cars where every[thing] turns green and things like that? Yes, but what you have to remember is most of these lights, the actual lights themselves, have safety features in them, where it will not let both sides turn green at the same time. It will let both sides turn red, right? But it won't let both sides turn green, so there are actually different safety controls in there that would make it a little harder for somebody to do [that]; but, once again, if somebody really, really, really wanted to, anything with computers, they can get into. But once again, that’s really not any different than the real world. If somebody really, really wanted to physically rob a bank, they could.
Now, you might say, “No, they have all the controls.” Well, what we’ve seen in many cases in the 80s and 90s is what if somebody who has those codes, they kidnap their family? They threaten to kill their family unless they give up those codes or open it up. So, just like in the real world, there’s nothing that’s 100% secure. You just have different controls and measures in place.
Now with satellites, it’s the same thing. Satellites have many levels of control, so when you see somebody is—yes, there are some times where you can get potentially basic monitoring access to the satellites—but once again, being able to reprogram or crash a satellite—like I think it was the recent xXx movie, right? With Xander Cage, right? Where we’re going in and doing [it] that way. They basically were crashing satellites. Once again, that’s very, very, very hard to do, but remember: once those satellites are up in space, you can't physically access them, and there’s no wires, so there does have to be ways that you can get access and move or reposition those satellites in order for them to have values.
So, any time there’s an access path, one of the things I always say is: “Anything that could be used for good can be used for evil.” But, once again, there [are] many controls, many passwords, many different safety checks in place. So, always potentially feasible, but not necessarily something that’s trivial or easy to do like the movies say; but I will tell you, I periodically with my kids watch some of these older movies—I shouldn’t say older, but three, four, or five years ago—and when the movie came out, it was sort of, yeah, science fiction. And today, I'm like, “You know something? There’s a lot more reality to that, and a lot more likelihood, right?” That that is possible, because one of the things that just concerns me as a cybersecurity professional is many of these different systems—from electrical, to nuclear, to satellite, to weapons, the whole method—was they were built to be air-gapped or to be isolated; they were never meant to be interconnected to any other systems. That was their security. So, therefore, because they were based on an air-gapped conception, a lot of the other security measures weren’t as robust as they need to be.
Well, now, what are we doing? We’re deciding to interconnect these systems, which is terrifying. So, in some cases, yes, when you’re looking at water supplies, dam controls and things like that, there are some big exposures there, because we’re taking these systems that don’t have robust security because they were meant to be isolated, and we’re now starting to do some interconnection with them together. So, yes, every day, every month, every year that passes, it’s becoming easier and scarier for somebody to potentially get access.
Ben: Bitcoin is continuing to go from strength to strength. As I write this, Bitcoin has just pushed past US$9,500. Where do you see Bitcoin and other crypotcurrencies heading? How do you think making Bitcoin available for futures trading will affect the long-term value of Bitcoin? Can you see Bitcoin one day being used to pay for a hamburger at McDonalds? Where do you foresee the market cap for Bitcoin heading? What do you think of blockchain as a concept in general?
Dr Cole: Yeah, it sort of amazes me, because when—and I think it was over the last year, or two years—when a lot—and it was mainly in New York because of the financial [crisis]—but when a lot of the companies that are trading and brokering a lot of bitcoins, when many of their executives were arrested and charged with money laundering because you can use bitcoins to potentially buy weapons, buy drugs, buy guns, right? Buy anything you want with this untraceable currency. They basically said that the government—because it’s unregulated—that, you know what I mean, this was bad. These people were aiding and abetting, and they were actually arrested and put in jail, which we can have a debate, right? And, yes, that probably is legit; but if you look at the argument, cash can be used for the same thing!
So, it just cracks me up—because cash is regulated by the government, the fact that drug dealers used cash was okay, but the fact that Bitcoin was not regulated by the government and was used by drug dealers, that was bad and the people in charge of those Bitcoin companies got arrested. So it’s sort of a little bit of a double standard there in how that’s being done, so it’ll be interesting, but I'm bringing that up to say I really thought that would sort of be the end of bitcoins, ‘cause everyone is going to be afraid to set up and run that.
So I was thinking there’s new cybercurrencies coming out, and the ones that have a little more involvement with the government, a little more regulation, I was figuring would be the ones that would replace that; but, yeah, watching the numbers—and, actually, I was traveling in Saudi Arabia last week, and all the students were talking about that it went over 10,000 [dollars per bitcoin] last week. So just from the writing from the high-nines to 10,000, it’s sort of amazing. So that didn’t seem to really have any impact on it. Now, once again, the question is, “What roles are governments going to play, and are they going to continue to take that enforcement piece and not allow these folks to start up these companies on it.”
So it’ll be interesting to play out, but, no, I think cybercurrency is the future. I mean, it’s definitely where things are going, and it’s funny because I always have people going: “But, Eric, it’s just 0s and 1s; why should we trust that?” And what I’ll do is I'll hold up a twenty-dollar bill and I'll hold up a piece of paper, and I'll say: ‘Both of these are pieces of paper. Why can one let me buy a pizza, and the other one can't?’ ” It’s perceived value. That’s the only reason why money is worth anything. It’s because people perceive it to be. It’s just paper like any other paper. So, it’s the same thing with cybercurrencies—it’s perceived value. As long as people perceive it to have value, right?
Then there’s a value associated with it, and the thing we haven’t seen yet—that people are saying is impossible, but I'm a believer that everything is possible if you put enough energy and effort—is with regular dollars, people can make counterfeit bills. So, it’s counterfeit, you know, it’s illegal—we track it down. What if people figure out how to go in and make counterfeit bitcoins? Now, here’s the scary part: To make counterfeit dollars, there’s a limit in terms of the paper, the production—a high chance of getting caught every time I go to a store; so even though it’s illegal, there are still some controlling how much a single person could do. But if you’re talking a digital, untraceable currency and somebody figures out how to make a fake or counterfeit cybercurrency, they could [make] millions of millions of dollars very quick, very fast, with little chance of potentially getting caught there.
So it is sort of getting scary, and your joke: “Do you think we’ll get to a point where you could buy hamburgers with bitcoins?” You can buy a Ferrari today with bitcoins; they just announced that recently. So, once again, I don’t know if that’s a good comparison—a Ferrari versus a hamburger—but, yes, I think you’ll get to the point where you can buy food, other things like that, with bitcoins, where you basically would trade them in, and then you can get the food. Very similar to sort of the idea of a debit card, where, when you buy food, it takes it out of your account. It would sort of be a similar matter.
Now, the infrastructure for it to scale to fast-foods and restaurants and others is not there, and that’s something we would have to fix there; but, yeah, I definitely think—like I said, I don’t know if it’s bitcoins—but, definitely, cybercurrency is here to stay.