Schneier on Security
A blog covering security and security technology.
July 6, 2009
Terrorist Risk of Cloud Computing
I don't even know where to begin on this one:
As we have seen in the past with other technologies, while cloud resources will likely start out decentralized, as time goes by and economies of scale take hold, they will start to collect into mega-technology hubs. These hubs could, as the end of this cycle, number in the low single digits and carry most of the commerce and data for a nation like ours. Elsewhere, particularly in Europe, those hubs could handle several nations' public and private data.
And therein lies the risk.
The Twin Towers, which were destroyed in the 9/11 attack, took down a major portion of the U.S. infrastructure at the same time. The capability and coverage of cloud-based mega-hubs would easily dwarf hundreds of Twin Tower-like operations. Although some redundancy would likely exist -- hopefully located in places safe from disasters -- should a hub be destroyed, it could likely take down a significant portion of the country it supported at the same time.
Each hub may represent a target more attractive to terrorists than today's favored nuclear power plants.
It's only been eight years, and this author thinks that the 9/11 attacks "took down a major portion of the U.S. infrastructure." That's just plain ridiculous. I was there (in the U.S., not in New York). The government, the banks, the power system, commerce everywhere except lower Manhattan, the Internet, the water supply, the food supply, and every other part of the U.S. infrastructure I can think of worked just fine during and after the attacks. The New York Stock Exchange was up and running in a few days. Even the piece of our infrastructure that was the most disrupted -- the airplane network -- was up and running in a week. I think the author of that piece needs to travel to somewhere on the planet where major portions of the infrastructure actually get disrupted, so he can see what it's like.
No less ridiculous is the main point of the article, which seems to imply that terrorists will someday decide that disrupting people's Lands' End purchases will be more attractive than killing them. Okay, that was a caricature of the article, but not by much. Terrorism is an attack against our minds, using random death and destruction as a tactic to cause terror in everyone. To even suggest that data disruption would cause more terror than nuclear fallout completely misunderstands terrorism and terrorists.
And anyway, any e-commerce, banking, etc. site worth anything is backed up and dual-homed. There are lots of risks to our data networks, but physically blowing up a data center isn't high on the list.
Posted on July 6, 2009 at 6:12 AM
Lightning strikes sound like a more plausible threat.
And when does the cloud stop being a cloud? A few "mega servers" sounds like multiuser servers. In fact, is anything new at all with this rubbish cloud hype?
We eagerly await the comments using the argument "but I was there".
I do agree with your analysis, mostly. I think that the weak point is in apparently lumping together the goals of all potential terrorists.
This type of target will attract a Kaczynski-style Luddite type of terrorist, in contrast to the current popular terrorist profile of a middle-east Islamic anti-west type of terrorist.
I remember watching some of 9/11 at work in the UK over the Internet so some connectivity still existed (it was slow as tar but packets were getting through.)
Hopefully lessons have been learnt and more diverse routes through physically independent optical fibres are now more common.
As for "cloud computing" being new, as far as I can see it's a sensible return to the mainframe/terminal model but updated to provide the rich desktop experience that is now expected.
Enderle's already got a reputation amongst Apple followers. With this sort of writing, that same rep's going to spread to the security arena...
I suspect that "cloud computing" will happen in a big way for many people.
And because of that alone it will be a considerable target. But primarily for crackers and thieves, not really terrorists (unless state sponsored, and then it's debatable as to whether they are really terrorists or not).
Terrorists appear to have developed a distinct dislike for technology ever since a cruise missile flew down on a sat phone.
I have a feeling that as with all technology "cloud computing" will progress "as is" until it has its "Titanic" moment.
Where upon it will be re-evaluated by both the suppliers and customers, and take another step towards becoming a mature technology.
However will "cloud computing" take over big time?
I sincerely doubt it.
History tells us why.
For instance most medium to large organisations have run their "payroll" on other people's systems in the past and the majority have brought it in house as the declining cost of technology allowed.
I see "cloud computing" in the same way, initially it will enable organisations that might not otherwise be able to afford it to get access to significant resources. However once they have the taste for it they will develop more and more projects that utilize such resources.
At some point the large organisation will cross a threshold where it would be more economical to run such systems themselves or the service will become too critical etc at which point it will migrate back "inhouse" just as payroll did.
Likewise at some point medium sized organisations will do the same.
This will leave "cloud computing" to the smaller or more specialised organisations just as "co-lo" sites do today.
Economy of scale invariably brings the cost of technology down with time, and this will always cause a "tipping point" for an organisation depending on how it evaluates the value of what it does.
I don't think that the author misunderstands terrorism so much as the author wanted to combine two popular topics into a single article without much expertise on either. So, you take a contemporary paranoid view of how terrorists would like to attack everything, combine that with a new technology concept (based on an old technology concept) and BOOM, you have an article which is just as poorly written as 98% of the other articles out there.
What if someone routes critical infrastructure SCADA systems into a public cloud?
There doesn't yet seem to be a law, 'sides common sense, to stop them.
"At some point the large organisation will cross a threshold where it would be more economical to run such systems themselves or the service will become too critical etc at which point it will migrate back "inhouse" just as payroll did."
You do not help your argument by choosing payroll since I don't know of a single company that doesn't outsource this function. Most companies will outsource what makes sense - their supply chain system? Most likely not. Payroll - in a heartbeat.
Where you see a backlash against outsourcing is when companies have outsourced -everything-. Not just the systems that make sense. This is where you see companies pulling back inhouse components they deem critical.
@ Mat - yes, that's what i think too.
Cloud computing is an attractive choice for companies with fewer resources, as it's scalable, securable, and extremely cost-effective, and the information contained 'in the cloud' can be backed up just as easily as any other.
There are easier targets that will do more dramatic damage, so it seems an unlikely scenario for those who are really 'out to get us.'
Yes, the technology exists and in fact is mundane; however, seemingly few mission-critical systems/applications/services are in fact deployed in a fully redundant manner (should be active/active; active/passive is never tested, and always fails when folks switch over to it because it hasn't received proper upkeep).
Look at the recent HSBC UK outages; look at the huge payment processor outage a couple of days ago because one single DC had a problem; look at how Rackspace continue to have outages because of power issues in a Dallas, TX DC (happened for the 3rd or 4th time this past weekend). Look at the United outage over the weekend which grounded all United flights in the US. Look at the Amazon EC2/S3 outages, the Google AppEngine outages, etc., etc.
The simple fact is that everyone pays lip services to redundancy and resiliency, but they don't write their code, build/run their servers, or design/operate their networks in such a manner as to make it a reality; major high-tech Silicon Valley firms who make products and offers services to accomplish precisely this don't take advantage of their own technology and resources to accomplish true resiliency.
I call this syndrome 'The Emperor's New Cloud'.
Not even every data center in lower Manhattan went down. Some did however need to send someone to the roof to make sure the vents for the HVAC systems were clear to prevent overheating.
The author is also ignorant of how VISA processing is done today. The threat he warns of exists in our current card processing.
"You do not help your argument by choosing payroll since I don't know of a single company that doesn't outsource this function."
Sorry I did not make it clear.
Historically payroll started off outsourced, came in house again, and now as you note has been outsourced again as a different tipping point has been arrived at.
As has been noted many times history moves in cycles as does the economy.
This is what I expect to happen to "cloud computing", initially an organisation will not be able to justify the cost of the resources available in "cloud computing". However they will develop applications for it on a "time share" basis.
As time goes on the number of applications most organisations have will grow and at some point they will bring it back in house for various reasons, be it due to direct costs, indirect costs or even risk costs.
Eventually the next generation of systems will require even greater or more specialised resources (who knows: web3/virtual presence/personal gene analysis). And the cycle will repeat again. It will have a different name but it will in essence be the same cyclic effect of resource availability -v- resource cost.
Couple of points/questions:
1. Wouldn't the big North American blackouts qualify as a bigger disruption to infrastructure than the Twin Towers attack? And those were due to some dodgy monitoring equipment at a power station, nothing any terrorist did.
2. Did the author of that article somehow miss the fact that Google (and others) are busy distributing their data centres more *widely* in order to bring down average end user latency numbers? Centralising the data centre works for batch processing tasks, or tasks where users have already learned to expect delays (e.g. credit card processing). But for a lot of cloud computing, "responsiveness" is a selling point, and Google, Amazon et al are spending a lot of money on providing it.
Oh, wait, Rob Enderle. That's the bloke that was wittering on for years about how SCO was going to prevail and Linux was doomed (and getting thoroughly demolished by Pamela Jones along the way). He still gets writing gigs?
Rob Enderle has a history of blowing clouds of heated rhetoric into subjects he doesn't understand or make any effort to educate himself about. Has a knack for getting people spluttering, which is probably better for his bloviation business than actual informative journalism would be. Worth rebutting, briefly, then moving on.
On infrastructure take-downs, I remember thinking at the time of the great 1997 UPS strike, which was estimated to have bitten about $400 billion out of the economy, that if I were a terrorist wanting to hurt the U.S. I'd be better off learning to foment labor unrest than studying how to make and deliver bombs.
"Muckraker" is one of the more charitable terms one could use to describe Rob Enderle. As Carlo says, he is best rebutted as briefly as possible and then ignored.
I wonder if the original author's talk of infrastructure is a reference to the failure of Telehouse Manhattan, which at the time (IIRC) handled something like 70% of all transatlantic Internet traffic. It survived the loss of mains power on 9/11 as designed, with UPSes taking over immediately and keeping things running smoothly until the generators could be brought on line a few minutes later. It only failed a couple of days later, when the generators ran out of fuel.
All of which just goes to show that the Internet also worked as designed, re-routing traffic around the point of failure. 70% of the bandwidth may have been lost, but who noticed?
@Carlo Graziani - effectiveness of fomenting labor unrest: In 1966 in Great Britain, the then Prime Minister, Harold Wilson, announced that Communists were using the seamen's strike, and imposed a state of emergency.
Note that Wilson's government was Labor Party, i.e. more socialist than any US administration has ever been. He was nothing like a Nixon or a Reagan trying to make political capital out of anti-union sentiment. On the contrary, his party was largely funded by labor unions. Link:
Offtopic: NYTimes on Symantec vs. McAfee http://www.nytimes.com/2009/07/06/technology/...
Kind of makes me sad -- practical security is only a small part of what these companies do, especially for consumers. They scare people that don't know much about computers and they make themselves as visible as possible to sell subscriptions.
Security for consumers has to be free and "baked in" by operating system vendors, browser vendors, search engines, etc. A few malware-infected systems hurt everybody (they send a lot of our spam), and it just works better to have secure software than to have "security" sold as a loud add-on.
mr schneier, sir, you had a reason to paraphrase mr enderle as "the author" and not give us his name in your article, right?
Maybe farfetched, but consider what a week of internet outage would do to a hospital, assuming they were dependent on the cloud.
@.~.: I think it's the old formal-debate principle that the important part is the argument and its validity, not the identity of its proponent.
I agree that cloud computing is not a particular risk, but...terrorism is not all about causing terror, anymore. The new thing is systems disruption, characterized by very cheap attacks that are very expensive to their targets. For example, the Iraqi insurgency has made a practice of attacking oil pipelines. The same thing has been happening in Nigeria, to such an extent that it has significantly affected the price of oil. A recent domestic example is the cutting of fiber pipelines serving communities in California.
John Robb's "Global Guerrillas" blogs, and his recent book Brave New War, are good starting points.
What makes this sort of threat even more laughable is that cloud computing infrastructure is specifically designed to tolerate failure. When you have a cluster of > 100,000 machines, it's a given that they won't all be working 100% of the time. In fact, I remember hearing a rumor that Google doesn't even bother repairing broken machines in their data centers when they fail -- it takes too long to physically find them, so they just shut them off remotely and fix them later (if at all).
In fact, this level of failure tolerance is one of the major selling points of cloud computing. The commercial providers don't just sell computing resources: they sell highly redundant, professionally backed up and hardened computing resources.
If anything, cloud computing data centers are far more resistant to a terrorist attack than conventional servers.
The design in theory... and GOOD practice IS designed to tolerate failure... however look at Rackspace just last week.
Xero taken offline by massive US data centre failure - http://www.nbr.co.nz/article/...
Rackspace has 9 'fault tolerant' facilities around the world and yet this accounting software provider was hit by a still-unexplained, catastrophic failure.
A major Windows newsletter just reported to their subscribers that their web site went down due to a fire at the location of the hosting provider. They could have provided backup but the fire marshal shut down the emergency electricity generators and ordered an evacuation of the facility. So, does anyone think that cloud computing will do this any better? I doubt it as it will significantly raise the cost to have IDLE backups at alternative physical sites waiting for a prime site failure. Keeping costs down still seems to be the rule of the day.
Actually the twin towers falling caused a small quake in the Comcast building basement that was just across the street. The datacentre that was in it was badly damaged, and AFAIK it hosted transatlantic backbone endpoints: from the GEANT network (the European academic network) all USA locations were unroutable for a big while. But email kept on working, routed who knows where.
So, yeah, disabling a few transcontinental internet exchanges is a more plausible scenario (satellite uplinks aren't enough, both from bandwidth and latency standpoints), but they're repaired easily. Unless you start yanking at a number of transoceanic fibers at the same time (well within the economic capability of well funded groups I guess).
Another nitpick: "Although some redundancy would likely exist -- hopefully located in places safe from disasters..."
Does there exist a place in this universe that is "safe from disasters"?
Well, yeah ... anything by Enderle, filter it out, not worth your time.
I wonder if he pays them to publish him....
I used to work in WTC1 - and I further recollect the landline telephone system (even in midtown) was affected for MONTHS after 9/11.
"Hopefully lessons have been learnt and more diverse routes through physically independent optical fibres are now more common."
Never forget that economic efficiency works against resiliency, so, given enough time, SPOFs will flourish. Brittle failure is encouraged by the need for economic efficiency.
Rob Enderle is one of the idiots who supported The SCO Group enthusiastically during the first couple years of their crusade against IBM, Novell and all other Linux users.
Wow, what a monumentally stupid comparison.
When you take out a data center, it doesn't blanket the surrounding area with radioactive fallout.
Daft as the arguments made are, there is a grain of truth in them. Being in the UK, one of the first things that alerted me to what was happening on 9/11 was the sudden non-availability of large portions of the internet, which, seeing as I was an IT manager for a network-centric organisation at the time, was pretty important.
What that shows is that it is the network that is the point of vulnerability for a physical attack rather than the location of the data. It is unfortunate that with the increasing commercialisation of the internet the original ideal of a robust multipathed network has been overlooked in favour of a cheaper, more vulnerable alternative.
The danger with cloud computing is not so much the physical vulnerability of the data as its security. If anyone were to suggest to me that adopting the cloud as the principal means of storing data was a good idea, they had better check their resume was up to date. The cloud should only be used for data that one is happy to be made public, and how much of your organisation's communications, both internal and external, is that?
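Several commenters above make the same point from different angles: whether "some redundancy" survives the loss of a hub depends on the topology, not on the intentions of whoever drew it. The script below is an added example, not code from the post or from any commenter. It treats a network as a graph of sites and links, and reports every single point of failure (a node whose removal cuts off at least one pair of surviving sites) together with the pairs it cuts off. The site names and links are a constructed toy topology, not a description of any real exchange; the "NYC-Exchange" node is only there to play the role of the hub the commenters describe.

```python
"""Find single points of failure (SPOFs) in a network topology.

A node is a SPOF if removing it leaves some pair of the remaining nodes
unable to reach each other. The brute-force approach (remove each node,
re-check reachability) is O(N * pairs * edges), which is fine for the
size of topology a human would draw on a whiteboard.
"""
from collections import deque
from itertools import combinations


def build_adjacency(links):
    """Undirected adjacency map from a list of (site_a, site_b) links."""
    adjacency = {}
    for a, b in links:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    return adjacency


def _reachable(adjacency, start, removed):
    """Breadth-first search from `start`, treating `removed` nodes as gone."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adjacency[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def single_points_of_failure(links):
    """Return {node: sorted [(site, site), ...] cut off when `node` is lost}.

    An empty dict means every site survives the loss of any single node
    (a minimum bar for calling a topology 'redundant').
    """
    adjacency = build_adjacency(links)
    spofs = {}
    for node in adjacency:
        removed = {node}
        survivors = [n for n in adjacency if n != node]
        cut = []
        for a, b in combinations(survivors, 2):
            if b not in _reachable(adjacency, a, removed):
                cut.append((a, b))
        if cut:
            spofs[node] = sorted(cut)
    return spofs


# Constructed toy topology: every transatlantic path lands at one hub.
HUB_AND_SPOKE = [
    ("London", "NYC-Exchange"),
    ("Paris", "NYC-Exchange"),
    ("NYC-Exchange", "Chicago"),
    ("NYC-Exchange", "Dallas"),
    ("Chicago", "Dallas"),
]

# Same sites with a second landing point and extra ring links (constructed).
MULTIPATH = HUB_AND_SPOKE + [
    ("London", "Paris"),
    ("Paris", "Dallas"),
    ("London", "Chicago"),
]


if __name__ == "__main__":
    for name, topology in (("hub-and-spoke", HUB_AND_SPOKE), ("multipath", MULTIPATH)):
        spofs = single_points_of_failure(topology)
        print(f"{name}: {len(spofs)} single point(s) of failure")
        for node, pairs in spofs.items():
            print(f"  losing {node} cuts off {len(pairs)} site pair(s): {pairs}")
```

On the constructed hub-and-spoke topology the only SPOF is the exchange hub, and losing it isolates both European sites from everything; on the multipath variant no single node loss disconnects any pair. The check only covers single failures; a fuel-exhausted generator two days after an outage, as described above, is a second failure on top of the first, and a topology that passes this check can still fail that way.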
Laugh all you want, I'll even give a good chuckle for fun, but with today's world, and slashdot today, the risks are real.
There always are some unique issues around power control, generally.
I can crash/hang my new tv through power issues. Cellphones have some things with batteries and how power/charge and if phone works. I can crash my new sony blueray as well. ACPI systems and some hardware are not cool.
Reminds me of the Guns and Roses, Use Your Illusion, Civil war song, and "...For example to create a vacuum, then we f'll that vacuum. As popular war advances. Peace is closer."
Confused? We all should be, define terrorism and pump and dump business. The pogo stick system is falling over, for good, bad, and ugly reasons.
Sorry for repost, prior comment was cut off
@ Nomen Publicus
"I remember watching some of 9/11 at work in the UK over the Internet so some connectivity still existed (it was slow as tar but packets were getting through.)"
That was actually not connectivity but the sheer traffic with the number of people trying to get some news on the web about 9/11 - that slowed down the whole internet.
Something similar happened two weeks ago on Michael Jackson's death when his news almost took down the internet with him.
So, Bruce, what is easier: infecting one million computers with the Conficker worm, or disrupting several clusters? And which of those targets is less easy to monitor and recover?
On the other hand, it's easier to lose a war when all physical infrastructure is located at the same location. But cloud infrastructure is more virtual. Bits and bytes of databases and programs can be easily recovered to another datacenter. Maybe some difficulties in routing to this new place of the datacenter? No, no, no, routing to your server is based on digital signatures, located at each big provider.
Terrorists can expose the National Library of Congress - sorry, but this is way more fear than exposing some shit on the internet.
Pleeeeease. Give me a break.
It was surprising to read the sections Bruce quoted and not wonder if the source wasn't some sort of satirical blog. I mean :
"As we have seen in the past with other technologies, while cloud resources will likely start out decentralized, as time goes by and economies of scale take hold, they will start to collect into mega-technology hubs"
Or the infrastructure thing...
But then I opened the link and it turns out it was Rob Enderle's article! That explains everything. It seems that his business model is to make articles full of "facts" that sum up to utter nonsense. It is unbelievable guys like him still get to write articles and get paid for them...
Bruce, it's unfortunate that you didn't state in the excerpt that the author was Rob Enderle. A lot of people clicked through and gave him a page view who, being familiar with the quality of his writing, otherwise wouldn't have.
Terrorist + Risk + New Buzzword
Sigh, comments here really are just an attack on an unpopular cry-wolfer, instead of at least looking at an issue that is in the news.
Given that H1N1 can be a major issue when a bad mutation happens, and the pump and dump tsunami economy, if I was a terrorist or rogue nation, cyberwar would be a major strike. Yes, there are much cheaper, simpler, and more rewarding methods, but cyberwar has its advantages. See also, http://www.alertnet.org/thenews/newsdesk/... Note the danger of re-routing programming of pipelines, reminds me of the movie Live Free or Die Hard.
This state of denial about real risks reminds me of before 9/11.
Oddly, I get the feeling that comment handling here is geared to reflect that denial, to further make the claim of the state we are in.
"but cyberwar has its advantages"
You should watch the Ranum briefing on cyberwar. Cyberterrorism has its advantages but cyberwar can be like destroying a country while you're in it. Leaves you ultimately at a tactical disadvantage.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.