Security expert Bruce Schneier has warned that cyber-extortion is on the rise, but gave the caveat that it mainly affects "fringe" industries, such as online gambling, rather than critical national infrastructure organisations.
Schneier wrote in a blog post on Tuesday that the security company he founded, Counterpane, has seen proof of attack capability followed by extortion demands — but said the attacks he had seen had not been against power companies. He wrote the blog post in response to a CIA statement, reported by security training body the Sans Institute, that a cyberattack had caused a power blackout in multiple cities in a country outside the US. The CIA also said it had evidence of blackmail demands following demonstrations of successful "intrusions through the internet".
"Cyber-extortion is certainly on the rise; we see it at Counterpane," Schneier wrote. "Primarily it's against fringe industries — online gambling, online gaming, online porn — operating offshore in countries like Bermuda and the Cayman Islands. [Cyber-extortion] is going mainstream, but this is the first I've heard of it targeting power companies."
Schneier counselled calm, saying that it was not known whether supervisory control and data acquisition (Scada) arrays, which many critical national infrastructure organisations use to control and measure systems, had been compromised.
"This CIA titbit tells us nothing about how the attacks happened," Schneier wrote. "Were they against Scada systems? Were they against general-purpose [computers] — maybe Windows machines? Insiders may have been involved, so was this a computer security vulnerability at all? We have no idea. I'd like a little bit more information before I start panicking."
Alan Paller, director of research for the Sans Institute, told ZDNet.co.uk on Tuesday that Tom Donahue — the CIA analyst who reported the attack to a Sans Institute conference a week ago — had not divulged the countries involved, nor the method of attack, nor when the attacks had occurred. However, Paller confirmed that US power companies had not been involved.
"All we know from Tom [Donahue] is that it was not US companies [that were attacked]," Paller wrote in an email exchange with ZDNet.co.uk. "The CIA is involved because Tom [Donahue] is the person responsible for the US cyberthreat analysis, and he and his management chain must have felt the risk to US companies was elevated because it had happened for real in other countries, and because the quality of security in many US utilities needs immediate and substantial improvement."