Sometimes they let me out in public to talk to people and last night was one of those occasions. Last night I attended an INSA event where various security related issues were discussed. The main speaker was Admiral Mike McConnell, the former head of the NSA and former DNI, and he said something which I greatly fear is true, particularly regarding major infrastructure.

"The USA will do nothing to stop cyber attacks until a large attack against the country is successful - and at that point the government will step in and do the wrong thing"

The problem right now is that, as Ralph Langner says, the cat is out of the bag regarding cyber attacks on the controls of critical infrastructure:

I have speculated that the development of Stuxnet may have cost several million dollars, somewhere in the upper seven-digits. The next cyber weapon will be considerably cheaper, since much of the attack vector and the specifics of how to use automation equipment will simply be copied. So let's assume the next Stuxnet costs below one million dollar and is for sale on the black market (it's just a question of time). It is then that some not-so well equipped nation states and well-funded terrorists will grab their checkbooks. Let the street price drop to the five-digit region and organized crime is in. Sabotage with the motivation of extortion will get a commonplace scenario. At this time targets are no longer limited to critical infrastructure but will especially cover the private sector -- a TARGET-RICH AREA where it cannot be assumed that organizations will install countermeasures large scale in a reasonable amount of time.

I am sure this is essentially correct too. The really critical infrastructure, such as nuclear power stations, will probably be secured but many factories and industries have pipelines, storage tanks and so on that are filled with flammable, poisonous or explosive chemicals and the SCADA networks for all those thousands of devices will not be correctly secured because there is a limit to how many competent security experts there are in the world and far too much for them to do.

My guess is that if there is a major loss of life caused by an attack - and recall that we have already see lives lost as an accidental side-effect of malware - Admiral McConnell is going to be proven absolutely correct. The government(s) will over-react and try to ban things and block access and force ISPs and hosting companies to implement strict "walled gardens" of access. This is unlikely to stop a subsequent attack but will kill the freedom to innovate that has produced so much value online. It may in fact end up hampering the "white hats" who will, as a general rule, have to abide by the restrictions imposed while the criminals will, of course, not be under the same restrictions.

I would love to be proven wrong - and I hope that some of the ideas being mooted recently, such as RPZ and ThreatSTOP, end up curbing the criminals - but I'm worried that we will not be effective enough to stop all the attacks. After all part of the problem of defense is that the attackers only have to get lucky once, whereas the defenders have to be lucky 100% of the time.