That brings back memories of going through the bowels of the Bio-sciences building to find out an exam score. If ever a building was designed by MKULTRA, it was the U of A BioScary building.
I was talking with a colleague who works in the defence communications security intelligence field this summer regarding the possible end-game for BlackBerry.
Currently, for US and Canadian government BlackBerrys, they do a scheduled production run in the US (all chips, semiconductors, etc. are produced in known secured facilities to ensure end-to-end security is maintained).
They could just do the same with either the iPhone or Android devices. Code review all software, microcode, crypto algorithms, etc. to ensure that security requirements are met and no foreign actors are slipping in anything unwanted. Alternately, they could just buy the rights to produce the BlackBerry in perpetuity.
It should work until someone jailbreaks and roots their phone to run Angry Birds, Candy Crush or other "productivity" apps.
I was referring more to EAL7 Interactive Link Data Diodes (IL-DD) as the "whatsits", but products meeting that Common Criteria spec are mind-farking expensive.
Doesn't really matter, as Stuxnet showed, sneakernet is still effective as an injection vector. What really matters is having solid incident response, disaster recovery and business continuity plans.
Security in IA (Industrial Automation) land has traditionally been isolation ("We are an island. No data comms in or out.") and physical (to keep out those pesky tool-using primates).
It doesn't help that critical infrastructure (CI) is also forklift upgraded anywhere between 10-25 years, depending upon the environment. Infosec was not even on the radar back in the day.
Things are changing for the better, but there is still a significant gap between the current state of affairs and where it should be. The big driver is knowing that CI is now going to be actively targeted in cyberwarfare operations, and governments are starting to put pressure on those companies that have important infrastructure. New controllers that are coming out will have greater security features, lock-out, etc. but it takes time for all pieces to come together (infosec standards and practices, product, regulations, engineering, etc.)
The cost of ICS (Industrial Control Systems) and IA (Industrial Automation) equipment is never cheap. When you factor in the cost per hour of downtime (or the risk) of anything of significance (oil refineries, water/waste water, electrical power generation, etc.) it is nothing short of staggering. When you factor in startup time from interrupted process, it can hit stratospheric heights in no time.
Seriously. At the last facility where I was working, an interruption to process had a downtime cost of $5M/hour, with a minimum time to restart operations at 6 hours (and that is not a large facility, for what it is worth), up to 12 hours if there were complications. So, something goes "blip" and they lose $30M-60M guaranteed.
If you are a Plant Manager, buying 10 whatsits for $10K apiece isn't a rounding error in your operations budget if your MTBF was reduced by 1% as a result.
Don't laugh. The company I currently work for is filled with Sales Engineers, most of whom have Engineering degrees and professional designations (P.Eng in Canada, P.E. in the US, etc.)
If selling product was the core focus of the company, our sales force would be nothing more than a bunch of trained monkeys with product catalogs, whereas our trained monkeys can solve differential equations as well.
It's a good role. They have the engineering know-how to solve problems, understand issues that the customer is facing, and have good social skills. They are also compensated very well.
Not every Engineer has dreams of being a desk jockey, you know.
Jus in Bello.
In the event that a cyber attack did cause collateral damage (unlikely, in this case, but maybe not for future ones), whoever is pressing the launch button better be in uniform.
Why? Military operations against actual targets are legitimate acts of military aggression. The Laws of Armed Conflict (LOAC) are the legal basis for determining whether an act is a legitimate act or a war crime.
This is why we don't prosecute fighter pilots for targeting a bus with a JDAM, that is known to be carrying Al Qaeda operatives along with their wives and children (this is a gross oversimplification, but you get the point). Civilian casualties are regrettable, but kinetic operations are not going to be shelved on that basis alone. If a civilian pulled the trigger to release that JDAM, they would be guilty of murder. Same thing applies to cyberwarfare operations.
Welcome to the future.
You want to grope me? Knock yourself out. Just be prepared for some colour commentary on my part ("Ooooh yeeaah. Cup those balls!", "How much for a happy ending?", etc.). It makes my regular business travel that much more entertaining.
However, you do not touch my children. Ever.
We recently had to go on a family vacation, and were randomly selected for an enhanced security screening. The agents wanted to pat down our two children, and we flat out refused. They insisted, and the TSA agents' delivery tone was the standard issue "You are going to do as we say, Citizen" intonation that law enforcement officers are coached in, but I'm immune to it after having spent my early life in the military.
I slowly, clearly and forcefully replied, "Listen very carefully. If you lay a hand on any one of my children, I will have you arrested for sexually assaulting a minor. Do not touch them. You do not have our permission."
One scoffed: "Sir, we have to subject them to a pat down."
"Wrong. Officer?" (waving to get the attention of a LEO that was posted in the screening area)
He walked over and matter-of-factly asked, "Sir? Is there a problem?"
"If either of these people touch my children, in any way, I will officially press charges of assault, sexual touching of a minor, and anything else that is applicable."
He genuinely perked up at this point. (He must secretly hate the TSA as much as the rest of us), "Understood, Sir." Turning to them he said, "He's not joking. I'm not joking. Don't touch their children. If you need to see what's under their clothes, the parent will disrobe them in a private screening area removed from public view. Clear?"
The TSA agents were far more cooperative and humbled after that, for some reason. We were waved through after the parents were given a good once-over, along with everything else we were toting through. But they didn't touch the kids, or ask to see them disrobed.
With the exception of the arithmetic, logarithms and trigonometry, algebra and plane geometry, not a chance in Hell.
Now, how well would a prospective applicant fare with some of today's knowledge? Introductory quantum mechanics can be taught at the high-school level. Now take someone out of the Victorian era and give them the mathematical equations and they would fail due to not having the conceptual foundation to understand it.
Hold onto your seat for the big reveal: Knowledge advances over time, but correspondingly, some knowledge is made obsolescent. How well would any of us do at knapping flint knives and spears? You might make a passable one, but not one that would qualify as a quality tool in the Paleolithic era.
Progress, folks. It's a good thing.