Long ago, 2000, and far away, in Australia, a malevolent hacker targeted the sewerage system. Courtesy of the site AssembleIt.Net, excerpted from Australia’s Hacked History
In April 2000 a man, Vitek Boden was arrested and charged with offences relating to the unlawful entry into Maroochy Shire Council’s sewerage system and environmental damage. His attack via wireless technology altered electronic data that led to malfunctions of the sewerage system. This caused a clean up cost of $13,110 and untold damage to the environment. The Crown’s case against Boden relied heavily on circumstantial evidence which exposed several areas for criticism for the defendant.
For the Queensland police it was difficult to prove that Vitek Boden was the man physically sending the data from the computer found in his possession to the systems. This is the problem with the information systems, while they allow expansive access for greater action and management from a legal perspective it provides many challenges to ensure we live in a just and free society.
For Boden in Queensland in 2001 it so happened that these challenges to the investigation were not raised until the Court of Appeals in 2002 and as a result the verdict remained virtually the same. For Boden the legal outcome may have not come in his favour but it triggered serious development in security protocols, capabilities of digital forensic investigators and improved system stability and security. Now we are 10 years on and it appears that security measures have improved greatly. Yet tracking large scale attacks that use vast arrays of Botnets don’t figure into the system security and architecture of all, they are only employed by a select few State and Corporate bodies. It is likely that we the public must suffer another breakpoint moment – where after an attack we break with our previous methods to avoid a similar circumstance. This is another example of the reason for convergence on the issue of internet governance – as technological methods and structure are constantly evolving so should our method to prevent catastrophic damage to economy’s, states and peoples.
Putting aside the evidentiary question of proving criminal responsibility – changes in technology have made some things easier to prove, and others harder . Those important questions raise a host of questions that deserve a nuanced discussion which which we won’t address here. The question is this – might it not be wiser to remove certain critical infrastructure mechanisms from networked – particularly remote and distributed networks – controls on the Internet? If they must be on geographically widespread networks, perhaps sewerage, nuclear power plants, hospital power systems, airport runway controls – perhaps they need not only virtually distinct networks, but at a minimum, physically distinct networks – separate fiber optical cables, perhaps in separate underground channels? By accident, negligence, or deliberate attack, having everything on one network, vulnerable to widespread simultaneous failure can create outcomes not easily remedied – and sometimes not quickly detected.
To give a simple example, redirecting a fraction of untreated waste water into a drinking water system could create a health crisis whose existence might take us days to identify, the cause another week, and once identified, we’d likely be able to reset all the valves and pipes to their proper configuration in a matter of hours.
The principles of distributed networks and redundancy – entirely sensible for communications systems – may, when it comes to critical physical infrastructure – be inferior to human beings, guard dogs, fences – and sometimes other “old” tech (the French use geese as part of the perimeter security at nuclear plants, geese being prone to rudeness to strangers, noisy, and hard to shut up. Like New Yorkers, actually, but with feathers).