Recent events have brought to light the vulnerability of our industry, and our systems in general.
Late last month, immediately following the election, numerous radio stations were hijacked and involuntarily played offensive content (Ars Technica, 2016). Though no charges were filed for the involuntary breach of compliance, one can see where this new possibility can cause caution in the radio industry.
Functioning as a privatized public utility, it is our duty as a radio station to be on hand as an emergency public alert system, and while we may have previously considered ourselves low opportunity targets, we are now made aware of the amount of harm that could be caused with a vulnerable Emergency Alert System. This has the potential to escalate from minor annoyance on an affordable entertainment medium, to a very powerful avenue for domestic terrorism.
It is our civil duty, as caretakers of these public frequencies, to prevent any conceivable threat, and implement any safeguards within our practical power.
While reading The Cuckoo’s Egg by Clifford Stoll, an autobiography that summarizes his pursuit and capture of a hacker working for the KGB in the 80’s, I was shocked at the relaxed nature concerning security that existed in the late eighties. Passwords were not only weak, but unguarded, and left openly for others to access (Stoll, 1989).
It was through these unforeseen vulnerabilities that the hacker Markus Hess was able to hop across “secure” networks across the country, including academic nuclear testing facilities in California, and Army Bases in Alabama. Our industry seems to have the same naïve outlook on security as seemed to be prevalent in the academic cyber security circles of the eighties.
Our current liabilities include antiquated operating systems, weak passwords, an open source firewall, weak wireless passwords, and accessible sites. I appreciate the convenience and retention of simple passwords, but another recent Low Power FM radio hijacking has exposed the risk of passwords under 24 characters (Radio Insight, 2016). Best practices for proper passwords have been officially updated, and we have been left behind. Also behind are our exposed servers, which still operate on Windows XP, an OS that has been officially unsupported for 3 years. Updating our infrastructure should be made an utmost priority, lest we become the next media example of improper security practices.
Security vulnerabilities aside, we should also address the physical security of our sites. Sites without gates, or gates without locks, or doors without deadbolts mean we are only a pair of bolt cutters away from the infiltration and hijacking of our signal. I recommend we start from the road forward, making reliable fortifications at every bottleneck, forcing honest folk to remain honest, and inhibit any malicious actor at every opportunity. Naturally you cannot ensure impedance, but slowing the aspiring assailant could do wonders for catching any potential perpetrator.
Of course these issues can’t be remedied without work. Many challenges face us in the arduous future, like the miles of travel we must undertake to access all of our physical sites to manually update our passwords, cataloging and inventorying our adjustments, and informing the relevant faculty of the recent revisions. While your knee-jerk reaction may be to refrain from or postpone signing off on these sorts of expensive expeditions, we should consider the recent DDoS attack on dyndns, a web address service we employ; we were lucky not to suffer any outages during the recent downtime (Dyn, 2016).
Our extensive IP facing arsenal, while convenient for the past ten years, has now become a liability we have the responsibility to address.
Going forward, our priorities need to include updating the weakest points of our infrastructure, namely the expired operating systems and the open source firewall. While pfSense is a reputable program, it may make more sense to purchase a paid firewall with consistent updates and 24-hour support. That our solution has worked well for us in the past, and has not had an accident, doesn’t mean that it will hold up in the face of a brute force attack. If a new firewall system is not in the budget, then we should at least authorize a stress test or penetration test to ascertain the capability of our defenses.
Other attempts at bolstering our defenses should include the installation of formidable gates on all of our sites, and the implementation of security cameras that we can access in the instance of emergency, ensuring we have reliable information concerning the history of our devices, and enabling us to ascertain when or whether they had been tampered with. A reliable IP camera solution could also provide us with site conditions, as it would be easy to install a weathervane in view of the camera, in order to indicate wind speed and the other various conditions at the transmitter site.
Already, I can predict your protests. We haven’t had an attack before, so what benefit would we incur by forking over all this money for hypothetically preventative measures? How much can we expect to lose were our systems to be compromised? While it is true that we are responsible for very little compliance, as we don’t deal with personally identifiable information and are therefore not liable for any fines or data breaches, any inadvertent adjustments to our systems could cost us money. If we suffer any downtime or loss in quality during an advertisement, we could be forced to refund the purchase. Furthermore, we are still paying for any potential costs to rectify the issues, while losing more money on lost advertisements until the problem is fixed. A reactive approach will not ever be considered cost effective. By spending some money in security, we could save countless thousands down the road by not falling victim to a malicious attack on our systems.
While the FCC has turned a sympathetic eye in these initial incidents, I can only imagine tolerance to travel so far, and eventually it will become the responsibility of the station to safeguard their frequencies. Beyond preventing fines, benefits would also include safer facilities and more accountability on location, with security footage increasing our conditional awareness. Not only would our facilities be immeasurably safe, by the implementation of dead bolts and vehicle deterrents, but we would also be better informed of our own facilities, with up-to-date documentation outlining every inch of our extensive networks.
If these reasons were not cause enough for a call to action, so be it. But if you agree with me, and believe more must be done to bolster our defenses, I have compiled a list of necessities that will be essential in this endeavor. As mentioned, new gates and different locks are essential. Security cameras, while pricey, will pay for themselves with one successful prosecution, and may have an effect on our insurance rates. The high dollar items would include a commercial firewall, which as our first line of defense, deserves to be an updated and supported solution.
New computers, to replace the Pentium 4 machines running Windows XP, will incur the highest cost. During my last computer audit I put the number of obsolete machines at seven; with a reasonable replacement price of 300 dollars, we are looking at around 2100 dollars in PC replacements alone. By my estimates, it will take one person two weeks of reconfiguration to implement these infrastructure upgrades, assuming of course there are no problems that require immediate attention, thereby interrupting the rollout procedure.
I believe the aforementioned methods and upgrades are our most practical preventative measures, everything that we could be expected to do to prevent unauthorized access to our precious public utility, the radio. If we were to ignore these vulnerabilities, we would be risking complete systems failure, from neglect or ignorance, from authorized or unauthorized access to our transmitters. Other foreseeable incidents include, of course, malicious attack. If we continue to operate with our same relaxed security standards, it is only a matter of time before we fall victim to someone infiltrating our system for no better reason than the ability to do so. Murphy’s Law is still applicable to computer security: if someone can break in, someone will break in.
In either instance, inadvertent incident or malicious attack, any downtime or breach of compliance would result in unwanted expenses, which runs contrary to our interests. Further neglect would result in obsolescence, so even if you remain unmoved by potential security threats, these methods serve multiple purposes, and in updating our security settings, we also update our infrastructure, allowing for more years of neglect, and postponing an inevitable crash from happening within the next few quarters.
I hope by now I have convinced you that security should be our utmost priority, and it is only a matter of time before we fall victim to the attacks that are slowly crawling up the communication food chain, and that if we were to wait and merely react once we fell prey to a malicious actor, that we will inevitably spend more in repairs than we would in prevention. I believe you will make the correct decision and authorize the expenses I have listed and recognize our duty to protect our public frequencies from the potential threats to national security I have described.
References:
Ars Technica. https://arstechnica.com/security/2017/02/unsecured-radio-transmitters-get-hacked-play-anti-trump-song/
Stoll, Clifford (1989) The Cuckoo’s Egg: Tracking a Spy Through a Maze of Computer Espionage. Doubleday.