Beyond Digital Mayhem
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Be careful what you wish for. This week, a committee within the National Security Council issued a report calling for decisive action by the Trump administration on a set of bold Cybersecurity measures that must be put in place immediately in order to avoid a 9/11-level cyber-attack.
The National Infrastructure Advisory Council (NIAC) is a task force that was commissioned by the NSC to review and evaluate a long list of federal capabilities to determine actions necessary to secure critical infrastructure against targeted cyber-attacks. Critical infrastructure means dams, bridges, power grids, airports, etc.
The report confirms our contention that while the government and the private sector may have lots of appropriate technologies to defend critical systems, they have not been applied in a way that can be effective against an adversary in cyberspace. This belief is not ours exclusively. It has been demonstrated in study after study and shared by most Cybersecurity professionals in the private sector.
When you are relying on a 10 year old technology to “protect” sensitive employee information at the Office of Personnel Management, you need look no further for the enemy.
The report defines a “narrow and fleeting window of opportunity before a watershed, 9/11-level cyber-attack to organize effectively and take bold action” and goes on to “call on the Administration to use this moment of foresight to take bold, decisive actions.”
The task force recommends establishing separate, secure networks for critical infrastructure, information-sharing through automated threat intelligence distribution, and the use of modern scanning tools and processes for periodic threat assessments. This is all solid Cyberthreat-101 stuff that should have been in place years ago.
We serve small private sector companies that have implemented all of the above with puny budgets even though all they are protecting is a few hundred employees’ social security numbers. This is not a budgetary problem.
The task force has gone so far as to recommend limited time, outcome-based market incentives to encourage CNI (Critical Network Infrastructure) owners to invest in state-of-the-art technologies, as though the threat of a cyber-attack that will shut down a large section of the electrical grid is not sufficient incentive all by itself. In other words, it seems if we can’t get these critical network infrastructure guys to address the issue on a national security basis, maybe we should bribe them.
How about firing them all instead?
The critical infrastructure owners are all under contract with the Department of Homeland Security and all sixteen sectors fall under the shared partnership with DHS and the subordinate organizations responsible for Cybersecurity, including the Office of Cybersecurity and Communications alongside the Office of Infrastructure Protection within the National protection and Programs Directive. Can you sort of see the problem here?
The task force is recommending experts in government alongside the sixteen electricity, finance and communications sectors to review the recommendations, chart a path forward and take decisive action. [smile] I am covering any and all even money bets of up to $100 US that nothing will happen before the next 9/11-level Cyber-attack.
So, what’s the risk level? Very high. And very real.
We saw a successful probe on our critical infrastructure in 2013 when Iranian hackers broke into the command and control system of a dam in Rye Brook New York through a cellular modem. While the attackers would have been able to release water from behind the dam via remote access, the sluice gate had been coincidentally disconnected for maintenance at the time of the intrusion. And we have seen similar probes in the Ukraine where Russian attackers repeatedly demonstrated that they could successfully bring that nation’s infrastructure to its knees with a few keystrokes. Do you think it’s cold here in the winter? Try the Ukraine with no electricity.
Just last month, the Petya or NotPetya virus took down Eastern Europe’s national banks, state power companies and largest airports in a demonstration of the effects of a not particularly sophisticated cyber-attack on government infrastructure.
Most U.S. infrastructure is privately owned and poorly defended, and they are particularly vulnerable to cyber-attack because they rely on open-source software, third-party utilities, and interconnected networks. The ability to run their maintenance systems remotely, as well as update software via the web, gives hackers all the access they need. These interconnected networks are even more tempting because they usually control operations as well, magnifying the impact of an attack.
Attacks against operations technology are different than information technology attacks because OT attacks can easily produce kinetic effects – opening flood gates, shutting down grids, destroying control circuitry.
For decades, many in the Cybersecurity community have been warning that hackers would soon make the leap beyond purely digital mayhem and start to cause real, physical damage in the world. In 2009, when our own Stuxnet malware silently accelerated a few hundred Iranian nuclear centrifuges into self-destruction, it was a preview of this new era.
“This has a whiff of August 1945,” Michael Hayden, former director of the NSA and the CIA, said in a speech. “Somebody just used a new weapon, and this weapon will not be put back in the box.”