Beyond Digital Mayhem

Be careful what you wish for. This week, a committee within the National Security Council issued a report calling for decisive action by the Trump administration on a set of bold Cybersecurity measures that must be put in place immediately in order to avoid a 9/11-level cyber-attack.

The National Infrastructure Advisory Council (NIAC) is a task force that was commissioned by the NSC to review and evaluate a long list of federal capabilities to determine actions necessary to secure critical infrastructure against targeted cyber-attacks. Critical infrastructure means dams, bridges, power grids, airports, etc.

The report confirms our contention that while the government and the private sector may have lots of appropriate technologies to defend critical systems, they have not been applied in a way that can be effective against an adversary in cyberspace. This belief is not ours exclusively. It has been demonstrated in study after study and shared by most Cybersecurity professionals in the private sector.

When you are relying on a 10-year-old technology to “protect” sensitive employee information at the Office of Personnel Management, you need look no further for the enemy.

The report defines a “narrow and fleeting window of opportunity before a watershed, 9/11-level cyber-attack to organize effectively and take bold action” and goes on to “call on the Administration to use this moment of foresight to take bold, decisive actions.”

The task force recommends establishing separate, secure networks for critical infrastructure, information-sharing through automated threat intelligence distribution, and the use of modern scanning tools and processes for periodic threat assessments. This is all solid Cyberthreat-101 stuff that should have been in place years ago.

We serve small private sector companies that have implemented all of the above with puny budgets even though all they are protecting is a few hundred employees’ social security numbers. This is not a budgetary problem.

The task force has gone so far as to recommend limited-time, outcome-based market incentives to encourage CNI (Critical Network Infrastructure) owners to invest in state-of-the-art technologies, as though the threat of a cyber-attack that will shut down a large section of the electrical grid is not sufficient incentive all by itself. In other words, it seems if we can’t get these critical network infrastructure guys to address the issue on a national security basis, maybe we should bribe them.

How about firing them all instead?

The critical infrastructure owners are all under contract with the Department of Homeland Security and all sixteen sectors fall under the shared partnership with DHS and the subordinate organizations responsible for Cybersecurity, including the Office of Cybersecurity and Communications alongside the Office of Infrastructure Protection within the National Protection and Programs Directive. Can you sort of see the problem here?

The task force is recommending experts in government alongside the sixteen electricity, finance and communications sectors to review the recommendations, chart a path forward and take decisive action. [smile] I am covering any and all even money bets of up to $100 US that nothing will happen before the next 9/11-level Cyber-attack.

So, what’s the risk level? Very high. And very real.

We saw a successful probe on our critical infrastructure in 2013 when Iranian hackers broke into the command and control system of a dam in Rye Brook, New York through a cellular modem. While the attackers would have been able to release water from behind the dam via remote access, the sluice gate had been coincidentally disconnected for maintenance at the time of the intrusion. And we have seen similar probes in the Ukraine where Russian attackers repeatedly demonstrated that they could successfully bring that nation’s infrastructure to its knees with a few keystrokes. Do you think it’s cold here in the winter? Try the Ukraine with no electricity.

Just last month, the Petya or NotPetya virus took down Eastern Europe’s national banks, state power companies and largest airports in a demonstration of the effects of a not particularly sophisticated cyber-attack on government infrastructure.

Most U.S. infrastructure is privately owned and poorly defended, and it is particularly vulnerable to cyber-attack because it relies on open-source software, third-party utilities, and interconnected networks. The ability to run maintenance systems remotely, as well as update software via the web, gives hackers all the access they need. These interconnected networks are even more tempting because they usually control operations as well, magnifying the impact of an attack.

Attacks against operations technology are different from information technology attacks because OT attacks can easily produce kinetic effects – opening flood gates, shutting down grids, destroying control circuitry.

For decades, many in the Cybersecurity community have been warning that hackers would soon make the leap beyond purely digital mayhem and start to cause real, physical damage in the world. In 2009, when our own Stuxnet malware silently accelerated a few hundred Iranian nuclear centrifuges into self-destruction, it was a preview of this new era.

“This has a whiff of August 1945,” Michael Hayden, former director of the NSA and the CIA, said in a speech. “Somebody just used a new weapon, and this weapon will not be put back in the box.”

