22 June 2017

Russia's new cyber weapon turns up the heat on US efforts

by Charlie Mitchell

Reports that the Russians have an advanced new cyber weapon designed to penetrate and cripple opponents' electrical grids, and perhaps other critical infrastructure, have struck a Cold War note with lawmakers. Yet, it was greeted as old news by cyber professionals. 

The weapon was used in December 2016 to temporarily bring down portions of the electrical grid in Ukraine, according to an analysis by security firm Dragos that was first reported in the Washington Post. 

Members of the Senate Armed Services Committee quizzed Defense Secretary Jim Mattis on the weapon at a hearing last week, and sources said the House and Senate homeland security and intelligence panels are taking a close look. 

The vulnerability of the electric sector has been frequently cited by military leaders as a potential Achilles' heel for U.S. armed forces, which rely on local power companies at almost all of their domestic bases. And a sustained blackout caused by a cyber weapon could impose astronomical economic and human costs on the United States. 

According to the Dragos report, the 2016 Ukraine attack is now seen as merely a small-scale test: the weapon in theory could be used to wreak havoc on any industrialized country. 

"It's probably a busy day for electricity owners and operators," one source active in the cyber-threat information-sharing process said after news emerged of the Russian "CrashOverride" weapon. "Every state, local and federal regulator is probably calling them all." 

This, the source said, "is Phase 1: Panic Mode. Which leads shortly to Phase 2: Assurance mode. This is when the owners and operators explain how they are mitigating the threat." 

The source added: "The surprise here is not that a foreign actor is looking for ways to turn out the lights through a cyberattack. The surprise here is that the attack was spotted." 

The news puts a spotlight on the process of sharing information about cyber threats, which has been the focus of much federal policymaking in recent years, and on how organizations of all kinds are organized to tackle cyber risk. 

The system for sharing cyber threat indicators, with an eye toward blocking and limiting the impact of hacks, is well-advanced in the financial and information technology sectors, and is growing in others including the electricity and oil and gas industries, according to business and government sources. 

But it's not clear whether this first line of defense against cyber weapons is getting adequate support from the federal government. 

A Department of Homeland Security program for sharing cyber threat indicators with industry has only 129 "agencies and private sector entities participating," according to a DHS spokesman. 

A DHS official in March told lawmakers that encouraging participation remains a concern and that the program still needs to provide better analysis of the information it's sharing in order to make it useful to private companies. 

"The program is not growing at the rate necessary to rapidly share indicators to link us up in a national net to thwart the fast growing cyber criminal enterprises," said Mike Echols, a former DHS official. 

Beyond the mechanics of creating a workable system for sharing alerts about cyber threats, major questions remain around basic organization and principles for warding off attacks. 

"An infrastructure attack is the highest level of threat" against the United States, said one security consultant who works closely with the federal government. "This is a continuation of the Cold War, but nobody is looking at it holistically and fixing things." 

The source said the processes of detecting threats, and devising strategies of defense, are "siloed" within individual industries and, at the government level, specific agencies. That creates seams in the defense that enemies can and do exploit. 

Cyber pros say news such as the "CrashOverride" report grabs attention but mainly serves to restate well-known problems and shortcomings in the U.S. response to cyber threats. That will begin to change only when there is a sustained commitment across government and the private sector to define roles on cybersecurity and to develop integrated strategies for responding to the threats. 

Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers, and author of "Hacked: The Inside Story of America's Struggle to Secure Cyberspace," published by Rowman and Littlefield.