14 October 2014

Cyberwar: Not if. Not when. Now.


CHARLIE MITCHELL 
SEPTEMBER 29, 2014


When Target Corp. and Neiman Marcus were hacked, it was a costly black eye for those companies and a nuisance for consumers. 

When intruders cracked into the computer files of a prime contractor for the Department of Homeland Security, it was a warning that no one, including the government's own security arm, was immune from the threat. 

"What agencies haven't been hacked?" Sen. Tom Coburn, R-Okla., asked Obama administration witnesses at a recent hearing. "The fact is, they've all been hacked." 

The penetration at DHS contractor USIS was an embarrassment for the administration and created headaches and worries for thousands of federal employees whose personal information was accessed illegally by unknown perpetrators for unknown reasons. 

That's scary enough in this cyber-dependent world. 

But beyond such nuisances, embarrassment, potential lawsuits and warnings, a major cyberattack — aimed at the electric grid, for instance — could be a nationwide disaster. 

"Even in the last 10 years the risk environment has changed from nuisance to persistent criminal activity, to disruptive, to potentially destructive," said Robert Dix, vice president for global government affairs and public policy at Juniper Networks. 

The destructive capacity of nation-states and even nonstate actors is growing rapidly, Dix observed. 

The impact is being felt across our economy, according to Internet Security Alliance President and CEO Larry Clinton, whose organization represents companies from many critical infrastructure sectors. 

“Virtually every aspect of our lives is now dependent on cyber systems, and these systems are under constant, and often successful, attack," Clinton said. "Our nation’s critical infrastructure, including public utilities and national defense systems, as well as corporate intellectual property and our personal data, are vulnerable to cyberattack, and the situation is getting worse, not better." 

The problem will not go away because it is rooted in the very nature of the digital economy. "Our cyber systems are inherently vulnerable," Clinton said. "They were designed to be open, not secure." 

Grid attack 

The vulnerability of the nation's electric grid is a sharp focus of policymakers because every essential service and the entire economy depends on it. 

Military leaders have been particularly vocal in raising concerns about the grid. Virtually every military base is served by a power company. 

In one scenario pored over by military planners, China might try to cut off the electricity supply to Fort Bragg by a private power company in North Carolina, thus grounding key U.S. airborne forces in an unfolding confrontation over Taiwan. 

The Senate version of the 2015 National Defense Authorization Act would require the Pentagon to assess the vulnerability of every one of its facilities to a cyberattack against the grid. 

"While the committee recognizes that military installations that rely on commercial electricity utilities have made some important strides in bolstering cyber defenses, there is no question that electricity grids supplying power to mission-critical DOD facilities remain highly vulnerable to cyber-attacks by nation-states and other sophisticated actors," reads the bill produced by the Senate Armed Services Committee. 

The electricity industry points out that much of the sector operates under mandatory cybersecurity controls administered by the federal government. The Department of Energy has just released guidance to help the entire industry develop risk management plans shaped by the National Institute of Standards and Technology's groundbreaking framework of cybersecurity standards, which was released at the White House in February. 

Further, cybersecurity has "surged" in perceived importance among electric-sector executives, according to a recent survey by Black & Veatch, a consulting firm. 

There is much hyperbole about the havoc that an attack on the national grid could cause. 

While strolling across the University of California's San Diego campus at a government-sponsored workshop on cybersecurity last year, an independent security analyst explained how easy it would be for saboteurs to cut off the juice. 

Because of the modern economy's dependence on real-time delivery of everything from baby food to bottled water, 80 percent of us would be dead within weeks, he said. 

It’s difficult to verify such a claim, but when the Washington Post posits, as it did last winter, that "an AK-47 may be a bigger threat to the electricity grid than a cyberattack," it is more clearly awry. 

The Post was referring to a 2013 incident that haunts deliberations over grid security. Mention "Metcalf, California," and policymakers cringe. 

In 2013, someone fired bullets from a high-power rifle into an electric utility substation in Metcalf, disrupting utility operations for days. The lights didn't go out, thanks only to the quick efforts of power company employees. 

Still, utility operators, their regulators and plenty of critics quickly considered the implication: A relatively simple cyber intrusion could have inflicted far more damage. 

Oceans are no defense 

For many years, policymakers found comfort in the notion that potential adversaries with the capacity to inflict real cyber damage on the United States have little desire to do so. 

It was claimed that the Chinese, for instance, own far too many Treasury notes to want to harm our financial system. 

But the gap between capacity and intent is narrowing. 

"The attack community is becoming much more sophisticated," said ISA's Clinton. "Attack methods available only to nation-states a few years ago are now available to common criminals. In addition, the explosion of mobile devices and the 'Internet of Things' has vastly expanded the surface available to attack." 

A brand-new "smart" refrigerator, gleaming in the corner of a company's lunchroom, could offer a sophisticated hacker an entry point into a corporation's most important databases. That's aside from the risks posed by every personal device an employee plugs in at work. 

There are plenty of economic incentives and few risks in launching cyberattacks, Clinton says. 

"Cyberattack methods are easy and cheap to acquire, cyberattacks are immensely profitable, and law enforcement is virtually nonexistent — less than two percent of cybercriminals are successfully prosecuted," he said. 

These increasingly sophisticated, cheap and easy attack methods are growing like weeds in the cybercrime sphere but the most consequential impacts may be felt elsewhere: Foreign government-backed cyberwarriors and would-be terrorists are aware of these tools, too. 

Increasingly, those who spend their time worrying about cyber vulnerabilities are concerned that someone is getting ready to strike. 

One lawmaker even put a date on it: within the next 18 months. 

House Intelligence Committee Chairman Mike Rogers, R-Mich., recently warned that Congress needs to take action this year, Inside Cybersecurity reported. 

"We had better get it done in the lame duck or we are going to have a major catastrophic event within 18 months that we're all going to look back and go, 'My God, why couldn't we get our act together?' " Rogers warned. 

Where’s the enemy? 

At the nation-state level, China is pouring resources into both defensive and offensive cyber capacity. Intrusions from China have been detected in the natural gas pipeline system that increasingly fuels our electricity generators. That's one hint that China is scoping out a potential cyber battlefield of the future. 

The United States and China established a much-ballyhooed working group to address cyber threats, but Beijing suspended this joint effort in May when the U.S. indicted five Chinese military officers on economic espionage charges. 

The Russian government is also determined to compete in terms of cyber power. 

"The Russian perspective is neither Russia or the U.S. will be the No. 1 cyber power. That's their position," Eneken Tikk-Ringas, a senior fellow for cybersecurity studies at the International Institute for Strategic Studies, said at an event in June. 

Both Russia and China are building cyber weapons that could be deployed against our electric grid or financial system. 

Neither country would be likely to use these weapons unless they were at war with the United States. The Ukraine crisis highlights the risk, but a cyberattack on the American homeland by a major power seems a remote possibility in the absence of actual armed conflict. 

That leaves smaller, antagonistic regional powers such as Iran and North Korea. They could be looking for a real weapon to use against us. 

Tehran is blamed for attacks on Saudi Aramco and U.S. banks, and probably is eager to avenge the Stuxnet cyberattack that temporarily disabled its nuclear weapons program. Stuxnet is seen as the work of America and Israel, although neither government has acknowledged it. 

There are affiliated groups such as the so-called Syrian Electronic Army, which put U.S. security officials on high alert as tensions rose in 2013 between Washington and the government of Syrian President Bashar Assad. Some experts said that group could deface a website but couldn't cripple a power generator. Whatever its capacity, the group seems focused on more immediate challenges to Assad's power, such as the Islamic State terrorist group. 

U.S. security officials say the usual terrorism suspects aren't quite there yet and could not bring down America’s electricity or financial systems. 

"Cyber is one of those areas where terrorists [presently] don't have great capacity," Nicholas Rasmussen, deputy director of the National Counterterrorism Center, testified Sept. 10 before a Senate hearing on homeland security. 

But they are working on it, and Rasmussen said their threat could "evolve." 

Uneven response 

"Everyone knows it's not 'if' we get a cyberattack, it's 'when,' " said Sen. Saxby Chambliss of Georgia, the top Republican on the Senate Intelligence Committee. "If we get a catastrophic attack on our watch, shame on us." 


Chambliss and other lawmakers, including the Democratic and Republican leadership of the congressional intelligence and homeland security panels, point to broad agreement on what Congress needs to do to shore up the nation's defenses. 


The main thing Congress can do, says Chambliss, is pass a cyberthreat information-sharing bill that eases communication between the private sector and government and gives industry legal protection. 


So what's holding lawmakers back? 


"The elections," Chambliss shoots back without hesitation. 


Beyond that, cybersecurity is a tough issue from a policymaking perspective. 


Everything is in the mix — from privacy rights and civil liberties to the appropriate roles and responsibilities of government and the private sector. 


Groups including the American Civil Liberties Union and Center for Democracy & Technology say the information-sharing bill championed by Chambliss and Sen. Dianne Feinstein, D-Calif., would reverse established privacy and civil liberties principles, and endanger government watchdogs. 


Chambliss and Feinstein reject that and say they have made numerous tweaks that strengthen the bill's privacy protections. 


Still, as Chambliss pointed out, Senate Majority Leader Harry Reid, D-Nev., hasn't shown much desire to touch this issue. 


Add in jurisdictional disputes among congressional committees and dozens if not hundreds of competing legislative priorities, and it's no wonder cybersecurity has languished on Capitol Hill. 


Many in industry believe they need economic help, in the form of incentives, to make costly investments in the type of cybersecurity necessary to fend off advanced persistent threats. Incentives could include liability protection, tax credits or many other policy levers, but Congress has been unable to provide them, and the Obama administration continues to mull what would be effective. 


With Congress nibbling around the edges, cybersecurity policy has remained largely in the hands of the administration and private sector. 


To the relief of many in industry, the White House dropped what was viewed as a regulatory approach to cybersecurity after failing to move a cyber bill through the Senate in 2012. 


Some industry sources believe the administration is itching to write regulations. But its main policy driver, since February 2013, has been Obama's Executive Order 13636, which set up collaboration on cybersecurity among private-sector stakeholders, the White House, NIST, the Department of Homeland Security and other federal agencies. 


Despite lingering skepticism, the administration says its initiative is intended to harness the creativity and power of the private sector and infrastructure such as the electric grid and communications systems. 


The White House disavows any intention to impose new regulations. Independent regulatory agencies such as the Federal Communications Commission have committed to letting industry try its hand at creating a new, post-regulatory "paradigm" for cybersecurity. Others including the U.S. Environmental Protection Agency have explicitly stated that the private sector's efforts are satisfactory. 


Some industry officials, such as ISA's Larry Clinton, see an almost unheard-of "synchronization" of policy views between the Obama administration and congressional Republicans. 


"To their credit, policymakers are well ahead of much of the world in conceptualizing effective public policy," he said, citing Obama's executive order as "probably the most insightful and creative statement on this issue from any world leader." 


The president's executive order matches the 2011 recommendations from a House Republican task force on cybersecurity appointed by Speaker John Boehner, R-Ohio, Clinton said. 


"Both … recognize that due to the multiple different systems in use and how quickly both the technology and the attack vectors change, that a traditional regulatory structure will be ineffective, and probably counterproductive," Clinton said. "Instead, both call for relying on a collaboration of government and industry ... Unfortunately both Congress and the administration have been slow to turn this creative and sustainable approach into concrete legislation that outlines a truly comprehensive approach to the problem.” 


There is a shared responsibility to address the challenge between government and the private sector, according to Juniper's Robert Dix. But on the government side, he believes it's essential that Congress pass bills to improve information sharing and smooth communications between government and industry. 


"All of those things could happen tomorrow," Dix said. "You can't protect everything all the time, so industry needs access to actionable intelligence." 


For its part, the private sector has responded to the growing threat with innovations "at an unprecedented pace," Dix said. 


Public awareness lags way behind. A public education campaign led by Washington could improve "cyber hygiene" in homes and workplaces that would address about 80 percent of the problem, Dix says. 


Giving industry better access to actionable intelligence and taking a tougher approach toward hackers would help get at the remaining, and more difficult, 20 percent, Dix said. 


The bottom line is "we need to work with more urgency on the basic blocking and tackling." 


Big questions remain about what the appropriate roles are for government and the private sector, and what would constitute "success." 


Everyone seems to agree that we cannot declare victory in cyberspace. Threats evolve, so companies need constantly to invest billions of dollars in security, and policymakers in the nation's capital will keep asking whether it's enough. 


For the time being, hackers will continue going after consumer data and intellectual property, but a high-impact attack, such as an effort to bring down the power system, cannot be ruled out. 


With NIST in the lead, the Obama administration's voluntary framework of cybersecurity standards pulls together industry's best technical work and creates a common lexicon that can be used by engineers and executives alike. 


It's a great start, industry representatives say, but it's only a start. 


“Cyber threats include a malicious brew of cyber crooks and foreign powers that threaten America’s trade secrets and vital infrastructure. Policymakers must do more to help businesses blunt these threats,” said Ann M. Beauchesne, vice president for national security and emergency preparedness at the U.S. Chamber of Commerce. 


“Legislation meant to spur information sharing about threats quickly and to safeguard ways between government and business is ready to move on the Senate floor, and lawmakers are strongly urged to vote on it,” she said. 


Industry sources say the government still needs to get its act together and truly leverage its vast resources to raise awareness to the threat among companies and average citizens. Some have called for a "Smokey Bear" kind of publicity campaign to make cybersecurity a "front-of-mind" topic for business executives and schoolchildren alike. 


They say Washington needs to get its house in order by updating security for federal computer networks, improving training and clarifying the way it interacts with the private sector. 


Some want the government to pay the difference in cost between what a company would invest in cybersecurity based on the corporate bottom line, and what the government wants to see invested based on national security. 


Industry representatives don't want a compliance regime that would create cybersecurity "checklists" that every company must follow. 


Obama administration officials say that's fine, for now. They agreed, in Executive Order 13636, that some form of incentive is needed to help cover costs, but have yet to determine exactly what is appropriate. Officials are also examining barriers to information sharing and have already issued a statement that such activity among companies should not trigger antitrust concerns. 


The administration, in many ways, is also challenging the private sector to come up with metrics that prove, if such a thing is possible, that it is actually improving its defenses. 


Both sides, the government and private sector, are investing tremendous amounts of time and money to prevent the "cyber Pearl Harbor" that former Defense Secretary Leon Panetta warned about. 


However tenuous, they have created a collaborative atmosphere on cyber policy that would be almost unthinkable in other public policy realms. 


The reason is simple: Failure is unacceptable. But lots of very smart people think there's a clock ticking and we still have a long way to go. 


Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers. Previously, he served as editor-in-chief of Roll Call newspaper and RollCall.com, and as managing editor of National Journal's Congress Daily. 




No comments: