For a long time now the United States has been engaged in a constantly evolving set of battles on several cyber-fronts, including business, health care, industry, education, and government.
These have been largely a disorganized set of skirmishes that usually result in the theft of valuable personal information, ransom attacks in which money is extorted in exchange for abducted information or computing assets, the co-opting of business processes that have led to outright financial theft, and hacktivism, which raises havoc in political processes.
Each industry sector has tried to defend against these attacks in a variety of ways, including upgrading cybersecurity technologies, increasing training and staffing, hardening assets, and adopting new policies and strategies.
Yet despite these sometimes extravagant efforts, the bad guys keep winning.
Why? It’s because we are fighting an asymmetrical war with expanding attack surfaces, and we lack a unifying purpose.
That unifying purpose is becoming more important as attack surfaces go beyond business networks to institutional constructs such as the U.S. power grid. Without leadership from Washington and a coalescing of the hundred or so siloed agencies that are apparently charged with defending the nation’s critical infrastructure from existential cyberattacks, who will do it?
We have just seen a report that details a cyber espionage campaign that has broken into dozens of energy firms in the U.S., as well as in Turkey and Switzerland. The attacks showcase an accelerated pace beginning this past March and steadily growing through today.
We have been able to identify the actors perpetrating the attacks as a hacking group known as Dragonfly, which many other cybersecurity firms, such as CrowdStrike, believe to have ties to the Russian government. Dragonfly has carried out cyberattacks on the energy sector in various countries going back to 2011, but its operations seem to be picking up steam and are focused on the U.S. energy grid.
Our Department of Homeland Security claims that “DHS is aware of the report and is reviewing it. At this time there is no indication of a threat to public safety.” Did that make you feel warm and cozy? Good. You might need it this winter.
Foreign hackers have attempted to break into U.S. energy companies supporting the power grid on several occasions in the past, but no group has gone quite this far — nor been this successful. DHS has issued comparable statements in the midst of prior hacks and has downplayed the lack of backups described in Ted Koppel’s revealing book “Lights Out.”
It is a remarkable shift in sophistication that the attacks are now successfully centered on the operational networks of these energy companies — a long way from a random hit on an administrative network. Instead of being several steps away from penetration, as they were last year, they are now inside the tent. From this perch, they will easily be able to remotely control the circuits, knobs and levers that operate the plants and the flows of electricity across the network.
The power plants along the Eastern seacoast are the most vulnerable, with the least capacity to recover through backup generators. Those backup generators are fictional anyway; they don’t actually exist. A power plant compromise could easily mean a year or more without power to its network.
If that weren’t bad enough, hackers could launch a coordinated shutdown of multiple energy suppliers plugged into the same power grid and cause tens of millions of people to lose electricity at the same moment. North Korea doesn’t need to fire up an electromagnetic pulse (EMP) to create the same level of destruction. We don’t need to worry about a rogue nation exploding a nuclear weapon in the atmosphere and kicking our behinds. We seem to enjoy kicking our own behinds instead.
It has now been more than 110 days since the clock started on the White House cybersecurity policy executive order, eight deadlines have passed, and eight more are quickly approaching. So far, the results are not encouraging.
Beginning with missed deadlines by several key agencies, the recent resignations en masse of several members of the National Infrastructure Advisory Council (which advises the Department of Homeland Security on infrastructure issues and cybersecurity), and the weak report card from people like Josh Corman, a cybersecurity policy expert at the Atlantic Council, the prognosis is not great. Corman recently cited inside intel that many agencies have started work on the initiatives, but most would probably not be completed in time.
I am hoping that the Trump administration will recognize that the people charged with moving the ball are failing miserably and conclude that a more dramatic response is in order. I am also hoping that based on his background, he will look to the private sector for immediate and emphatic remediation, recovery and progress toward a new plan.
A Cabinet-level appointment of a chief cybersecurity czar from the private sector would be a great start. A partnership with cybersecurity research and product companies in the private sector would be a great second step. Keeping Congress out of the loop through executive orders would be a brilliant third step.
I may be dreaming and even naïve, but I find it hard to believe Trump doesn’t understand how serious the threat from cyberspace has become and how unprepared we as a nation are to deal with a new kind of warfare. In spite of snarky criticism from the likes of Arizona Sen. John McCain, who has stood idly on the sidelines for 16-plus years watching us fail to implement a cybersecurity program, the Trump team needs to deliver a plan that actually works — and in time for the U.S. to return to a leadership position on the world cybersecurity stage. If not, it’s going to be one cold, miserable winter.
Steve King is the COO of Netswitch Technology Management.