Trump Advisory Council Warns of ‘9/11-Level Cyberattack’
Member resignations distract from these troubling findings of infrastructure security team
The National Infrastructure Advisory Council (NIAC) is a task force the National Security Council commissioned to review and evaluate a long list of ways the federal government determines how to secure critical infrastructure — such as dams, bridges, power grids, and airports — against targeted cyberattacks.
The advisory council garnered headlines this week from the media for joining other councils in having members resign after several weeks of controversy dogged the White House. Less covered and of more importance to the nation was the first report the council issued this week — which generated little attention.
The report calls for the Trump administration to act decisively on a set of bold cybersecurity measures that the council says must be put in place immediately in order to avoid a 9/11-class cyberattack.
They have assessed our national risk and have declared it real, present and high.
The recommendations arise from successful probes on our critical infrastructure, such as the break-in to the command and control system of a dam in Rye Brook, New York, through a simple cellular modem. There have been recent and similar probes around the world, in fact, in which attackers repeatedly demonstrated that they could successfully bring critical infrastructure to its knees with a few keystrokes.
Just last month, the Petya virus took down Eastern Europe's national banks, state power companies, and airports in a demonstration of the effects of a relatively unsophisticated cyberattack on key elements of government infrastructure.
The task force recognizes that most critical national infrastructure (CNI) in the U.S. is privately owned and poorly defended, and it is particularly vulnerable to cyberattack because it relies on outdated software, third-party utilities, and interconnected networks.
Owners' ability to run these systems remotely, and to update software via the web, gives hackers all the access they need. These interconnected networks are even more tempting because they usually control operations as well, magnifying the impact of an attack.
Attacks against operational technology (OT) are different from information technology attacks because OT attacks can easily produce kinetic effects, such as opening floodgates, shutting down grids, and destroying control circuitry.
The report confirms the contention that while the government and the private sector may have lots of appropriate technologies to defend critical systems, they have not been applied in a way that can be effective against an adversary in cyberspace. This conclusion has been demonstrated in study after study and is shared by most cybersecurity professionals in the private sector.
When you are relying on a 10-year-old technology to "protect" sensitive employee information at the Office of Personnel Management, you need to look no further for the critical weakness in the system.
The report defines a "narrow and fleeting window of opportunity before a watershed, 9/11-level cyberattack to organize effectively and take bold action" and goes on to "call on the administration to use this moment of foresight to take bold, decisive actions."
The task force recommends establishing separate, secure networks for critical infrastructure; information-sharing through automated threat intelligence distribution; and the use of modern scanning tools and processes for periodic threat assessments. This is all solid Cyberthreat 101 stuff that should have been in place years ago.
The task force has gone so far as to recommend outcome-based market incentives (aka bribes) to encourage CNI owners to invest in state-of-the-art technologies, as though the threat of a cyberattack that will shut down a large section of the electrical grid is not sufficient incentive in itself.
In other words, it seems that if we can't get these critical network infrastructure guys to address the issue on a national security basis, maybe we should bribe them. How about firing them all instead?
The critical infrastructure owners are all under contract with the Department of Homeland Security, and all 16 sectors fall under the shared partnership with DHS and the subordinate organizations responsible for cybersecurity, including the Office of Cybersecurity and Communications alongside the Office of Infrastructure Protection within the National Protection and Programs Directorate. You can probably see the challenge here.
For decades, many in the private-sector cybersecurity community have been warning that hackers would soon make the leap beyond purely digital mayhem and start to cause real, physical damage in the world. In 2009, when our own Stuxnet malware silently accelerated a few hundred Iranian nuclear centrifuges into self-destruction, it was a preview of this new era.
"This has a whiff of August 1945," Michael Hayden, the former director of the NSA and the CIA, said recently in a speech. "Somebody just used a new weapon, and this weapon will not be put back in the box."
He is right. But the difference here is that in 1945 we were the protagonists with the new weapon. Now, we are the ones who are likely to be on the receiving end. If the Trump administration doesn't act quickly and decisively, it may be a very cold winter.
Steve King is the COO of Netswitch Technology Management.