We know that for a long time, we have been engaged in a developing set of battles on several cyber-fronts, including business, healthcare, industry, education and government.
These have been largely a disorganized set of skirmishes that usually result in the attackers making off with valuable personal information, ransom attacks where money is extorted in exchange for abducted information or computing assets, the co-opting of business processes that have led to outright financial theft, and hacktivism that delivers havoc to political processes.
Each industry sector has tried to defend against these attacks in a variety of ways from upgrading cybersecurity technologies to increased training and staffing to the hardening of assets and the adoption of new policies and strategies. Yet, in spite of sometimes extravagant efforts, the bad guys keep winning.
Why? It’s because we are fighting an asymmetrical war with expanding attack surfaces and we lack a unifying purpose. That unifying purpose is becoming more important as attack surfaces go beyond business networks to institutional constructs like the power grid. Without leadership from Washington and a coalescing of the hundred or so siloed agencies that are apparently charged with defending the nation’s critical infrastructure from existential cyber-attacks, who will do it?
We have just seen a report that details a cyber espionage campaign that has broken into dozens of energy firms in the US, as well as in Turkey and Switzerland. The attacks showcase an accelerated pace beginning this past March and steadily growing through today. We have been able to identify the actors perpetrating the attacks as a hacking group known as Dragonfly, which many other cybersecurity firms like CrowdStrike believe to have ties to the Russian government. Dragonfly has carried out cyber-attacks on the energy sector in various countries going back to 2011, but its operations seem to be picking up steam and are focused on the U.S. energy grid.
Our Department of Homeland Security claims that “DHS is aware of the report and is reviewing it. At this time there is no indication of a threat to public safety.” Did that make you feel warm and cozy? Good. You might need it this winter.
Foreign hackers have attempted to break into US energy companies that support the US power grid on several occasions in the past, but no group has gone quite this far or been this successful, which translates to a power grid that is showing its increased vulnerability. DHS has issued comparable statements in the midst of prior hacks and has downplayed the lack of backups described in Ted Koppel’s revealing book, “Lights Out.”
The big change that we have seen now is that the attacks are successfully centered on the operational networks of these energy companies, which is a long way from a random hit on an administrative network. Instead of being several steps away from penetration as they were last year, they are now inside the tent. From this perch, they will easily be able to remotely control the circuits, knobs and levers that operate the plants and the flows of electricity across the network. The power plants along the Eastern seacoast are the most vulnerable, with the least possible recovery through backup generators. These are fictional backup generators that don’t actually exist anyway. A power plant compromise could easily mean a year or more without power to its network.
If that isn’t bad enough, hackers could launch a coordinated shutdown of multiple energy suppliers plugged into the same power grid and cause tens of millions of people to lose electricity at the same moment. North Korea doesn’t need to fire up an EMP to create the same level of destruction. We don’t need to worry about a rogue nation exploding a nuclear weapon in the atmosphere and kicking our behinds. We seem to enjoy kicking our own behinds instead.
It has now been more than 110 days since the clock started on the White House Cybersecurity policy EO, eight deadlines have passed, and eight more are quickly approaching. And so far, the results are not encouraging.
Beginning with missed deadlines by several key agencies, the recent resignations en masse of several members of the National Infrastructure Advisory Council (which advises the Department of Homeland Security on infrastructure issues and cybersecurity) and the weak report card from people like Josh Corman, a cybersecurity policy expert at the Atlantic Council, the prognosis is not great. Corman recently cited inside intel that many agencies have started work on the initiatives but most would probably not be completed in time.
I am hoping that the Trump administration will recognize that these people charged with moving the ball are failing miserably and conclude that a more dramatic response is in order.
I am also hoping that, based on his background, he will look to the private sector for immediate and emphatic remediation, recovery and progress toward a new plan. A cabinet-level appointment of a chief cybersecurity czar from the private sector would be a great start. A partnership with cybersecurity research and product companies in the private sector would be a great second step. Keeping Congress out of the loop through executive orders would be a brilliant third step.
I may be dreaming and even naïve, but I find it hard to believe that this guy doesn’t understand how serious the threat from cyberspace has become and how unprepared we as a nation are to deal with a new kind of warfare. In spite of snarky criticism from the likes of John McCain, who has stood idly on the sidelines for 16-plus years watching us fail to implement a cybersecurity program, the Trump team needs to deliver a plan that actually works, and in time for the U.S. to climb back into a leadership position on the world cybersecurity stage.
Or it’s going to be one cold, miserable winter.