Sandy turned off the lights, the phones, and the heat. A cyber attack could make it all happen again.
- By Joel Brenner

Joel Brenner is the former national counterintelligence executive, the former inspector general of the National Security Agency, and the author of America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare (Penguin 2011). He practices law in Washington, DC.
Verizon’s chief technology officer surveyed a flooded major switching facility in lower Manhattan and put it bluntly: "There is nothing working here. Quite frankly, this is wider than the impacts of 9/11." Damage from Sandy is estimated to reach $20 billion, and interrupted phone service is among the least of it. Flooding in New York’s century-old subway system is without parallel. Bridges and roads, homes and businesses have been destroyed. Days after the storm, many businesses remain closed, their employees out of work. And tens of thousands are suffering — cold and in the dark.
Storms and floods are not the only infrastructure threats that invoke comparisons to 9/11. Secretary of Defense Leon Panetta made headlines recently when he noted that the economic consequences of a successful cyber attack on our financial system, electric grid, or other infrastructure could dwarf the economic consequences of 9/11. Actually, this wasn’t news. Former Director of National Intelligence Mike McConnell had said the same thing five years earlier. They’re both right. And the consequences of that kind of attack might not be merely financial. A cyber attack causing an explosion at a chemical plant, for example, could cause grievous loss of life.
This is not fantasy. We know we can blow up an electric generator using nothing but a keyboard and a mouse. Water systems have been polluted using a laptop. Centrifuges in nuclear plants have been physically destroyed with software. In August, a computer virus called "Shamoon" wiped all the information off 30,000 computers at Saudi Arabian Oil Co. The virus came from Iran. Today, half a dozen U.S. banks are under attack, almost certainly also from Iran. We know our electric grid is being probed from abroad.
Who’s paying attention?
The Senate can’t pass even watered-down legislation that would simply require that critical infrastructure sectors develop their own security standards. In early August a bill sponsored by Senators Collins and Lieberman went down to defeat when the owners and operators of the electric grid objected vehemently to government-mandated standards. The objection was frivolous. The bill called for voluntary standards to be promulgated by industry, not government. Still, the owners demanded liability protection. From what? From the risk of observing their own standards! This is ironic, because if disaster struck, rate-payers (that’s us), insurance (we pay the premiums through our rates), and the government (that’s us again) would be stuck with the tab — not shareholders. No wonder the grid’s owners and operators have a higher taste for risk than the businesses that depend on them.
In fact, government policies actually encourage such risk-taking. Insurers play an important role in reducing risk because they have a direct interest in reducing claims, but this market dynamic works poorly when government shields shareholders from liability. Consider how government-subsidized flood insurance prevents markets from requiring people to assume the risk of their own choices. More significantly, the U.S. government currently indemnifies the owners of nuclear power plants on a no-fault basis for damage in excess of $12.6 billion. That limit is derisory compared to the potential damage from a nuclear meltdown. Raising or eliminating that limit would require higher insurance coverage, which in turn could lead insurers to play a tougher role in setting and enforcing their own security standards.
To be fair, the big, private-sector electricity generators and transmission companies are serious about security. But their security officials are no match for a state-sponsored attack. The Department of Homeland Security has Industrial Control System Response Teams, known as ICS-CERT. These fly-away teams respond to advanced cyber threats at the urgent request of system owners, and they reportedly spend most of their time dealing with power systems — electricity and gas. So the threat is real, yet many players in this industry still don’t understand it. In some cases, employees of grid operators can reportedly access remote field equipment through Bluetooth connections to the Internet. These practices are rash. An attacker doesn’t care whether he gets into the grid through a big company’s main generator or a carelessly connected municipal field station. Once he’s in, he’s in; and if the electricity goes out, everything stops.
That’s why isolating the key control systems of our critical infrastructure from the Internet should be a national goal. But the trend is in the opposite direction. If you have an iPhone, try this experiment: Search "SCADA" in the app store. (SCADA stands for "supervisory control and data acquisition.") You’ll find a handful of free or cheap mobile apps for accessing industrial control systems through their programmable logic controllers, or PLCs. As an ad for one of these apps puts it, "Plant engineers, PLC software developers, maintenance people, and in general anyone dealing with PLC based systems will be able to connect to them at any time, from anywhere." This is convenient, but it’s a security nightmare.
The Internet is porous and insecure, and if you can penetrate a publicly accessible network to steal information, you can also corrupt or wipe the information on the network, or shut the network down, or destroy the equipment that runs on it. Sound melodramatic? It isn’t. The Stuxnet cyber attacks on centrifuges in the Iranian nuclear program resulted in the physical destruction of centrifuges. If Saudi Aramco can wake up and find 30,000 of its computers wiped, the same thing can happen to your bank or your power company. The "Shamoon" virus apparently didn’t reach the control systems on the Saudi company’s extraction and refining operations — but only because the attackers couldn’t get to those systems. In North America, many of our electric grids’ operating systems are exposed to the public Internet and therefore penetrable.
The plain truth is that the United States cannot defend the electronic systems that create much of our wealth and power. The government alone cannot fix this. Most of our networks are privately owned and operated. Even if government had the resources to strengthen and police these networks (it doesn’t), we don’t want the government living in the channels through which we conduct our business and private lives. Nor do we want the government mandating invariably rigid standards for industry. Unfortunately, however, much of our critical industry is not stepping up to the task.
Congress should learn a lesson and deal with cyber vulnerabilities one at a time and not in an omnibus bill that won’t pass. Here’s what it should do:
1. Require the owners and operators of a narrow class of critical infrastructure to promptly develop cyber security standards in a government-approved process. Standards should be flexible and regulatory layers should be rationalized. Failure to meet these standards after a reasonable interval should be made public.
2. Amend or repeal laws to enhance the role of private insurers in security standards. When shareholders rather than government bear risk, risk drops because businesses buy it down. That dynamic should be encouraged, not suppressed.
3. Protect companies from liability for sharing threat information with the government, with insurers, and among themselves. Companies often complain that the government doesn’t share enough information with them — especially classified information. But why don’t companies improve security by sharing cyber threat information among themselves? The ostensible reason is fear of antitrust liability. The real reasons are potential damage to their brand and the belief that hoarding threat information creates competitive advantage. But the risk of brand damage can be avoided if sharing is restricted to threats, not damage; and it can’t be true that all companies in an industry have a competitive advantage in security. Those that don’t would improve their competitive position by sharing threat data. As a former antitrust prosecutor, I think the antitrust excuse is a red herring, but let’s remove the excuse. It’s easy to do, and cost free.
4. Encourage private investment in cyber security through favorable tax treatment. When Congress gets serious about an issue, its agenda shows up in the tax code.
We don’t just store information on our "information" networks; we use them to run everything we do — from the ventilation and security system in your office building, to the operation of the switches on Amtrak and big city subways, to the matching and clearing systems behind our securities exchanges, the governance of the electricity grid, controls over off-shore drilling rigs in the North Sea and the Gulf of Mexico, and local water treatment plants. Many of these systems are poorly protected. The vulnerability of our critical infrastructure is what permits a third-rate power like Iran to play jujitsu with a superpower. Let’s not wait for a disaster to happen. A nation that permits this vulnerability to continue is a nation that has lost the will to defend itself.