The things that have been holding back Russia, China, North Korea and Iran from a critical infrastructure attack on the U.S. could shift. When it comes to nation state threats on U.S. critical infrastructure, we think of four key actors: Russia, China, Iran and North Korea. Each country has been held back from attacking the U.S. for different reasons. Think about a graph with an x and y axis. The x axis represents capabilities and the y axis represents destructive intent. At the moment, Russia and China have the highest capabilities, but they fall lower on the scale of destructive intent. Of the group, they’re more rational and more dependent on their own critical infrastructure. On the other hand, North Korea and Iran have higher destructive intent, but fall lower on the capabilities scale. But it won’t stay this way forever. The level of destructive intent of Russia and China could change overnight – which is a concern given the capabilities they already have. And North Korea and Iran are strengthening their capabilities every day. North Korea’s attack on Sony is a good example. In the news, the focus was on all the embarrassing emails, but the attack was about more than just leaked emails – Sony’s networks were damaged. And Iran made headlines when it pulled off a damaging cyber attack against the Sands Casino. The U.S. has yet to experience a highly damaging attack on critical infrastructure, but that may not be true for long.
Election security isn’t as bad as many people think – and it will only get better. For all the talk about election security, one thing is for sure – we’re in far better shape today than we were in 2016. I was in charge of cyber and infrastructure security at DHS when we officially designated election infrastructure as critical infrastructure. Most security researchers focus on the security of the voting machines themselves, but so much more comes into play and needs to be protected: voter registration databases, the process of loading ballots into the machines, vote tabulation, getting results to the Secretaries of State and to the news networks. Election infrastructure is much more complicated than just voting machines and government officials on both the federal and state levels have taken great strides to ensure the resilience of our elections against cyber threats. As awareness has grown, progress has been made – but there’s still much more to be done to ensure the integrity of our elections in 2018, 2020 and beyond. This is particularly true with regard to influence operations from Russia and potentially other adversaries, where the necessary whole-of-nation coordinated response has been absent.
Growing cyber-dependence will make critical infrastructure attacks harder to stop. Within infrastructure like the U.S. electric grid, there is still a fair amount of physical redundancy to back up cyber controls. But as we move to embrace virtual infrastructure, we are also abandoning that physical redundancy, making it easier for an attacker to have cascading impacts that can cause real damage. With fewer physical controls in place it will be harder to regain control of systems, minimise damage and stop an attack from progressing. Given the benefits of the networked world, the move to digitalisation isn’t going to slow down. It’s important that we realistically assess our dependence upon cyber and the potential consequences of a disruptive attack. Maintaining physical backups or other redundancies, changing operational processes, and even keeping less data can reduce the impact of a successful attack.
Unsophisticated attackers will get better at breaking into OT networks, but will likely lack the level of sophistication needed to have a significant physical impact. Ever more sophisticated hacking tools and techniques are available for download from the web. This means that the number of unsophisticated hackers able to break into systems will rise – but what they’re able to do once they get in is another question. If you look at Russia’s attacks on the Ukrainian power grid, attackers were able to remain undetected and do reconnaissance work for months. To bring down power for nearly 250,000 customers, they had to thoroughly understand the operations at the targeted plant. That level of sophistication can’t be bought and sold on the internet, which means that the real damage will continue to be done by actors with access to the right skills and resources.
The U.S. will get more aggressive in naming hackers. Until recently the U.S. did not publicly attribute various cyber incidents to specific nations, despite public pressure to do so. It can be difficult to attribute cyber activity with 100% certainty – but U.S. government officials were also concerned about public demands to respond if they were to attribute an attack. Until recently, the U.S. just didn’t have the tools needed to respond effectively. And many cyber incidents in recent years were just not worth going to war over. But tools are improving and the U.S. is getting better at other kinds of non-cyber responses, like creating a more robust sanctions regime and criminal indictments. The U.S. is already less afraid of attribution – which we saw last spring when it announced sanctions against Russia in response to attacks on U.S. critical infrastructure. As we continue to improve our non-cyber responses and further develop our cyber toolbox, we’ll see that the U.S. is less hesitant and more aggressive when it comes to calling out attackers.
Critical infrastructure organisations will fully embrace a cross-sector approach. The DHS established the National Infrastructure Advisory Council (NIAC), which is made up of leaders from private sectors like electricity, transportation, communication and others. The council has done a lot of good work. While at the DHS, I sat in on several tabletop exercises that resulted in some surprising realisations. For example, at one session it became clear just how interdependent electricity and financial services organisations would be in the face of a critical infrastructure attack. If the electric grid were taken down by a cyber attack, financial services organisations would be vital to help finance an industry response. The sectors are developing ways of working together before an attack occurs to understand how their organisations are interconnected and plan out how a cross-sector approach could lead to a smoother response should an attack occur.