I know: We’ll just isolate industrial control systems from the Internet.
The Greatest Threat The World Has Ever Known
Cyber espionage has moved from spy novels to reality and now into the realm of politics, where God-forbid, it will be transformed into the greatest threat to mankind the world has ever known.
Which it may well be.
In the last couple of years, cyber espionage has suddenly become a political football with diplomats and elected officials from the United States, China, Germany and many other countries decrying such attacks from their adversaries. The issue is tricky, both technically and politically, and while there have been a number of potential solutions or responses forwarded—from return hacking to economic sanctions—most of my ilk in the security field say there may not actually be a solution to the problem.
A Problem that Cannot Be Solved
“This isn’t a problem that can be solved. Don’t think it has a solution,” Joel Brenner, former head of national counterintelligence at the Office of the Director of National Intelligence and former senior counsel at the NSA, said in a keynote speech at the Kaspersky Government Cybersecurity Forum in Washington, DC on a Tuesday in October, 2014. “We are economically interdependent with the Chinese in an extraordinary way.”
Brenner pointed out a number of factors that have created the current state of affairs, including the interconnection of virtually every conceivable asset and what he says has been the stasis in defensive thinking and operations in the last 10 years or so.
“If you thought the state of cyber defense had become substantially better in the last ten years, you’d be wrong,” he said. “We’ve been walking backward on cybersecurity for more than a decade and we’ll continue to walk backward unless and until we can address the core issues. The defensive stance needs to change from filter and guard to hunt and kill.”
The animosity between the U.S. and China and other countries over cyber espionage and the theft of intellectual property has been increasing for several years now, and it has resulted in plenty of assertions and accusations from both sides. U.S. officials maintain that China and other governments use cyber espionage to gain economic advantages for their own companies in competition with U.S. counterparts, but that we never do anything similar in return.
But, I’m not sure that’s entirely true.
“I don’t think anyone’s hands are clean,” said Howard Schmidt, former White House cybersecurity adviser under President Barack Obama and a former security adviser to President George W. Bush.
He says that the current reality is something that we need to accept and deal with because it is going to be with us now for a long time – it may be a permanent part of the international business landscape.
The Grey Space Between War and Peace
“The vulnerability of our financial sector is there for all to see. And our power sector is just as bad. This is what the grey space between war and peace looks like, and we are in it,” he said.
Beyond the theft of intellectual property, PII and personal health information, the more serious threat that Brenner sees as a major concern for the U.S. is the connectivity of so many critical industrial control devices to the internet and the potential for serious and outlandish consequences in the event of a major attack.
“What’s to be done? The first thing would be to isolate from the internet the industrial control systems,” Brenner said. “Connecting the grid to the internet may have brought efficiencies, but it was foolhardy. There are daunting cross-sector interdependencies that I don’t think we understand well enough.”
I think we understand them alright. We just don’t know what to do about them. But one thing is certain. The onslaught of IoT is coming and no amount of hand-wringing in Washington is going to prevent it.
Nor should it.
Disconnecting From Reality
The idea of disconnecting the grid from the internet as he suggests, solves nothing. The grid must be connected somehow, and maybe that should be a private network that operates similarly to the one that connects Beijing to Shanghai in mainland China. The grid is after all, a national security high value asset. But until we get a directive that creates an initiative to do so and until we get actual cybersecurity experts with internetworking and cybersecurity skills to start working on the problem, we will generate even larger volumes of noise and continue with the same outcomes.
In the meantime, expect airplanes to drop out of the skies and trains to run right through depots and cars to spin hopelessly out of control while our bureaucrats play football with each other in Washington. Can you imagine how much fun we’ll have if the Federal Government response to the first IoT crisis is anything like the way Ebola has been handled?
Kinetic Cyber-Physical Attacks
And with the oncoming onslaught of IoT devices, they will bring with them a credible capability to achieve kinetic effects. Kinetic Cyber refers to a class of cyberattacks that can cause direct or indirect physical damage, injury or death solely though the exploitation of vulnerable information systems and processes.
Kinetic cyberattacks are a real and growing threat that is generally being ignored as unrealistic or alarmist. These types of attacks have been validated experimentally in the laboratory environment, they have been used operationally in the context of espionage and sabotage, and they have been used criminally in a number of attacks throughout the world.
While these types of attacks have thus far been statistically insignificant, the rapid growth and integration of cyber-physical systems into everything from automobiles to SCADA systems implies a significant kinetic cyber threat in the near future.
It is imperative that Congress, the Federal Government and the security community begin to take these types of threats seriously and address vulnerabilities associated with cyber-physical systems as well.
And that is before they debut riding 5G transmission speeds.
Fast Forward Seven Years
Everything that was true back in 2014, remains true today. Ebola has been replaced with COVID-19, Germany has been replaced with Russia, IoT was on top of mind back then as a potential high-value target, just as it is today, witnessing the last two cyberattacks on critical infrastructure at Colonial and JBS.
And politics still, seven years later, stands in the way of any meaningful progress.
Congress has no idea what they are supposedly overseeing. Our cybersecurity policy and defense at a national level is dispersed among 25 agencies with unclear jurisdictions and enforcement abilities, and the one thing that is clear is that no agency wants to be left out of the conversation.
Senators puzzled over how Facebook makes money is an embarrassing example of the level of incompetency institutionalized in that body.
Enemies in the East
An ultimatum from the current POTUS to the Russian head of state, led to the former KGB officer known as Vladimir Putin identifying 16 NCI sites that the U.S. would like to remain off-limits to future cyberattacks, even though Russia claims they had no hand in anything of a cyberattack nature and would never even think about such a thing.
The question, in addition to the ones about red lines and leverage and sanctions, would obviously be, “what of all the other IoT CI sites across the world and spread among our new friends from NATO, the 30 member states that just voted in favor of our new cybersecurity defense policy?”
Putin sees all NATO members now as proxies for the West, with whom Russia is clearly at war.
We met with Putin, and Putin came away stronger.
Snuffing Out Dissent
Not to put too fine a point on it, but at the same time we were meeting with Russia, China just snuffed what was operating as the only free press in Hong Kong and 500 officers arrested the top editors of Apple Daily, froze its assets and raided its newsroom, in a sharp escalation of the government’s campaign against dissent.
What will our response be when China decides to pull on one of those chains sitting inside our Federal networks following the SolarWinds attacks discovered in the first quarter?
Can you imagine revisiting this essay again in 2028?
Good questions, no answers.