Mounting cyber attacks on the economic interests of the United States are a constant reminder that, despite the billions of dollars spent by both the U.S. government and the private sector to date, our cyber defenses are lacking.
This is not to say that the U.S. government is ignoring the problem. President Obama’s Executive Order 13636, issued in February of 2013, was intended to “Improve Critical Infrastructure Cybersecurity,” and establish “a voluntary set of security standards for critical infrastructure industries…”1 The order directs the Executive Branch to “increase the volume, timeliness and quality of cyber threat information sharing, which should result in further developing a public-private partnership.” Meanwhile, different data breach notification laws have been adopted by 46 states, creating a jigsaw puzzle with different notification triggers, timing and notice content requirements. And while the government has called for the passage of a national law to standardize data breach notifications, the private sector is reluctant to do so.
For many years now, the myriad vulnerabilities affecting the U.S. in cyberspace have been discussed at congressional hearings. But hearings are usually held after something happens, or are intended to address the next budgetary cycle. Given its “tyranny of the inbox” mentality, there is a growing concern that the U.S. government is unready to coordinate a response to a major interference event.
Whereas the government’s stewardship is in question, the maturity of the threat is not. We are well aware of the vulnerability of the electric grid and experience everyday interference with our communication systems and digital devices that are dependent upon the electromagnetic spectrum (EMS) in which all modern communications, military weaponry, and technologies operate, as well as the Global Positioning System (GPS) satellites. Even the undersea communication cables are vulnerable, if only because their location, entry and exit points are well known.
The U.S. still leads the world in technological innovation. But for how much longer?
The rapid pace at which cyber-related architectures and wireless technologies are evolving must not be allowed to outpace the understanding of policymakers in Washington, or the preparedness of the nation as a whole. There is an urgent need for bipartisan thought leadership, made up of experts, policymakers and scholars who can accurately assess the necessary measures to prevent attacks that—even if not catastrophic—could inflict severe damage on our economy and even endanger our lives.
Critical vulnerabilities
Possible interference with U.S. EMS and cyberspace is fast emerging as a real threat to our national and economic security. Such events, caused by natural elements, adversaries, or simply by mistake, could disrupt a broad range of wireless connections and dependencies.
A survey of the critical vulnerabilities that now exist in cyberspace begins with the interdependency of networks and spectrum. However, the common definition of “cyber” often ignores such interdependency. A comprehensive view must define the cyber domain to include the entire electromagnetic spectrum (EMS) and civil GPS services—not just those involving computer networks. Every device containing a microcircuit or chip—from massive computer servers and glass-cockpit airliners to cars and “smart” refrigerators and handheld receivers—is vulnerable to cyber attack.
While rapid technological advancements have increased our efficiency, they also have increased our vulnerabilities. Cyberspace and electromagnetic activities are becoming increasingly vulnerable to activities such as access denial, service disruption, interception and monitoring, infiltration, and data compromise. Such interference could directly and indirectly affect all critical infrastructure, government and military operations and information-related activities.
Cyber systems can be hacked, even if “offline” or in the “cloud” (which is merely another server). One dramatic example of this was the Stuxnet malware that infected hardened Iranian computer networks, disrupting and slowing the regime’s nuclear program. Another was the February 2013 hacking of the supposedly impenetrable Federal Reserve Emergency Communications System.2 These instances illustrate dangerous vulnerabilities to existing systems; an attack on the electrical grid, for example, could cause cascading failures throughout the country.
In addition to technical difficulties, we are also vulnerable to the dangers posed by rogue “insiders,” dormant malware, and the simple neglect of the government, as well as the private and public sectors, to adequately foot the bill for protecting physical infrastructure in remote facilities.
Last year, we witnessed a physical attack by unknown but clearly highly skilled snipers on an electric-power substation near San Jose, California—an incident which “knocked out 17 giant transformers that funnel power to Silicon Valley.”3 The attack was made public months after it occurred, and only after details were leaked to the media. Unprotected cell towers are similarly vulnerable to physical interference.
Interference with the U.S. Global Positioning System (GPS) could paralyze or distort navigation and timing signals, and do so in ways that would endanger the lives of many Americans and devastate the country’s economy. Satellites in the GPS constellation are vulnerable to attack. China, for example, has already demonstrated its capability to wage “space war” through its 2007 shoot-down of one of its own defunct weather spacecraft with a ground-launched missile.4 If GPS satellites or the constellation’s ground control stations were disabled, military operations, financial transactions, air and ground transportation, cellular communications and numerous other areas of the economy would be disrupted or would grind to a halt altogether.
Financial markets likewise remain vulnerable to attacks and manipulation. Interference with GPS signals would affect the timing and reconciliation of trades, and monitoring systems, where they exist, are without sufficient automation or isolation to withstand future concerted attacks. The financial industry is also vulnerable to other cyber interference, such as malware, manipulation, denial of service attacks and traditional theft of money and identities.
Then there is the Internet of Things (IoT). The latent vulnerabilities inherent in cyberspace are being exacerbated by the inexorable rise of the IoT, which has dramatically expanded the scope and nature of the cyber domain. Medical devices are particularly vulnerable; pacemakers, for example, are routinely implanted with wireless capability for diagnostic purposes. In his memoir, former Vice President Dick Cheney revealed that awareness of this kind of vulnerability was behind the decision to deny remote access to his pacemaker. But despite awareness of these vulnerabilities and the spike in attacks on U.S. cyberspace, we remain vulnerable.
Both the government and the general public have responded with wargames such as the one recently conducted by the Truman National Security Project in Washington, DC. But these exercises tend to be reactive in nature; the focus of the Truman wargame was on “whether the United States was capable of passing legislation to fix the nation’s cyber vulnerabilities in the aftermath of a national crisis,” rather than on how to protect the country’s critical infrastructure.5 It seems that until a major catastrophic event occurs, policymakers, the government and the public will continue to regard threats to our cyberspace and electromagnetic spectrum as force majeure: threats that fall below the threshold of political and financial liability.
Squaring the circle
Defending our cyberspace is a national priority. Since the threats to it are synergistic, solutions should be developed accordingly, in concert with myriad sectors of the economy.
Greater cybersecurity can only be achieved when the government and the private sector work together to mitigate risks by designing more resilient architectures and more secure end-user systems that are less susceptible to interference. Decentralization should replace centralized services, making them less susceptible to a cascading effect.
Nevertheless, the primary responsibility for cyber defense must ultimately reside with the federal and state governments. The Department of Homeland Security (DHS) should define minimum standards and security procedures, and the Federal Bureau of Investigation (FBI) should lead federal, state, and local law enforcement in identifying culprits and their methods. Private industry, however, could take the lead on developing new tools to better defend against such threats and deter potential aggressors.
To achieve the last goal we urgently need to aggregate all data from instances of interference throughout the country. The data should be analyzed to identify patterns and the findings should be shared among participating entities. This is a prerequisite for the development of appropriate defenses and countermeasures. Without doing so, it will be impossible to determine in real time whether terrorist organizations, nation-states, and criminals are developing, testing, and intending to deploy these capabilities against us.
Redundancy of critical systems would also prevent catastrophic breakdown in case the national electric grid is attacked or otherwise interfered with. Similarly, high energy density, long-life batteries and other advanced means of electrical power generation and storage would greatly reduce the potential of a nationwide blackout that could last months and even years. Well-planned technological redundancy should be backed by good preparation and training. Moreover, since our GPS system is vulnerable to space- or ground-based attack, there is a pressing need for alternative sources of timing and positioning information. (LORAN, a legacy navigation system used for decades by ships and aircraft, has been abandoned in recent years. If it had not been shut down, LORAN might be capable of serving as a reliable backup today.)
Directly approaching the states should facilitate rapid improvement of cybersecurity awareness. Along these lines, Maine and Oklahoma have recently taken action to protect their electrical grid, and active discussions are underway in both North and South Carolina to do the same.
Private industry, for its part, plays a significant role in the day-to-day network-based operations and functions of the economy (e.g., communications, energy, medical services, accounting and finance services, equipment maintenance, and logistics functions such as shipping companies, transportation grid providers, and suppliers as a part of the global transportation system). The insurance industry in particular can and should play a major role in advancing solutions. The better the cyberspace security measures, the lower the premium.
At the core of all of these realities is a need for greater clarity. Well-defined standards governing cyberdefense practices, whether mandated or voluntary, would greatly simplify today’s confusing muddle and spur greater action in the defense of the U.S. national security, economy and the well-being of its people.
The way ahead
Incidents of purposeful interference are not force majeure—events that are unforeseeable, unpreventable, and unmanageable. Meaningful improvements in our security, reliability, and resilience require that our government officials, elected representatives, and top business executives come together to develop a clear strategy to identify and tackle current and emerging problems.
Significant progress cannot be attained without considerable thought leadership, and without the anticipation that “unknown unknowns” can and will happen. Policymakers need to actively look for ways to adapt, recover, restore, and move on. The ability to bend rather than break under attack assumes that critical governmental and business functions will be able to rebound, and more desirably withstand such man-made or even natural disasters.
Without a change of attitude, we may win on the tactical level, but not on the strategic one. Our goal should be to drive a major change in attitude from reactive to proactive, so that new policies, architectures, and technologies are developed to enhance our resiliency and protection through coordination between the government and private sector partners. All too often, we leap vigorously—and at great expense—into tackling that which we can do successfully in the moment, with an unrealistic hope that temporary tactical successes will somehow lead to strategic victory.
To successfully defend our cyberspace, we must not take comfort in temporary tactical gains. Instead, we must better anticipate and restrict the future moves of our adversaries over the long term.
NOTES
1. Federal Register 78, no. 33, February 19, 2013, http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
2. Jason Ryan, “Anonymous Hits Federal Reserve in Hack Attack,” ABC News, February 6, 2013, http://abcnews.go.com/blogs/politics/2013/02/anonymous-hits-federal-reserve-in-hack-attack/
3. Rebecca Smith, “Assault on California Power Station Raises Alarm on Potential for Terrorism,” Wall Street Journal, April 18, 2014, http://online.wsj.com/news/articles/SB10001424052702304851104579359141941621778
4. Michael Richardson, “China Plays its Outer Space Ace,” Canberra Times, January 21, 2013, http://www.canberratimes.com.au/federal-politics/china-plays-its-outer-space-ace-20130120-2d10l.html
5. “It May Take a Crisis to Pass a Comprehensive Cybersecurity Bill,” Homeland Security Newswire, May 7, 2014, http://www.homelandsecuritynewswire.com/srcybersecurity20140507-it-may-take-a-crisis-to-pass-a-comprehensive-cybersecurity-bill
* This article was originally published in The Journal of International Security Affairs 56.
** Rachel Ehrenfeld is President of the American Center for Democracy. This article is adapted from the findings of a February 2014 ACD cybersecurity roundtable hosted by the George Washington University’s Homeland Security Policy Institute. A full conference summary is available here