“As you become more efficient, you become more vulnerable.” — H. T. Hawkins
The Impact of Purposeful Interference on U.S. Cyber Interests
By Rachel Ehrenfeld, Ph.D.
Co-Sponsored and Hosted by the Homeland Security Policy Institute, George Washington University, Washington, D.C.
Wednesday, February 19, 2014
About the Conference:
“Thank you for inviting me to participate in one of the most interesting discussions ever.” — Houston T. Hawkins, Senior Fellow, Principal Associate Directorate for Global Security, Los Alamos National Laboratory
“There’s been obviously a recent deepened concern with cybersecurity. But this is something the ACD has been thinking about for a long time. It has been ahead of its time and done a terrific job identifying emerging threats and issues which we need to be thinking about sooner, rather than later, so we have a better chance of finding solutions.” — Richard Perle, former Assistant Secretary of Defense for International Security Policy, and member of the ACD Board of Directors.
“The conference was both eye-opening and sobering. The presentations were most riveting.” — Jeremy Rabkin, Professor of Law, George Mason University
“In addition to underscoring the serious impacts of intentional interference with America’s critical Earth- and space-based cyber infrastructure, conference participants identified pragmatic, innovative solutions. The American Center for Democracy handed policymakers valuable, out-of-the-box approaches for protecting the nation’s citizens from paralyzing attacks.” — William B. Scott, author of bestsellers “Space Wars,” “Counterspace,” and “The Permit”; former bureau chief, Aviation Week & Space Technology; and current ACD Fellow
“I found tremendous benefit from the opinions of so many experts from so many different fields. The conference’s ability to bring together such a diverse and talented group made the discussions more interesting and enlightening. It was like attending several conferences in one day!” — Maj. Gen. Robert Newman (USAF, Ret.)
“This is a timely and important discussion in the evolution of the cyber-physical domain.” — Robert Crane, Senior Homeland Security Advisor, National Coordination Office for the U.S. Space-Based Positioning, Navigation and Timing Policy
Purpose and Scope
On February 19, 2014, the American Center for Democracy assembled a group of cyber and space, communication, defense and policy experts to discuss the United States’ vulnerabilities to purposeful interference with cyber systems and technologies essential to the functioning of our economy and society. The roundtable discussion, held at George Washington University, and hosted by Homeland Security Policy Institute director, Frank Cilluffo, was conducted under Chatham House Rules. Consequently, attributions herein are limited to those contributors who gave their permission to be named.
The focus of the meeting was not only to discuss the problems and the impact of purposeful interference in cyber and the U.S. Global Positioning System (GPS), but mostly to encourage the public and private sector partnership that together will look for new solutions to bridge the significant gaps in cybersecurity with cost-effective opportunities to enhance the security and integrity of our critical infrastructure. This includes the electric grid, communications, and financial systems.
The growing dependency on wireless services and the resulting escalation of cyberattacks have resulted in innumerable ideas about how best to enhance cybersecurity and protect against purposeful interference.
President Obama’s Executive Order 13636 is intended to “Improve Critical Infrastructure Cybersecurity,” and establish “a voluntary set of security standards for critical infrastructure industries…. The Order directs the Executive Branch to increase the volume, timeliness and quality of cyber threat information sharing, which should result in further developing a public-private partnership.”
To date, different data breach notification laws have been adopted by 46 states, creating a jigsaw puzzle with different notification triggers, timing and notice content requirements. While the government calls for passing a national law to standardize data breach notifications, the private sector is reluctant. This is not surprising considering the ease with which the security of the supposedly best-protected government agencies was breached. A lone bad actor was able to steal millions of documents detailing the country’s most critical national security and business secrets.
On top of this comes a report confirming that Iran successfully penetrated the Navy Marine Corps Intranet, which presumably has the best cybersecurity systems, raising grave concerns regarding the vulnerability of our civilian infrastructure to similar attacks and questions about the government’s ability to protect them. For many years now, many vulnerabilities have been discussed in congressional hearings. But hearings are usually held after something happens or are about the next budget cycle. Thus, the government’s ability to coordinate a response to a significant interference event remains unclear.
We are well aware of the vulnerability of the electric grid and communication systems. Yet, instead of considering systems organization and putting in place individual systems, we continue to think about a central system. We experience everyday interference with our communication systems and devices dependent upon GPS. A survey of the web reveals a large number of radio frequency jamming devices are advertised and sold in the U.S., despite the 1934 Communications Act that strictly forbids the manufacturing, marketing and importation of jamming devices into the U.S. Apparently, the Federal Communications Commission’s enforcement efforts are not enough to curtail this problem.
We have to combine our knowledge to figure out what needs to be done to prevent attacks that even if not catastrophic could damage our economy and endanger our lives. The U.S. still leads the world in technological innovation. But for how long?
Meaningful improvements in our security, reliability, and resilience require that our government officials, elected representatives, and senior business executives come together with greater clarity and strategic vision to identify and tackle current and emerging problems. We cannot afford to consider purposeful attacks as force majeure, which are unforeseeable, unpreventable, and unmanageable. We also cannot expect meaningful progress without considerable thought leadership, bringing together multidisciplinary approaches and solutions to issues that transcend any one industry, span the globe, and increasingly impact our economic and national security.
Houston T. Hawkins, Senior Fellow, Principal Associate Directorate for Global Security, Los Alamos National Laboratory, observed that without a change of attitude we may win on the tactical level, but not on the strategic level. “An example is the Tet Offensive, which the US won by all conventional military criteria. But the Viet Cong won on the strategic level, by convincing us that we lost, that victory was impossible, and that we needed to get out of Vietnam.”
Our goal is to drive a major change in attitude from reactive to proactive, so that new policies, architectures, and technologies are developed to enhance our resiliency and protection, through coordination between the government and private sector partners. To succeed, we must, as in chess, take little comfort in temporary tactical gains. Instead, we must better anticipate and restrict the future moves of our adversaries over the long term. Too often we leap vigorously — and at great expense — into tackling that which we can do successfully in the moment, with an unrealistic hope that temporary tactical successes will somehow lead to strategic success.
Please keep these concerns and considerations in mind as you join our dialog, and hopefully become part of the thought leadership on how best to counter purposeful interference against our strategic infrastructure.
General Observations and Insights
The roundtable discussion was extraordinarily rich, addressing complicated, intricate issues, such as:
· The rapid pace at which cyber-related architectures and wireless technologies are evolving must not be allowed to present an insurmountable barrier to policymakers’ understanding and therefore affect the nation’s preparedness. Significant gains can be accomplished by breaking down complex problems into coordinated actions that reduce vulnerabilities, threats, and/or consequences.
· Purposeful interference is an emerging homeland security, national security, and economic security problem, having the ability to disrupt a broad range of wireless connections and dependencies that include the delivery of critical infrastructure services, first responder communications, air travel, and the timing signals needed to synchronize most of our nation’s computing systems and telecommunications networks.
· While the Federal Communications Commission oversees protecting the radio spectrum and minimizing intentional or unintentional sources of interference, there is no public/private partnership to coordinate purposeful interference prevention, detection, and response efforts. Immediate security gains could be made by establishing a central repository for tracking and analyzing interference events and trends. Providing law enforcement with enhanced tools to geo-locate an interference event and identify the perpetrator in real time would help to determine the nature of the attack.
· Cybersecurity needs to be thought of holistically, to include interference events that can impact the confidentiality, integrity, and availability of networks. The problems of each sector affected by cyber intrusion should be considered as it relates to others, not as discrete vulnerabilities that need to be fixed (or even can be fixed) in isolation.
· Cyber expertise remains confined to individual parts of cyber-concerned communities. This is understandable, because the requirements and duties assigned by employers to cyber professionals tend to focus on discrete, tactical, company-specific problems rather than strategic, long-term national goals.
· Cyber-smart individuals not involved in corporate or government service typically have few knowledgeable colleagues with whom to share interests and concerns.
· Despite government and private sector attempts to bring cyber experts together, they usually focus on an individual sector and not on the problems that affect others, and they do not lead to pragmatic action plans that can be executed.
· The rapid progression of the Internet of Things, and the use of wireless connections to access vital data, increases the vulnerability of all American citizens to cyber-related threats. Citizens’ lives are threatened, both physically and economically, in ways that were unthinkable a few years ago. While the federal government should lead the efforts to increase the nation’s security, it appears indifferent and undependable. Citizens should demand that governors and state legislatures, infrastructure custodians, and local public interest groups take responsibility for their constituents’ and customers’ wellbeing. This makes prudent political and business sense.
Network and Spectrum Interdependence:
· The definitions and policies governing “Cyber” must include the electromagnetic spectrum (EMS) and civil GPS services, not only those involving computer networks. Every device containing a microcircuit or chip—from massive computer servers and glass-cockpit airliners to cars and “smart” refrigerators and handheld receivers—is vulnerable to cyber attack. This distinction is not widely known and appreciated. A simple example of GPS vulnerability is a sea vessel that was successfully brought off course by a GPS spoofing device in 2013.
· With efficiencies come vulnerabilities. Cyberspace and electromagnetic activities are becoming increasingly vulnerable to disruption activities (access denial, service interruption and disruptions, communications intercept and monitoring, infiltration, and data compromise) by adversaries as well as natural events. Capabilities and intent exist, e.g. jamming and spoofing, to disrupt networks and to directly affect all critical infrastructure and government operations and information-related activities.
· Cyber systems are interdependent and can be hacked, even if “offline” or in the “cloud.” The most dramatic example of this was the success of Stuxnet in allegedly bridging the “air gap” to infect hardened Iranian computer networks, disrupting/slowing their nuclear program. An obvious example would be a cyber attack that takes down the electrical grid via cascading failures. But the attack could be also physical. A case in point is last year’s attack by unknown but clearly highly skilled agents on an electric-power substation near San Jose, California, which nearly shut off power in Silicon Valley. The attack was not initially reported to the public but was disclosed months after the fact. Cell towers are similarly vulnerable to physical interference.
· Substantial segments of the U.S. economy would be severely harmed by interference with the U.S. Global Positioning System (GPS) for vital navigation and timing information. Satellites in the GPS constellation are vulnerable to attack, and China, in particular, has already demonstrated (2007) its capability to wage “space war” by shooting down one of its own defunct weather spacecraft with a ground-launched missile. If GPS satellites or the constellation’s ground control stations were disabled, military operations, financial transactions, cell phone communications, and hundreds of other areas of the economy would be disrupted or halted entirely. In particular, this would affect computer networks, cell phones, and other devices dependent upon the GPS timing signal. This timing signal distributed by GPS is absolutely essential for modern communications, secure financial transactions, transportation and position/location determination.
· U.S. financial markets, where transactions occur in milliseconds, remain vulnerable to cyber attack and cyber manipulation, as well as interference with GPS, which affects the timing and reconciliation of trades. However, the monitoring systems, where they exist, are without sufficient automation or isolation to withstand future concerted attacks. The financial industry, in addition, is also vulnerable to other cyber interference, such as denial of service attacks and traditional theft of money and identities.
The Internet of Things (IoT):
· “Technical” vulnerabilities are exacerbated by the inexorable rise of the IoT, particularly power and computer networks’ centralized switching nodes. An alarming vulnerability is that of medical devices. Pacemakers, for example, are routinely implanted with wireless capability for diagnostic purposes. In fact, Dick Cheney’s pacemaker was installed without remote access ability for this reason.
· Another example is that of first responders after an attack or disaster – regardless of progress made since 9/11 on interoperability, this would be worthless if communications are deliberately interfered with, which would cause chaos.
Inadequate Government Responses:
· Despite awareness of devastating cyber strikes, and efforts to defend against them, the pace and number of such attacks are growing. Because none has caused a truly crippling catastrophe, policymakers and average citizens mistakenly assume such threats fall below the threshold of political and financial liability. For example, the U.S. government has yet to aggregate information about the quantity and level of damage caused by the continuing wave of successful computer intrusions against civilian and military government systems, which persist despite a scheme that includes mandatory National Institute of Standards and Technology standards.
Private Sector Failings and the Need for Cooperation with Government:
· Non-technical issues also cause vulnerabilities, such as rogue “insiders,” dormant malware, and reluctance by both the private and public sectors to aggressively defend the physical infrastructure of remote and oftentimes unmanned facilities.
· The private sector remains largely unprotected from cyber attack. In addition there are deliberate, bottom-line-driven decisions by company executives to accept risks, despite obvious, increasing threats. Many corporate leaders have begun to question the return on investment of taking never-ending defense measures that appear to be easily countered by persistent adversaries. Meanwhile, the government has been unable to deter threat actors in cyberspace and as a result is failing in its primary role to protect (rather than simply warn) its citizenry.
· Currently, there is little correlation between government regulations that address cyber protection and insurance industry risk criteria, nor is such an interface being explored. There is still no congressionally- or executive branch-mandated cooperation between government and the private sector.
· Government agencies, in general, are inexcusably far behind the cyber-vulnerability curve, despite isolated, commendable efforts by some agencies.
· Regardless of the theoretical ability to harden our networks perfectly (many believe it is not possible), protecting everything would cost in the hundreds of billions of dollars and even if attainable would not be feasible. This means that public and private groups will need to determine an acceptable level of risk in light of the costs and benefits of preventive measures. There also is an increasing call for shifting our strategic focus away from hardening targets and, as we do in the physical world, applying greater emphasis on deterring and punishing threat actors. These decisions need to be made soon, given the time (five years or more) necessary for designing and deploying fundamental cyber infrastructure to accomplish our strategic goals.
A Few Proposed Remedies:
· Cyber defense should be addressed as a national problem, with coordinated strategies, rather than being tackled by separate sectors. The problems are synergistic, and solutions must be developed in concert with myriad sectors of the economy. Nevertheless, the primary responsibility for cyber defense must ultimately reside with the federal and state governments.
Steven Chabinsky, former cyber advisor to the DNI and FBI Deputy Assistant Director, suggested the following:
1) DHS should define the measurements for, be the central repository for, and analyze information associated with interference events. This will help determine trends, etc.;
2) Locating the source of events: the FBI should lead the federal, state, and local law enforcement communities in identifying the technologies, methods, and reports relating to identifying the source, motivation, and resolution of interference events;
3) Recovering from events — either by detection/attribution (as mentioned in 1 & 2), or through greater Research & Development efforts focused on resilience of all of the various services that are critically vulnerable to interference events;
4) Identifying the increasing vulnerabilities of our critical infrastructure and IoT reliance upon cyber, and potential harm relating to, interference—including, but not limited to sophisticated GPS interference and unsophisticated terrestrial jamming of infrastructure processes, emergency communications, and transportation;
5) Fundamentally, we need to ensure that our cybersecurity strategies, technologies, market incentives, and international dialogue focus greater attention on the challenges of more quickly detecting and mitigating harm, while in parallel locating and penalizing bad actors.
· There is an urgent need to aggregate all interference data from entities using cyber technologies in one place, analyze the data, identify patterns and then disseminate the results to the participating entities. This will allow the participating agencies to develop appropriate defenses and countermeasures. The absence of a dedicated data center that identifies the risk and analyzes the data facilitates successful interference with the nation’s strategic and civil infrastructure, and has made it all but impossible to determine whether terrorist organizations, nation states, and criminals are developing, testing, and intending to deploy these capabilities against us.
· Regarding technical “fixes”: collecting cyber attack data in one location does not suggest that the monitoring of cyber attacks throughout America’s digital infrastructure should be centralized. Nor should there necessarily be uniform cyber defense protocols for all government and private sector systems.
Redundancy and Resilience:
· We should be able to bend without breaking. There is a lack of basic redundancy in critical systems as a straightforward means of preventing catastrophic cyber attacks from causing complete breakdowns. For example, the national electric grid would be far more robust if “islands” of power generation were created. Developing and fielding small nuclear reactors at the community level was mentioned as one possible solution, capitalizing on technology developed by the U.S. Army decades ago. Similarly, high energy density, long-life batteries and other advanced means of electrical power generation and storage would greatly reduce the potential of nationwide blackouts.
· Because the PNT and GPS systems are vulnerable to space or ground-based attack, there is a pressing need to assure their resiliency and perhaps to develop backup sources of timing and positioning information. LORAN, a navigation system used for decades by ships and aircraft, has been abandoned in the U.S. Currently, there are experiments with eLoran, used mostly in the U.K. for maritime navigation purposes, and a major communications company is testing the feasibility of sending timing signals generated by national atomic clocks to cell phone networks via fiber-optic cable.
· PNT and GPS are vital to the world as a whole and are not confined to the borders of the US. Therefore, we need to address these vulnerabilities and the possible loss of the systems, especially since an attack could in fact result from an offensive cyber or physical attack.
Application of resilience principles could be achieved by:
1) Engaging CEOs in the private sector. CEOs usually do not seek or receive advance notices of looming risks and crises that could affect their supply chains, interconnected links and interdependencies from end to end.
2) Anticipating that “unknown, unknowns” will happen. Adapt, recover, restore, and move on. The ability to bend in the winds of a disruption or disaster, rather than break, should assume that mission-essential functions of government and core business functions are liable to fail.
3) Pursuing uninterrupted availability of critical government and business functions and services, e.g. U.S. provisioning and distribution of timing and navigation services for critical infrastructure. Build resiliency, defined by robustness, reliability and flexibility, into user functions, systems architecture, and end-user equipment design.
· There is a need to reassess the capabilities of our current civil defense system. Well-planned technological redundancy, backed by good preparation and training, would ensure national resilience, defined as an ability to ride out major disruptions and then quickly restore communications, supply lines, electrical power and computer systems to a basic level of functionality.
· Directly approaching the states should facilitate rapid improvement of cyber-security awareness. Recently, Maine and Oklahoma have taken action to protect their electrical grids, and active discussions are underway in North and South Carolina.
George Mason University Law Professor Jeremy Rabkin offered the following observations:
1) The most original and promising proposals voiced at the event were to mobilize state governments and state National Guard units to prepare responses.
2) We should try to interest Pentagon planners in getting the National Guard involved in preparing for massive power outages—prepositioning vital supplies, including water and gasoline and oil, or gas-powered electric generators for emergency use.
Public and Private Sector:
· Private industry plays a significant role in the day-to-day network-based operations and functions of the economy, e.g. communications, energy, medical services, accounting and finance services, equipment maintenance, and logistics functions (shipping companies, transportation grid providers, and suppliers as a part of the global transportation system). Therefore, the private sector also plays a significant role in addressing known vulnerabilities with the security and the reliability of networks and equipment.
· Government and the private sector can work together to mitigate risk and perhaps design more resilient architectures and end-user equipment less susceptible to interference. Where it makes sense, disaggregated (non-interdependent) architectures of small independent systems could be pursued and could be less susceptible to cascading effect.
· A potential next step is for the private sector to develop a risk-mitigation and an “Options for Consideration” document of best practices and techniques.
· Conversations among businesses and technology-insurance firms are in their infancy, and DHS and the Commerce Department have done commendable work in starting a dialogue on cybersecurity. Business and insurance leaders should be required to be better informed of both vulnerabilities and the availability of advanced solutions to weigh the costs of cyber defense against those of insurance premiums. Insurers must establish premium costs by assessing the level of cyber defense a client has implemented, and the potential impacts of various types of intrusions. While conducting these assessments and risk determinations is a complex process, companies must show compliance with a certain set of rules in order to receive cyber insurance. (See Appendix B for further remarks)
· Well-defined standards governing cyber-defense methodologies, whether mandated or voluntary, would greatly simplify today’s confusing muddle.
Richard Perle, Former Assistant Secretary of Defense, and member of the ACD Board of Directors, observed:
1) The way in which government officials describe the problem, far from increasing public apprehension, leads to a cavalier attitude. Why? Because they describe seemingly endless cyber attacks but no one is aware of any damage so the attacks are dismissed as meaningless.
2) We have to better understand the uses of force in cyberspace. What actions are being taken against US government entities and industry, and what are the rules of engagement for US government and industry to respond either in kind or through other punitive measures (including, for example, via trade sanctions, civil penalties, etc.)?
3) We need a serious report on the estimated cost of several hypothetical attacks. It is hard to get a feel for attacks that fall short of Armageddon. Given that hackers have imposed costs in the billions (look at the cost to Target of having been hacked and identities stolen), shouldn’t we look at the costs of disrupting, say, a single power plant or a refinery or an inland waterway lock, etc.?
There is an urgent need to educate public and private sector policy-makers. Richard Perle noted:
1) There is insufficient expertise in Congress to enable meaningful dialogue among representatives and their staffs and competent, outside technical experts. Consequently, elected representatives and their support personnel do not understand the full range of options for resolving critical cyber issues.
2) Technical experts would like to know there’s someone you could go to, who would understand. And how often have we seen policy makers outside of the legislative branch — or even the executive branch — frustrated by the inability of elected officials to understand the problems? This highlights the need to have some people who are sufficiently trained. A subcommittee on cyber and related issues should be established in both houses of Congress, supported by cyber-knowledgeable people.
· Bill Scott, ACD Fellow and former Aviation Week bureau chief, discussed measures for increasing public awareness of cyber vulnerabilities and how catastrophic, cascading attacks would affect citizens’ lives. He noted that employing entertainment—fictional books, television and film—is a powerful tool to shape our perception and raise our awareness, and could be leveraged to educate citizens and public officials about current and future cyber-related vulnerabilities.
3) To use futuristic scenario-based gaming exercises to encourage the development and implementation of new solutions to resist purposeful interference and protect the integrity of our civilian infrastructure.
List of Participants
• Frank Cilluffo, Director, Homeland Security Policy Institute, GWU.
• Richard Perle, Former Assistant Secretary of Defense, member of ACD Board of Directors.
• Dr. Rachel Ehrenfeld, Director of the ACD.
• Steven Chabinsky, Former cyber advisor to the DNI and FBI Deputy Assistant Director.
• Houston (Terry) Hawkins, Senior Fellow, Principal Associate Directorate for Global Security, Los Alamos National Laboratory.
• William B. Scott, Author of bestsellers “Space Wars,” “Counterspace,” “The Permit”; Former bureau chief, Aviation Week; and ACD Fellow.
• Robert Crane, Senior Advisor DHS, National Coordination Office for the U.S. Space-Based Positioning, Navigation and Timing Policy.
• Maj. Gen. Robert Wheeler, DoD Dep CIO (Command, Control, Communications and Computers (C4)) and Information Infrastructure Capabilities (DCIO for C4IIC).
• David Simpson, Chief, Public Safety Homeland Security Bureau, FCC.
• David A. Wollman, Deputy Director, Smart Grid and Cyber-Physical Systems Program Office, Engineering Laboratory, National Institute of Standards and Technology.
• Thomas Sporkin, Former SEC Chief of the Office of Market Intelligence, currently with BuckleySandler LLP.
• Dr. Roger Breeze, Former Associate Administrator for Special Research Programs at the U.S. Department of Agriculture’s Agricultural Research Service, on biological warfare.
• Dr. Peter Pry, Executive Director of the Task Force on National and Homeland Security, a Congressional Advisory Board.
• Amb. Henry F. Cooper, Chairman of High Frontier.
• Prof. Jeremy Rabkin, George Mason University School of Law.
• Jon Baselice, Legislative Assistant, office of Sen. Marco Rubio.
• Maj. Gen. Robert Newman (USAF, Ret.), Senior Vice President and Director of Strategic Partnerships, Sera Brynn Cyber Security Specialists. Former Adjutant General of Virginia, Deputy Assistant Homeland Security Advisor to Virginia Governor Mark Warner, and Vice Director for Operations, Plans, Logistics and Engineering (J3/4V) at United States Joint Forces Command.
• Mary Fisk-Bieker, OneBeacon Technology Insurance.
• Joe Budzyn, OneBeacon Technology Insurance.
• Dan Mahaffee, Director of Policy and Board Relations, Center for the Study of the Presidency and Congress (CSPC).
• Jonathan Murphy, Director of External Affairs, The Center for the Study of the Presidency and Congress.
• Ilan Weinglass, Executive Director of ACD.
• Dr. Kenneth D.M. Jensen, Associate Director of ACD.
• Brett Heimov, Government Relations Liaison at ACD, Partner at Winning Strategies.
Appendix A: Name withheld by request
I found the meeting to be extremely informative and quite eye-opening. I left the meeting knowing a lot more about the issue than when I came in that day.
Given how dependent our society has become on technological advances, I think the best and most productive way to move forward at this time is the education process for people in important positions in the government, in particular in Congress, the White House, and the legislative and executive branches at the state level. There are so many ways that cybersecurity issues directly affect other issue areas, like energy, trade, agriculture, among others, that the more members of Congress (and their staff) know not just the underlying issues with regard to cybersecurity, but the consequences of not addressing these security risks effectively.
There should be more cooperation between the government and the private sector in order to effectively address these issues. To that end, I think the optimal way to move forward would be if both Congress and the Executive Branch could join together and reach out to the interested stakeholders to ensure that the proper balance is struck between our security and other interests at play.
Appendix B: Mary Fisk-Bieker, CIC, SVP Chief Underwriting Officer, OneBeacon Technology Insurance
The meeting was very informative and worthwhile.
Clearly we need to think more holistically about attack scenarios. We tend to build threat scenarios around one vulnerability, then are surprised when an attack exploits several vulnerabilities. Actual attackers are going to blend threats together, not try one attack, then another. A strategic risk management approach is needed. While we have identified the 16 critical infrastructure industry groups, the approach should also consider:
• Developing vulnerability case scenarios for each group
• Define what “major impacts” would be in terms of severity and frequency (i.e. would society collapse if we lost power for two weeks? GPS obviously was discussed quite a bit as a single point of failure which may have a much more significant impact should it be disrupted.)
• Prioritize the major impacts from cyber-related events
• Repeat above: utilizing multiple threat scenarios/multiple critical infrastructure companies/multiple vulnerabilities–aka: thinking like the bad guys.
• Determine “fixes” to vulnerabilities with sensitivity given to a phased approach to private industry to include low cost but big impact solutions. One such example given in the session was electric transformers, which are vulnerable to damage by falling trees, and EMP blasts. Putting them in a steel shelter that doubles as a Faraday cage makes the system much more resilient as it addresses several vulnerabilities at minimal increase in cost.
• Insurance potentially can play a role as industry adopts the basic and essential risk management approach to the risks.
Surviving Cyberia: Exploring Solutions to Cyber-Threats
The “Surviving Cyberia: Exploring Solutions to Cyber-Threats” presentation was given at the meeting by Houston T. Hawkins, Senior Fellow, Los Alamos National Laboratory.