“There’s been obviously a recent deepened concern with cybersecurity. But this is something the ACD has been thinking about for a long time. It has been ahead of its time and done a terrific job identifying emerging threats and issues which we need to be thinking about sooner, rather than later, so we have a better chance of finding solutions.” – Richard Perle, former Assistant Secretary of Defense for International Security Policy, and member of the ACD Board of Directors.
“Thank you for inviting me to participate in one of the most interesting discussions ever.”—Houston T. Hawkins, Senior Fellow, Principal Associate Directorate for Global Security, Los Alamos National Laboratory
PURPOSE AND SCOPE
On February 19, 2014, the American Center for Democracy assembled a group of cyber and space, communication, defense and policy experts to discuss the United States’ vulnerabilities to purposeful interference with cyber systems and technologies essential to the functioning of our economy and society. The roundtable discussion, held at George Washington University, and hosted by Homeland Security Policy Institute director, Frank Cilluffo, was conducted under Chatham House Rules. Consequently, attributions herein are limited to those contributors who gave their permission to be named.
The focus of the meeting was not only to discuss the problems and the impact of purposeful interference in cyber and the U.S. Global Positioning System (GPS), but mostly to encourage the public and private sector partnership that together will look for new solutions to bridge the significant gaps in cybersecurity with cost-effective opportunities to enhance security to enhance the integrity of our critical infrastructure. This includes the electric grid, communications and financial systems.
The growing dependency on wireless services and the resulting escalation of cyberattacks has resulted in innumerable ideas about how best to enhance cybersecurity and protect against purposeful interference. Many call for enhanced government-private sector cooperation.
President Obama’s Executive Order 13636, is intended to “Improve Critical Infrastructure Cybersecurity,” and establish “a voluntary set of security standards for critical infrastructure industries….The Order directs the Executive Branch to increase the volume, timeliness and quality of cyber threat information sharing, which should result in further developing a public-private partnership.”
To date, different data breach notification laws have been adopted by 46 states, creating a jigsaw puzzle with different notification triggers, timing and notice content requirements. While the government calls for passing a national law to standardize data breach notifications, the private sector is reluctant. This is not surprising considering the ease with which the security of the supposedly best-protected government agencies was breached. A lone bad actor was able to steal millions of documents detailing the country’s most critical national security and business secrets.
On top of this comes a report confirming that Iran successfully penetrated the Navy Marine Corps Intranet, which presumably has the best cybersecurity systems, raising grave concerns regarding the vulnerability of our civilian infrastructure to similar attacks and questions the government’s ability to protect them. For many years now, many vulnerabilities have been discussed in congressional hearings. But hearings are usually held after something happens, or are about the next budget cycle. Thus, the government’s ability to coordinate response to a significant interference event remains unclear.
We are well aware of the vulnerability of the electric grid and communication systems. Yet, instead of considering systems organization and putting in place individual systems, we continue to think about a central system. We experience everyday interference with our communication systems and devices dependent upon GPS. A survey of the web reveals a large number of radio frequency jamming devices are advertised and sold in the U.S., despite the 1934 Communications Act that strictly forbids the manufacturing, marketing and importation of jamming devices into the U.S. Apparently, the Federal Communications Commission’s enforcement efforts are not enough to curtail this problem.
We have to combine our knowledge to figure out what needs to be done to prevent attacks that even if not catastrophic could damage our economy and endanger our lives. The U.S. still leads the world in technological innovation. But for how long?
Meaningful improvements in our security, reliability, and resilience require that our government officials, elected representatives, and senior business executives come together with greater clarity and strategic vision to identify and tackle current and emerging problems. We cannot afford to consider purposeful attacks as force majeure, which are unforeseeable, unpreventable, and unmanageable. We also cannot expect meaningful progress without considerable thought leadership, bringing together multidisciplinary approaches and solutions to issues that transcend any one industry, span the globe, and increasingly impact our economic and national security.
Houston T. Hawkins, Senior Fellow, Principal Associate Directorate for Global Security, Los Alamos National Laboratory, observed that without a change of attitude we may win on the tactical level, but not on the strategic level. “An example is the Tet Offensive, which the US won by all conventional military criteria. But the Viet Cong won on the strategic level, by convincing us that we lost, that victory was impossible, and that we needed to get out of Vietnam.”
Our goal is to drive a major change in attitude from reactive to proactive, so that new policies, architectures, and technologies are developed to enhance our resiliency and protection, through coordination between the government and private sector partners. To succeed, we must, as in chess, take little comfort in temporary tactical gains. Instead, we must better anticipate and restrict the future moves of our adversaries over the long term. Too often we leap vigorously — and at great expense — into tackling that which we can do successfully in the moment, with an unrealistic hope that temporary tactical successes will somehow lead to strategic success.
Please keep these concerns and considerations in mind as you join our dialogue, and hopefully become part of the thought leadership on how best to counter purposeful interference against our strategic infrastructure.
GENERAL OBSERVATIONS AND INSIGHTS
The roundtable discussion was extraordinarily rich, addressing complicated, intricate issues, such as:
- The rapid pace at which cyber-related architectures and wireless technologies are evolving must not be allowed to present an insurmountable barrier to policymakers’ understanding and therefore affect the nation’s preparedness. Significant gains can be accomplished by breaking down complex problems into coordinated actions that reduce vulnerabilities, threats, and/or consequences.
- Purposeful interference is an emerging homeland security, national security, and economic security problem, having the ability to disrupt a broad range of wireless connections and dependencies that include the delivery of critical infrastructure services, first responder communications, air travel, and the timing signals needed to synchronize most of our nation’s computing systems and telecommunications networks.
- While the Federal Communications Commission oversees protecting the radio spectrum and minimizing intentional or unintentional sources of interference, there is no public/private partnership to coordinate purposeful interference prevention, detection, and response efforts. Immediate security gains could be made by establishing a central repository for tracking and analyzing interference events and trends. Providing law enforcement with enhanced tools to geo-locate an interference event and identify the perpetrator in real time would help to determine the nature of the attack.
- Cybersecurity needs to be thought of holistically, to include interference events that can impact the confidentiality, integrity, and availability of networks. The problems of each sector affected by cyber intrusion should be considered as it relates to others, not as discrete vulnerabilities that need to be fixed (or even can be fixed) in isolation.
- Cyber expertise remains confined to individual parts of cyber-concerned communities. This is understandable, because the requirements and duties assigned by employers to cyber professionals tend to focus on discrete, tactical, company-specific problems rather than strategic, long-term national goals.
- Cyber-smart individuals not involved in corporate or government service typically have few knowledgeable colleagues with whom to share interests and concerns.
- Despite government and private sector attempts to bring cyber experts together, they usually focus on an individual sector and not on the problems that affect others, and they do not lead to pragmatic action plans that can be executed.
- The rapid progression of the Internet of Things, and the use of wireless connections to access vital data, increases the vulnerability of all American citizens to cyber-related threats. Citizens’ lives are threatened, both physically and economically, in ways that were unthinkable a few years ago. While the federal government should lead the efforts to increase the nation’s security, it appears indifferent and undependable. Citizens should demand that governors and state legislatures, infrastructure custodians, and local public interest groups take responsibility for their constituents’ and customers’ wellbeing. This makes prudent political and business sense.
VULNERABILITIES
Network and Spectrum Interdependence:
- The definitions and policies governing “Cyber” must include the electromagnetic spectrum (EMS) and civil GPS services, not only those involving computer networks. Every device containing a microcircuit or chip—from massive computer servers and glass-cockpit airliners to cars and “smart” refrigerators and handheld receivers—is vulnerable to cyber attack. This distinction is not widely known and appreciated. A simple example of GPS vulnerability is a sea vessel that was successfully brought off course by a GPS spoofing device in 2013.
- With efficiencies come vulnerabilities. Cyberspace and electromagnetic activities are becoming increasingly vulnerable to disruption activities (access denial, service interruption and disruptions, communications intercept and monitoring, infiltration, and data compromise) by adversaries as well as natural events. Capabilities and intent exist, e.g. jamming and spoofing, to disrupt networks and to directly affect all critical infrastructure and government operations and information-related activities.
- Cyber systems are interdependent and can be hacked, even if “offline” or in the “cloud.” The most dramatic example of this was the success of Stuxnet in allegedly bridging the “air gap” to infect hardened Iranian computer networks, disrupting/slowing their nuclear program. An obvious example would be a cyber attack that takes down the electrical grid via cascading failures. But the attack could be also physical. A case in point is last year’s attack by unknown but clearly highly skilled agents on an electric-power substation near San Jose, California, which nearly shut off power in Silicon Valley. The attack was not initially reported to the public but was disclosed months after the fact. Cell towers are similarly vulnerable to physical interference.
- Substantial segments of the U.S. economy would be severely harmed by interference with the U.S. Global Positioning System (GPS) for vital navigation and timing information. Satellites in the GPS constellation are vulnerable to attack, and China, in particular, has already demonstrated (2007) its capability to wage “space war” by shooting down one of its own defunct weather spacecraft with a ground-launched missile. If GPS satellites or the constellation’s ground control stations were disabled, military operations, financial transactions, cell phone communications, and hundreds of other areas of the economy would be disrupted or halted entirely. In particular, this would affect computer networks, cell phones, and other devices dependent upon the GPS timing signal. This timing signal distributed by GPS is absolutely essential for modern communications, secure financial transactions, transportation and position/location determination.
Financial Markets:
- U.S. financial markets, where transactions occur in milliseconds, remain vulnerable to cyber attack and cyber manipulation, as well as interference with GPS, which affects the timing and reconciliation of trades. However, the monitoring systems, where they exist, are without sufficient automation or isolation to withstand future concerted attacks. The financial industry, in addition, is also vulnerable to other cyber interference, such as denial of service attacks and traditional theft of money and identities.
The Internet of Things (IoT):
- “Technical” vulnerabilities are exacerbated by the inexorable rise of the IoT, particularly power and computer networks’ centralized switching nodes. An alarming vulnerability is that of medical devices. Pacemakers, for example, are routinely implanted with wireless capability for diagnostic purposes. In fact, Dick Cheney’s pacemaker was installed without remote access ability for this reason.
- Another example is that of first responders after an attack or disaster – regardless of progress made since 9/11 on interoperability, this would be worthless if communications are deliberately interfered with, which would cause chaos.
Inadequate Government Responses:
- Despite being aware of — and trying to defend against — devastating cyber strikes, the pace and number of such attacks is growing. Because none has caused a truly crippling catastrophe, policymakers and average citizens mistakenly assume such threats fall below the threshold of political and financial liability. For example, the U.S. government has yet to aggregate information about the quantity and level of damage caused by the continuing wave of successful computer intrusions against civilian and military government systems, which persist despite a scheme that includes mandatory National Institute of Standards and Technology standards.
Private Sector Failings and the Need for Cooperation with Government:
- Non-technical issues also cause vulnerabilities, such as rouge “insiders,” dormant malware, and reluctance by both the private and public sectors to aggressively defend the physical infrastructure of remote and oftentimes unmanned facilities.
- The private sector remains largely unprotected from cyber attack. In addition there are deliberate, bottom-line-driven decisions by company executives to accept risks, despite obvious, increasing threats. Many corporate leaders have begun to question the return on investment of taking never-ending defense measures that appear to be easily countered by persistent adversaries. Meanwhile, the government has been unable to deter threat actors in cyberspace and as a result is failing in its primary role to protect (rather than simply warn) its citizenry.
- Currently, there is little correlation between government regulations that address cyber protection and insurance industry risk criteria, nor is such an interface being explored. There is still no congressionally- or executive branch-mandated cooperation between government and the private sector.
- Government agencies, in general, are inexcusably far behind the cyber-vulnerability curve, despite isolated, commendable efforts by some agencies.
- Regardless of the theoretical ability to harden our networks perfectly (many believe it is not possible), protecting everything would cost in the hundreds of billions of dollars and even if attainable would not be feasible. This means that public and private groups will need to determine an acceptable level of risk in light of the costs and benefits of preventive measures. There also is an increasing call for shifting our strategic focus away from hardening targets and, as we do in the physical world, applying greater emphasis on deterring and punishing threat actors. These decisions need to be made soon, given the time (five years or more) necessary for designing and deploying fundamental cyber infrastructure to accomplish our strategic goals.
REMEDIES
Need for Coordinated Strategy:
- Cyber defense should be addressed as a national problem, with coordinated strategies, rather than being tackled by separate sectors. The problems are synergistic, and solutions must be developed in concert with myriad sectors of the economy. Nevertheless, the primary responsibility for cyber defense must ultimately reside with the federal and state governments. Steven Chabinsky, former cyber advisor to the DNI and FBI Deputy Assistant Director, suggested the following:
1) Detection of events: DHS should define the measurements for, be the central repository for, and analyze information associated with interference events. This will help determine trends, etc.;
2) Locating the source of events: the FBI should lead the federal, state, and local law enforcement communities in identifying the technologies, methods, and reports relating to identifying the source, motivation, and resolution of interference events;
3) Recovering from events — either by detection/attribution (as mentioned in 1 & 2), or through greater Research & Development efforts focused on resilience of all of the various services that are critically vulnerable to interference events;
4) Identifying the increasing vulnerabilities of our critical infrastructure and IoT reliance upon cyber, and potential harm relating to, interference—including, but not limited to sophisticated GPS interference and unsophisticated terrestrial jamming of infrastructure processes, emergency communications, and transportation;
5) Fundamentally, we need to ensure that our cybersecurity strategies, technologies, market incentives, and international dialogue focus greater attention on the challenges of more quickly detecting and mitigating harm, while in parallel locating and penalizing bad actors.
Approaches to Data Aggregation:
- There is an urgent need to aggregate all interference data from entities using cyber technologies in one place, analyze the data, identify patterns and then disseminate the results to the participating entities. This will allow the participating agencies to develop appropriate defenses and countermeasures. The absence of a dedicated data center that identifies the risk and analyzes the data facilitates successful interference with the nation’s strategic and civil infrastructure, and has made it all but impossible to determine whether terrorist organizations, nation states, and criminals are developing, testing, and intending to deploy these capabilities against us.
- Regarding technical “fixes”: collecting cyber attack data in one location does not suggest that the monitoring of cyber attacks throughout America’s digital infrastructure should be centralized. Nor should there necessarily be uniform cyber defense protocols for all government and private sector systems.
Redundancy and Resilience:
- We should be able to bend without breaking. There is a lack of basic redundancy in critical systems as a straightforward means of preventing catastrophic cyber attacks from causing complete breakdowns. For example, the national electric grid would be far more robust if “islands” of power generation were created. Developing and fielding small nuclear reactors at the community level was mentioned as one possible solution, capitalizing on technology developed by the U.S. Army decades ago. Similarly, high energy density, long-life batteries and other advanced means of electrical power generation and storage would greatly reduce the potential of nationwide blackouts.
- Because today’s GPS system is vulnerable to space- or ground-based attack, there is a pressing need for alternative sources of timing and positioning information. LORAN, a legacy navigation system used for decades by ships and aircraft, has been abandoned. If the system had not been shut down, LORAN might be a reliable backup for GPS. Currently, a major communications company is testing the feasibility of sending timing signals generated by national atomic clocks to cell phone networks via fiber-optic cable.
- GPS is vital to the world as a whole and is not confined to the borders of the US. This means we need to address GPS vulnerability and possible loss of the system through an international forum. This would be especially true given that an attack could in fact result from a preemptive or offensive cyber attack on our part.
Application of resilience principles could be achieved by:
1) Engaging CEOs in the private sector. CEOs usually don’t seek or receive advance notices of looming risks and crises that could affect their supply chains, interconnected links and interdependencies from end to end.
2) Anticipating that “unknown, unknowns” will happen. Adapt, recover, restore, and move on. The ability to bend in the winds of a disruption or disaster, rather than break, should assume that mission-essential functions of government and core business functions are liable to fail.
3) Pursuing uninterrupted availability of critical government and business functions and services, e.g. U.S. provisioning and distribution of timing and navigation services for critical infrastructure. Build resiliency, defined by robustness, reliability and flexibility, into user functions, systems architecture, and end-user equipment designs.
Role of Civil Defense:
- There is a need to reassess the capabilities of our current civil defense system. Well-planned technological redundancy, backed by good preparation and training, would ensure national resilience, defined as an ability to ride out major disruptions and then quickly restore communications, supply lines, electrical power and computer systems to a basic level of functionality.
- Directly approaching the states should facilitate rapid improvement of cyber-security awareness. Recently, Maine and Oklahoma have taken action to protect its electrical grid, and active discussions are underway in North and South Carolina.
George Mason University Law Professor Jeremy Rabkin offered the following observations:
1) The most original and promising proposals voiced at the event were to mobilize state governments and state National Guard units to prepare responses.
2) We should try to interest Pentagon planners in getting the National Guard involved in preparing for massive power outages—prepositioning vital supplies, including water and gasoline and oil, or gas-powered electric generators for emergency use.
Roles of the Public and Private Sector:
- Private industry plays a significant role in the day-to-day network-based operations and functions of the economy, e.g. communications, energy, medical services, accounting and finance services, equipment maintenance, and logistics functions (shipping companies, transportation grid providers, and suppliers as a part of the global transportation system). Therefore, the private sector also plays a significant role in addressing known vulnerabilities with the security and the reliability of networks and equipment.
- Government and the private sector can work together to mitigate risk and perhaps design more resilient architectures and end-user equipment less susceptible to interference. Where it makes sense, disaggregated (non-interdependent) architectures of small independent systems could be pursued and could be less susceptible to cascading effect.
- A potential next step is for private sector to develop a risk-mitigation and an “Options for Consideration” document of best practices and techniques.
- Conversations among businesses and technology-insurance firms are in their infancy, and DHS and the Commerce Department have done commendable work in starting a dialogue on cybersecurity. Business and insurance leaders should be required to be better informed of both vulnerabilities and the availability of advanced solutions to weigh the costs of cyber defense against those of insurance premiums. Insurers must establish premium costs by assessing the level of cyber defense a client has implemented, and the potential impacts of various types of intrusions. While conducting these assessments and risk determinations is a complex process, companies must show compliance with a certain set of rules in order to receive cyber insurance. (See Appendix B for further remarks)
- Well-defined standards governing cyber-defense methodologies, whether mandated or voluntary, would greatly simplify today’s confusing muddle.
* The complete report of this event is available here. It was co-Sponsored and hosted by the Homeland Security Policy Institute, George Washington University, Washington, D.C., Wednesday, February 19, 2014