Read Cyber War: The Next Threat to National Security and What to Do About It Online
Authors: Richard A. Clarke,Robert K. Knake
Tags: #General, #Computers, #Technology & Engineering, #Political Science, #Security, #United States, #Political Freedom & Security, #Cyberterrorism, #Political Process, #Law Enforcement, #International Security, #Information warfare, #Military Science, #Terrorism, #Prevention
The second prong of a Defensive Triad is a secure power grid. The simplest way to think about this idea is to ask, as some have, why the hell is the power grid connected to cyberspace at all, anyway? Without electricity, most other things we rely on do not work, or at least not for long. The easiest thing a nation-state cyber attacker could do today to have a major impact on the U.S. would be to shut down sections of the Eastern or Western Interconnects, the two big grids that cover the U.S. and Canada. (Texas has its own, third, grid). Backup power systems are limited in duration and notorious for not coming on when needed (as happened at my house last night when a lightning storm hit the rural power net, creating a localized blackout. My automatic starting generator sat there like an oversized door stop). Could those three North American power-sharing systems, composed of hundreds of generation and transmission companies, be secured?
Yes, but not without additional federal regulation. That regulation would be focused on disconnecting the control network for the power generation and distribution companies from the Internet and then making access to those networks require authentication. It would really not be all that expensive, but try telling that to the power companies. When asked what assets of theirs were critical and should be covered by cyber security regulations, the industry replied that 95 percent of their assets should be left unregulated with regard to cyber security. One cyber security expert who works with the major cyber security auditing firms said he asked each audit firm that had worked with power companies if they had been able in their audits to get to the power grid controls from the Internet. All six firms said they had. How long did it take them? None had taken longer than an hour. That hour was spent hacking into the company’s public website, then from there into the company’s intranet, then through “the bridge”
they all have to their control systems. Some audits cut the time by hacking into the Internet-based phones (voice over Internet protocol, or VOIP, phones) that were sitting in the control rooms. These phones are by definition connected to the Internet; that’s how they connect to the telephone network. If they are in the control room, they are also probably connected to the network that runs the power system. Good thinking, huh? Oh, it gets better. In some places the commands to electrical grid components are sent in the clear (that is, unencrypted) via radio, including microwave. Just sit nearby, transmit on the same frequency with more energy in your signal than the power company is using, and you are giving the commands (if you know what the command software looks like).
The Federal Energy Regulatory Commission (FERC) promises that in 2010 it really will start penalizing power companies that do not have secure cyber systems. What they have not said is how the Commission will know who is in violation, since the FERC doesn’t have the staff to regularly inspect. The U.S. Department of Energy, however, has hired two cyber security experts to determine if the $3.4 billion in Smart Grid grants are going to new programs that are adequately secured. Smart Grid is the Obama Administration’s idea to make the power grid even more integrated and digitized. Power companies can ask for some of that money by submitting proposals to the Energy Department. When they do, the two experts will read the proposals to see if there is a section somewhere that says “cyber security.” The Energy Department refuses to say who the two experts are or what they will be looking for in the “cyber security” section of the grant proposal. There are no publicly available standards. One idea for a standard might be that the taxpayers don’t give any of the $3.4 billion in Smart Grid money to companies that haven’t secured their current systems. Don’t expect the Energy Department to use that standard anytime soon, because that would mean taking advantage of this unique federal giveaway program to incentiv
ize people to make things more secure. That smacks of regulation, which, of course, is just like socialism, which is un-American. So, we will soon have a more digital Smart Grid, which will also be a Less Secure Grid. How could we make the U.S. national electrical system a Smart
and
Secure Grid?
The first step in that direction would be issuing and enforcing serious regulations to require electric companies to make it next to impossible to obtain unauthorized access to the control network for the power grid. That would mean no pathway at all from the Internet to the control system. In addition, the same kind of deep-packet inspection boxes I proposed placing on the Internet backbone could be placed on the points where the control systems link to the power companies’ intranets. Then, just to make things even harder for an attacking cyber warrior, we could require that the actual control signals sent to generators, transformers, and other key components be both encrypted and authenticated. Encrypting the signals would mean that even if you could hack your way in and try to give an instruction to a generator, you would not have the secret code to do so. Authenticating the commands would mean that through a proof of identity procedure, or electronic “handshake,” the generator or transformer would know for sure that the command signal it was getting was coming from the right place. Because some parts of the grid might still be taken over by a nation-state hacker, certain key sections should have a backup communication system for sending command and control signals so that they could restore service.
Many people dismiss the significance of an attack on the power grid. As one senior U.S. government official said to me, “Power blackouts take place all the time. After a few hours, the lights come back.” Maybe not. The power comes back after a few hours when what has caused it to fail is a lightning storm. If the failure is the result of intentional activity, it will likely be a much longer blackout. In what is known as the “Repeated Smackdown Scenario,” cyber
attacks take down the power grid, and keep it down for months.
If the attacks destroy generators, as in the Aurora tests, replacing them can take up to six months, because each must be custom built. Having an attack take place in many locations simultaneously, and then happen again when the grid comes back up, could cripple the economy by halting the distribution of food and other consumer goods, shutting down factories, and forcing the closure of financial markets.
Do we really need improved regulation? Should we force power companies to spend more to secure their networks? Is the need real? Let’s ask the head of U.S. Cyber Command, General Keith Alexander, the man whose cyber warriors would attack other nations’ electric grids. Knowing what he knows he can do to others, does the General think we need to do more to protect our own power grid? That’s essentially what he was asked in a congressional hearing in 2009. He replied, “So the power companies are going to have to go out and change the configuration of their networks…. [T]o upgrade their networks to make sure they are secure is a jump in cost for them…. And now you’re going to have to work through their regulatory committees to get the rate increases so that they can actually secure their networks…. [H]ow does government, because we’re interested in perhaps having reliable power, how do we ensure that that happens as a critical infrastructure?” It was a little rambling, but General Alexander seemed to be saying that power companies need to reconfigure so we can have secure, reliable electricity, that this may mean they have to spend more, and that the regulatory organizations will have to help make that happen. He’s right.
The third prong of the Defensive Triad is Defense itself, as in the Department of Defense. There is little chance that a nation-state would stage a major cyber attack against the U.S. without trying to cripple DoD in the process. Why? While a nation-state actor might try to cripple our country and our will by destroying
private-sector systems like the power grid, pipelines, transportation, or banking, it is hard to imagine such actions coming as a bolt from the blue. Cyber attacks would only likely come in a period of heightened tensions between the U.S. and the attacker nation. In such an atmosphere, the attacker would probably already fear the possibility of conventional, or kinetic, action by the U.S. military. Moreover, if an opponent were going to hit us with a large cyber attack, they would have to assume that we might respond kinetically. A cyber attack on the U.S. military would likely concentrate on DoD’s networks.
For simplicity, let’s say that there are basically three DoD networks. The first, NIPRNET, is the unclassified intranet. Systems on that network use the dot-mil addresses. The NIPRNET connects to the public Internet at sixteen nodes. While it is unclassified data that moves on NIPRNET, unclassified does not mean unimportant. Most logistical information, like supplying Army units with food, is on the NIPRNET. Most U.S. military units cannot sustain themselves for long without support from private-sector companies, and most of that communication goes through the NIPRNET.
The second DoD network is called SIPRNET and is used to pass secret-level classified information. Many military orders are transmitted over the SIPRNET. There is supposed to be an “air gap” between the unclassified and secret-level networks. Users of the classified network download things from the Internet and upload them to the SIPRNET, thus sometimes passing malware along unknowingly. Pentagon information security specialists call this problem the “sneakernet threat.”
In November 2008, a Russian-origin piece of spyware began looking around cyberspace for dot-mil addresses, the unclassified NIPRNET. Once the spyware hacked its way into NIPRNET computers, it began looking for thumb drives and downloaded itself onto them. Then the “sneakernet effect” kicked in. Some of
those thumb drives were then inserted by their users into classified computers on the SIPRNET. So much for the air gap. Because the secret network is not supposed to be connected to the Internet, it is not supposed to get viruses or worms. Therefore, most of the computers on the network had no antivirus protection, no desktop firewalls or similar security software. In short, computers on DoD’s most important network had less protection than you probably have on your home computer.
Within hours, the spyware had infected thousands of secret-level U.S. military computers in Afghanistan, Iraq, Qatar, and elsewhere in the Central Command. Within a few more hours, the highest-ranking U.S. military officer, Admiral Mike Mullen, the Chairman of the Joint Chiefs of Staff, was realizing how vulnerable his military really was. According to a high-ranking Pentagon source, Mullen screamed, “You mean to tell me that I can’t rely on our operational network?” at the network specialists briefing him. The network experts on the Joint Staff acknowledged the Admiral’s conclusion. They did not seem surprised; hadn’t he known that already? Horrified at a huge weakness that Majors and Captains seemed to take for granted, but which had been kept from him, Mullen looked around for a senior officer. “Where’s the J-3?” he demanded, looking for the Director of Operations. “Does he know this?”
Shortly thereafter, Mullen and his boss, Secretary of Defense Robert Gates, were explaining their discovery to President Bush. The SIPRNET was probably compromised. The netcentric advantage the U.S. military thought it enjoyed might just prove to be its Achilles’ heel. Perhaps Mullen should not have been surprised. There are over 100,000 SIPRNET terminals around the world. If you can get time alone with one terminal for a few minutes, you can upload malware or run a covert connection to the Internet. One friend of mine described a SIPRNET terminal in the Balkans that a Russian “peacekeeper” could easily get to without being observed.
Just as in World War II, when the Allies needed only one German Enigma code machine in order to break the Nazis’ encryption, so, too, if one SIPRNET terminal is compromised, can malware be inserted that could affect the entire network. Several experts who worked on SIPRNET security-related issues confirmed to me the scary conclusion. As one said, “You got to assume that it’s not going to work when we need it.” He explained that if, in a crisis, that command and control network were brought down by an enemy, or, worse, if the enemy issued bogus commands, “the U.S. military would be severely disadvantaged.” That’s putting it mildly.
The third major DoD network is the Top Secret/Sensitive Compartmented Information (TS/SCI) network called JWICS. This more limited network is designed to pass along intelligence information to the military. Its terminals are in special highly secured rooms known as Secret Compartmentalized Information Facilities, or SCIFs. People also refer to those rooms as “the vault.” Access to these terminals is more restricted because of their location, but the information flowing on the network still has to go across fiber-optic cables and through routers and servers, just as with any other network. Routers can be attacked to cut communications. The hardware used in computers, servers, routers, and switches can all be compromised at the point of manufacture or later on. Therefore, we cannot assume that even this network is reliable.
Under the CNCI plan, DoD is embarked on an extensive program to upgrade security on all three kinds of networks. Some of what is being done is classified, much of it is expensive, and some of it will take a long time. A real possibility is the use of high-bandwidth lasers to carry communications to and from satellites. Assuming the satellites were secure from hacking, such a system would reduce the vulnerabilities associated with fiber-optic cable and routers strung out around the world. There are, however, a few important design concepts using currently available technology that
should be included in the DoD upgrade program quickly, and they are not budget busters: