Widespread blackouts sweep across the country, traffic signals go haywire, global financial markets freeze, the Pentagon’s data network collapses.
These calamities and much worse are exactly what could happen in the event of a large-scale “attack” on computer networks in the United States, or so the experts say. The problem will start small, say, bringing down an electrical grid within minutes. However, what may have seemed like an isolated incident could create scores of network outages across the country’s critical infrastructure. To many in the American military, federal agencies and high-tech companies, the threat from America’s fiercest adversaries is ominous. Their target isn’t necessarily military, but rather the networks owned and maintained by private companies with household names like Consolidated Edison, Citigroup, Exxon and Google. And to many of these gatekeepers, it’s not a matter of if, but when — unless something is done now to shore up security of these networks.
“There’s a perfect storm coming,” said David Chronister, a self-described “ethical hacker” and founder of Parameter Security, a consulting company. “Companies think they are secure because they are compliant with standards, but they really don’t know enough. There’s a false sense of security.”
The pace at which hackers and other intruders are inventing ways of breaking into private networks, including critical U.S. infrastructure, is far outpacing the ability to protect them, said Chronister. At the same time, people routinely underestimate the damage a region would sustain if its electrical network, perhaps even its water supply, were to go down for an extended period. The impact, Chronister said, could be devastating.
Yet effective protection from cyber-threats requires unprecedented cooperation between the public and private sectors. Unfortunately the two sides are not even close.
To the private sector, the federal government is falling dramatically short of meeting its cyber-security expectations. According to the Government Accountability Office’s Critical Infrastructure Protection report, fewer than one-third of private-sector respondents said they felt the federal government was meeting their expectations for “timely and actionable” information and alerts related to cyber-threats. And roughly four out of five private-sector respondents indicated that they felt the mechanisms for sharing information between the public and private sectors were inadequate.
The report also showed that federal agencies weren’t meeting private industry’s expectations for assisting with security tests, offering training opportunities or providing necessary security clearances. These companies reported a lack of a “single centralized government cyber-information source.” These shortcomings, the report concluded, hinder the private sector’s ability to thwart cyber-attacks.
But federal agencies say the private sector shares responsibility for shortcomings in the partnership. Public agencies would like the private sector to be more willing to share proprietary information with federal agencies — something it’s currently reluctant to do — the report states. Restrictions within the private sector on the kind of information it can share make it difficult to provide individualized treatment to any single business sector.
Jeffrey Carr, a cyber-security expert and author of Inside Cyber Warfare, said the private network operators, most notably the nation’s largest utility companies, should be blamed for the delays in addressing security, not the public sector. Most of the nation’s energy companies, for example, have been very adversarial toward federal security efforts from the start. “Private industry has been dragging its feet, finding ways to be excluded,” he said.
The threat of cyber-attacks has been steadily increasing for several years, while it has become much clearer that the United States is unprepared to protect itself against such attacks. Estimates vary as to the exact cost of cyber-crime, but in a 2009 speech, President Barack Obama put the 2007-2008 combined total at $8 billion.
The sources of cyber-attacks take many forms, from individual hackers gaining unauthorized access to private networks and criminal groups seeking monetary gain, to individuals or terrorist organizations attempting to break into critical data networks to threaten national security, perhaps even cripple the economy. It is this last category that poses the greatest national threat.
So-called botnets are a particularly dangerous security threat because they can remain nearly invisible while siphoning data to a new destination. These intrusions focus on stealing intellectual property, rather than taking down networks. Perhaps the most malicious form of cyber-attack seen so far is the denial of service, which is when hackers send repeated requests to a network to overload and shut it down.
Reports of cyber-attacks over the past few years illustrate the seriousness of the problem and its potentially devastating impact on private industry and public safety. While more than 100 countries can launch cyber-attacks, China is considered the greatest threat to the United States, and relations between the two countries have become fraught with hostility and suspicions over cyber-security. According to Chronister, Russia is considered an increasing threat as well.
In March 2008, according to the Critical Infrastructure Protection report, the Department of Defense and other federal agencies and contractors reported that their computer networks were targets of intrusion, and the attacks appeared to have originated in China.
In 2009, North Korea was suspected of an attack that started July Fourth weekend and took down the Web servers of the U.S. Treasury, Secret Service and Federal Trade Commission, among others. (South Korean government Web servers were hit at roughly the same time.)
And in 2010, it came to light that more than 30 private companies, many of them in Silicon Valley, had experienced intrusions of their data networks. Of those companies, Google said it had been the victim of a “highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.”
But perhaps the most dramatic example of a cyber-attack came last summer when a malicious computer worm found its way into an Iranian nuclear plant after infecting thousands of computer systems worldwide. The incident, caused by a malicious software program called Stuxnet, made it glaringly obvious how vulnerable the world’s critical computer networks really are, and perhaps more importantly, just how difficult it can be to find the source of malicious programs. The exact origin of the Stuxnet worm has never been discovered, but its ferocity — along with its surreptitiousness — sent shock waves through the federal agencies charged with preventing such attacks and showed the private industry just how little is known about securing the nation’s infrastructure.
New Approach, New Controversy
The most recent approach to protecting U.S. infrastructure from cyber-attacks came in the form of a new program from the National Security Agency (NSA). Called Perfect Citizen, the program is intended to monitor threats to the country’s infrastructure, including electrical networks, nuclear power plants and transportation systems, and to trigger an alarm in the event of an impending intrusion.
The system would work by analyzing the vectors where cyber-attacks could occur, typically the points at which a private network connects to the Internet.
But when news of the program leaked last July in The Wall Street Journal, not everyone viewed Perfect Citizen as an asset. Instead, privacy watchdogs and consumer groups viewed the program as providing the nation’s leading eavesdropper with another opportunity to invade individuals’ privacy.
The NSA, long known for its eavesdropping activities, responded to the report by denying that Perfect Citizen involves any monitoring activity or places sensors on networks, as the story asserted. Rather, the NSA countered that the program is simply a way for the agency to assess a network’s vulnerabilities.
Carr argues that people misunderstand Perfect Citizen’s goal. The program, he said, is providing long-overdue, much-needed security on critical infrastructure. “I consider it more or less a housekeeping issue, not widespread surveillance,” he said. “This is a program to test the vulnerabilities of a network. Private industry has been dragging its heels for years on this, and it’s something that has to be done.”
But Satnam Narang, a threat analyst at the security firm M86, said the controversy over Perfect Citizen misses the point. Federal monitoring networks can only go so far, he said. The most important thing federal agencies can do is educate the private sector about the kinds of existing threats and the form they take. “What companies really lack is training and education about threats,” Narang said. “They need to know what to look for.”
Perfect Citizen builds on an effort started by the U.S. Department of Homeland Security in 2006, then updated in 2009, to address cyber-attacks. Called the National Infrastructure Protection Plan (NIPP), the idea was to provide a framework for a national coordinated approach to address all threats to U.S. infrastructure. NIPP set up public and private councils in each business segment, such as the financial industry or health care. These public and private councils then work together to deal with cyber-security issues related to their industry.
That same year, the Department of Homeland Security opened the National Cybersecurity and Communications Integration Center, a centralized organization to coordinate how public agencies handle cyber-security threats. The center has gathered various federal projects under one roof while attempting to improve communication between the private sector and public networks that encompass the nation’s infrastructure.
But calling it an infrastructure implies more continuity in this mega-network of information and services than actually exists. For those attempting to manage and secure data networks, this is far from the case. For the most part, utilities today remain regional; there’s certainly no such thing as a national electric grid.
The situation is made even more challenging because some of the equipment has been around longer than the Internet. Connecting an assortment of systems built in the 1970s into a single network, or adding a security layer, can be difficult. “In some cases, they’re afraid to patch some networks because they think they’ll cause a power outage,” Carr said.
Bruce Schneier, a cyber-security consultant, says it’s a flawed assumption that the Internet can actually be managed. “The Internet is the largest communications system mankind has ever created, and it works because it is distributed. There is no central authority. No nation is in charge,” Schneier blogged shortly after the National Security Agency’s Perfect Citizen cyber-detection program was revealed. “Plugging all the holes isn’t possible.”
Laurie J. Flynn is a California native who has spent much of her career as a newspaper reporter writing about the exploits of Silicon Valley executives for The New York Times. Her work has also appeared in the San Jose Mercury News, Real Simple, the San Francisco Chronicle and other regional and national publications.