Last week, Secretary of Defense Leon Panetta warned the country is at risk of a “cyber-Pearl Harbor.”
In a speech at the Intrepid Sea, Air and Space Museum in New York, the secretary said a large-scale cyber attack on the U.S. is increasingly likely and could cripple the nation’s government, transportation systems, power grid and financial networks.
Director of GW’s Homeland Security Policy Institute Frank Cilluffo talked to George Washington Today about the possibility of a cyber attack, what form it could come in, possible perpetrators and what can be done to safeguard against it.
Q: Leon Panetta issued a pretty alarming warning about the country’s vulnerability. How likely is it that the U.S. will be victim to a large-scale cyber attack?
A: In fact, the U.S. is already under attack in the cyber domain. While not as visible as a kinetic attack, there have been a number of cyber incidents that should have served as a wake-up call for the country. The most prevalent type of activity is computer network exploitation (CNE), or cyber espionage. In addition to the theft of more traditional political, military and economic secrets, there has been a major spike in the theft of intellectual property, technology, trade secrets, etc., in the hands of the private sector and even the identities of individuals.
Moreover, CNE activities include the cyber equivalent of intelligence preparation of the battlefield, or the mapping and probing of our critical infrastructures. In other words, CNE lays the groundwork for attack. Indeed, the line between attack and exploit is very thin, turning only on the matter of intent.
However, while there are myriad significant reasons to be concerned, the sky is not falling—in part, because there is a tendency to conflate all types of cyber attacks when discussing U.S. cyber vulnerability. For instance, the hacking of a website is more akin to graffiti in cyberspace and is very different in terms of consequences and implications from a probe of a supervisory control and data acquisition (SCADA) system conducted by a foreign intelligence and security service (critical infrastructures such as power plants rely on SCADA systems to function smoothly). Yet, there is a tendency to lump all of these disparate things together in public discourse about “cyber attacks” and U.S. readiness/vulnerability. Not all attacks and techniques are the same, nor are the threat actors and their intentions.
Q: Officials cited China, Russia and Iran as adversaries that could be behind such an attack. Do we have a best guess of where or who such an attack could come from?
A: All of the above. As a matter of fact, a number of countries are increasingly integrating CNE and CNA (computer network attack) capabilities into their warfighting and military planning and doctrine. If we were to rack and stack actors in terms of their sophistication of cyber capabilities, China and Russia would top the list. Both of these countries have already been active in this space, and have engaged in theft of intellectual property on a grand scale. Iran too has been investing heavily, including standing up a relatively new cyber army. The good news is that Iran is not yet as capable as Russia or China. The bad news is what they may lack in capability they more than make up for in intent. In addition, Iran has demonstrated a ready willingness to supplement its own capabilities, both cyber and kinetic, by drawing on proxy forces such as Hezbollah. And an arms bazaar of cyber weapons and even hackers themselves can be bought or rented in cyberspace.
Notwithstanding these realities, attribution remains a real challenge in the cyber domain. Technologies and techniques to discern the perpetrator(s) in real-time, at the time of breach, are advancing steadily but identifying the attacker(s) in a given scenario is still a significant undertaking in a domain that is made for plausible deniability. Smoking keyboards can be hard to find.
Q: What form is a cyber attack most likely to come in? Mr. Panetta mentioned derailing trains and contaminating the water supply, for example.
A: Considered from the perspective of potential catastrophic damage, the most worrying type of attack is one that successfully combines cyber and kinetic means. However, CNE is happening already. We have seen the theft of intellectual property on a massive scale, and we have identified foreign probes of critical U.S. infrastructure. According to open-source reporting, actors who may wish to do us harm are conducting reconnaissance and surveillance of these crucial U.S. facilities and sectors. This is particularly concerning in light of the interdependencies that exist between and among sectors. For example, if the power/energy sector is knocked out, every other endeavor that depends on it (and what doesn’t?) will be similarly paralyzed. In this sense, electric power and energy are perhaps the most critical of our so-called critical infrastructures.
Q: Have there been major cyber attacks to date that have had disastrous consequences in the U.S. or elsewhere in the world?
A: There have certainly been some major cyber attacks that have caused significant consequences for their targets. Consider Russia’s 2007 cyber attack upon Estonia, which hit the Estonian government and financial institutions hard. Russia has clearly integrated a cyber component into its planning for, and execution of, warfighting. Russia’s 2008 conflict with Georgia is one example. This could be a prelude to other instances, such as the current conflict between China and Japan over a group of islands in the East China Sea, during which Japanese government and other websites have already been hacked. Or the 2009 cyber attacks on Twitter and other social media by the government of Iran during the Green Movement, thus isolating their citizens from the rest of the world and in effect cutting off the oxygen and life of the movement.
We have also witnessed cyber attacks on U.S. banks, foreign oil and gas companies, and of course the media have reported widely on Stuxnet and its detrimental effect upon Iran’s nuclear program (which is an indisputably positive outcome, in my view). In short, we’ve seen what can be done, and we know what key architectures, etc., are vulnerable to cyber attack. Then again, critical infrastructure has always been high on the priority target list in warfighting. The difference is that now the bombing, or its equivalent, can be done remotely.
Q: Mr. Panetta is calling for new legislation that would step up security at facilities where an attack could have the largest negative consequences. How critical is this legislation to preventing a large-scale attack?
A: Legislation in this area is absolutely critical, as I’ve suggested to Congress multiple times in recent testimonies before the Senate and House of Representatives. Lawmakers must demonstrate the will and leadership to make the tough decisions needed in this sphere.
That said, we must take care to strike just the right balance of carrots and sticks, and of measures that ensure both privacy and security, in our approach. For example, permitting through law the indemnification of liability for those entities (especially critical industries, the majority of which are owned and operated by the private sector in this country) that do what has been asked of them would avoid costly litigation and encourage the adoption of best cybersecurity practices all at once.
Q: Outside of legislation, what steps can be taken to safeguard against an attack?
A: A number of important steps can be taken outside of legislation. First and foremost, while cybersecurity is essential, we must acknowledge that we will never be able to firewall our way out of the challenge and must clearly articulate a cyber deterrence strategy in order to dissuade, deter and compel adversaries from acting in ways inimical to U.S. interests in the cyber domain. Any cyber deterrence strategy must include a more transparent conversation about offensive cyber warfare. I was pleased to note that Secretary Panetta is beginning to lay down some important markers along these lines.
In addition, we could pursue the following three important, but non-legislative, measures: effective information sharing by building on a pilot program initially restricted to companies that form a part of the nation’s defense industrial base; definition and implementation of cybersecurity standards and best practices in a manner that is self-initiated/self-executed by industry itself; and a third-party enforcement mechanism for same that would encourage industry-wide adoption and robust outcomes.
There is no reason for further delay on any of the above. For too long, we have simply been short on verbs and long on nouns. To continue that way is to proceed at our peril.