The Register Citizen (Torrington, CT)

Confronting our cyber reality for the future

By Arthur H. House

Arthur House is principal of Cybersecurity Risk Associates. He served in the Office of the Director of National Intelligence in the Obama administration and most recently was Connecticut’s chief cybersecurity risk officer.

Some European train stations post signs that read “Beware: one train can hide another.” Watch out — another train may be behind the one you have your eye on.

Our current array of concerns is far more than we want. But now comes confirmation of a dangerous hidden train behind them all — a huge cyber penetration.

The attack on and through SolarWinds is part of an ongoing Russian spy campaign. It achieved “backdoor” access, undetected for months, into major companies, government agencies, the electric grid and nuclear weapons development laboratories. We still don’t have the full damage assessment.

Penetrated government agencies include the Departments of Energy, Defense, Homeland Security, Treasury and the Federal Energy Regulatory Commission.

We don’t need hysterical Henny Pennys declaring the sky is falling. But it would be foolhardy to ignore the damage done and the extent of our vulnerability. Intrusions have included our intelligence agencies and the military. Hackers have compromised state and local governments, hospitals, banks and information technology companies. Cyber is a weapon.

Fortunately the U.S. electricity grid grew with different designs in separate pieces and phases. Its diversity makes a nationwide attack difficult. But attacks could have regional effects on critical substations that could take out the flow of natural gas to New York and New England, the supply of water to Los Angeles or electricity to Northern Virginia and Washington, D.C., and shut down airports — threatening national security and lives and bringing us to our knees as much as a missile attack on a major city.

With offense dominating the cyber game, how do we build defenses more demonstrably effective than what we have today? Carefully, from the top down and bottom up. At the federal level, we need leadership and priority attention to cyber threats. But Connecticut can do a lot at the state and municipal levels and with private businesses.

Governors need to take charge immediately during a cyber attack to manage previously rehearsed defenses, establish credibility, counter rumors, lead response and marshal recovery resources. Communications have to be prepared ahead of time and be ready for dissemination.

We have assets. Connecticut’s system of annual review of cyber threats to critical infrastructure is used as a model by some countries in Europe and the Black Sea area. We have a strategy and an action plan, both created in partnership with Connecticut business and ready for updating and deployment. We have a governor well versed in crisis management who recognized the importance of cybersecurity in his welcome address to the 2021 General Assembly.

The Connecticut State Police has a cyber investigations unit and offers its expertise to municipalities.

Connecticut’s emergency management capacity has experience in familiar threats such as hurricanes and ice storms. It has conducted virtual exercises simulating a cyber attack. That process needs to advance to rehearsed management of unprecedented challenges predicated by a cyber attack on utilities and government services. How would we manage two weeks or months without electricity and consequently, drinking water? We need answers for unpleasant questions such as how to run hospitals, feed people and manage martial law in a cyber crisis.

Some take comfort in turning to “cyber hygiene” to reduce threats — steps such as deploying the latest defensive software, conforming to security standards, anti-phishing campaigns, training and establishing “air gaps” to separate systems and networks from the internet. All good ideas. But the stark truth is that if a human can create and put something on a computer or the internet, a human can compromise it. No network or computer is completely secure.

We rely more extensively on technology and are exposed to single points of failure that need to be replaced with redundant capabilities.

Andy Bochman of the Idaho National Laboratories discusses a “consequence-driven, cyber-informed engineering methodology” (CCE). He asks what would you do if you wanted to ruin your company (or town or state agency)? What priorities — crown jewels — could stop delivery of electricity or destroy natural gas compressors, or could kill thousands of people? Digital pathways to those processes must be eliminated or reduced and monitored to the greatest extent possible. Real protection requires human eyeballs, not merely digital systems.

We can improve Connecticut security, including government but also giving business a competitive edge. We can lead regional efforts and work with the federal government.

The most frequent question I receive during cybersecurity presentations is, “Are we safe?”

We are not. But Russia’s recent breach — broad, deep and audacious — underscores that the question is vital. It’s time to take cybersecurity seriously. There are real dangers behind the ones in front of us.


Associated Press: This photo shows the United States Chamber of Commerce building in Washington. Elite cyber spies spent months secretly exploiting SolarWinds software to peer into computer networks, putting many of the company's highest-profile customers in national governments on high alert.
