The Register Citizen (Torrington, CT)

Addressing the gap in our cyber defense

By Arthur H. House

Arthur House was Director of Communications for the Director of National Intelligence. He subsequently chaired Connecticut’s public utilities commission and served as Connecticut’s Chief Cybersecurity Risk Officer under Governor Malloy.

U.S. Intelligence Community leaders have a stark message: Enemies have breached the ramparts.

In addition to ransom attacks and election interference is potential devastation national leaders describe in plain language: Foreign nations have penetrated our critical infrastructure and threaten our national security.

American utilities can’t find the implanted malware in generation, transmission and distribution systems. Most state regulatory authorities, which oversee distribution of electricity, natural gas and water, have neither the capability nor necessary security clearances for meaningful contribution. The result is vulnerability we refuse to confront.

We’ve been warned. The Department of Homeland Security, in July 2018, reported hundreds of Russian military intelligence infiltrations of power plant control rooms and parts of the electricity grid. The Director of National Intelligence in his January 2019 Worldwide Threat Assessment stated that adversary nation state capabilities include activities “to collect intelligence and target our critical infrastructure to hold it at risk.” A former National Security Agency leader describes extensive malware implantations in electricity transmission.

Some states are paying attention. Connecticut has conducted three extensive annual reviews including its large electricity and natural gas operations. Utilities have invested in cybersecurity capacity and augmented in-house talent with former intelligence officers and nationally recognized cybersecurity consultants conducting penetration tests. They have not found operational malware implantations.

What gives? Intelligence officials explain that detecting nation state malware implantations takes sophisticated know-how and access to sensitive, top-secret “sources and methods.” At the same time, they say that they must keep that intelligence “close hold” to protect the sources and methods. So, they cannot grant a large number of utilities full security clearances and find it understandably compromising to help 200 or so generators, transmitters and distributors to find the penetrations.

The logic is rational but circular, leaving the nation aware of and not acting to defend against cyber penetration.

There are industry organizations making efforts to rally their members and constructively probe the consequences of cyber compromise. The Electric Subsector Coordinating Council seeks to tie utility CEOs with federal authorities to prepare for and respond to critical infrastructure disasters. The North American Electric Reliability Corporation and utilities participate in biennial “Gridex” exercises to raise awareness of cyber attack consequences. Still, these organizations, our utilities and our states connect only tangentially to our national security apparatus.

A sense of security derived from thinking that at least we’re woke to the capabilities of Russia and China is foolhardy. The United States and Iran have used cyber weaponry against each other, with Iran attacking U.S. financial institutions, the Sands Casino in Nevada and critical infrastructure — a dam in New York. North Korea and cyber mercenaries are entering the arena. Offense is profoundly easier than defense in cyber warfare.

Until states and utilities are productively brought into the tent to share intelligence and craft a coordinated national counteroffensive, a few practical steps are necessary.

One is to make clear to penetrators that to pull the trigger and cripple us with critical infrastructure shutdown would be considered an act of war, met with significant consequences including the possibility of massive retaliation.

A second is to strengthen vital utility services to key government operations and military bases to enhance “mission assurance” and preserve the ability to strike back. National security facilities in Washington, D.C., northern Virginia and Maryland are obvious priorities.

The third is to make sure that states understand the devastation and panic that would ensue without electricity and potable water. Some national authorities are rightfully worried, noting that most states have no clue about what they would face in a cyber shutdown. States do not rehearse realistic drills addressing the consequences of outages lasting more than a month. They need to do so.

More basically, the federal government, the Intelligence Community and our 50 states cannot act like separate stovepipes when it comes to critical services and cyber aggression. The states must be robustly included in national security planning, recognizing their exclusive responsibilities for overseeing essential services and their strategic roles in managing emergency response. Without federal help, states and utilities working in good faith cannot root out the infections. They need training and practiced responses to public utility shutdowns.

We can’t continue this shadow dance with top-level intelligence officials warning of penetration that could bring our country to its knees with no consequent action, remediation or legislation. Weapons invented tend to be used at some point; we are on notice that cyber weaponry is planted within our vital public services.

Let’s not try to demonstrate once again how strong America can be after disaster strikes. Let’s hear the message and address the danger with appropriate defenses that include our states and utilities.

Photo: Michel Spingler / Associated Press. People wait at the Thales stand during the Cybersecurity Conference in Lille, northern France, Jan. 29.
