The reality of modern times is that nations are in a constant state of cyber engagement – either for espionage, influence, or disruption purposes. While there is a tacit acknowledgement that cyber espionage for political and military purposes is fair game, some actions such as the disruption of critical infrastructure, including transportation, energy, and financial institutions, would be an escalation likely reserved for moments of open conflict.
The Cipher Brief’s Levi Maxey spoke with Todd Rosenblum, the former Acting Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs at the Pentagon and current Senior Executive for National Security Programs and Strategy at IBM, about why protecting critical infrastructure networks is so highly prioritized and what it would mean if adversary states or non-state actors were to conduct disruptive cyber attacks against them.
The Cipher Brief: What does the U.S. consider critical infrastructure and why? Does this include the critical infrastructure of allies that could have cascading impacts against the United States?
Todd Rosenblum: The U.S. government has a formal definition for critical infrastructure and key resources, and subdivides them into a host of sub-groupings called sectors. Essentially, the definition boils down to a means to capture all of the nation’s major capabilities vital to the running of our economy, operations, and safety. Different federal agencies have lead responsibility for working with private sector owners and operators to harden systems within sectors.
There have been 16 sectors captured in the national formula that define the nation’s critical assets. The nation’s election infrastructure was added in January 2017 by former Homeland Security Secretary Jeh Johnson, making it the 17th sector. The original 16 sectors are somewhat broad categories and imply co-dependencies between and among them. The sectors range from energy, transportation, financial institutions, communications, information technology, critical manufacturing, healthcare, the defense industrial base, water, waste management services to emergency services, food and agriculture, government facilities, dams, nuclear reactors, and commercial facilities.
The challenge is that our definition of critical infrastructure essentially captures everything. Being so broad, it is too hard in practice to make informed, prioritized choices. In other words, we have so many priorities that we really have no priorities.
Allied critical infrastructure is not formally captured in the U.S. government definition of critical infrastructure. This is an important gap. We have, for example, co-dependencies with Mexico and Canada for energy, transportation, emergency response, and communications. Related but different is the integrity of our globalized supply chain that, if compromised, would undermine critical infrastructure operations. We have other tools that acknowledge and reduce this vulnerability, such as the Committee on Foreign Investment in the United States, which is intended to ensure the U.S. does not sell ownership of key resources to foreign entities that could be hostile to the nation.
TCB: Can you explain the relationship between information technology and industrial control systems? How can a cyber attack create physical effects? Does this mean there must always be analog cutoff points to avoid cascade failure of U.S. critical infrastructure?
Rosenblum: Industrial control systems (ICS) is a general term that encompasses several types of control systems and associated instrumentation used in industrial production technology. Information technology is a core conduit for managing industrial control systems on site and remotely.
The majority of industrial control systems are vulnerable to digital disruption. In 2015, two cybersecurity researchers remotely disabled a Jeep Cherokee’s transmission and brakes, and while the vehicle was in reverse, took control over the steering wheel. Also in 2015, persons in Russia successfully gained control of Ukraine’s national energy grid, compromising the information systems of three energy distribution companies and temporarily disrupting electricity supply to consumers. The 2010 disruption of uranium enrichment operations at Iran’s Natanz uranium enrichment facility reportedly was caused by software injects that caused centrifuges to spin erratically and break. Persons in Iran were responsible for injecting malware into Saudi Aramco’s network in 2012, disrupting operations and destroying vital operational files. These are dangerous precedents and not the only ones.
The best hardening of industrial control systems is by “air gapping,” or isolating them from the internet, large enterprise networks, and Bluetooth transmissions. Some of the nation’s most sensitive critical infrastructure is making great strides in isolating itself from digital compromise. But the more we adopt the Internet of Things, rely on enterprise-wide networks, and utilize Bluetooth transmissions, the more likely most industrial control systems will become vulnerable.
TCB: Attacks on critical infrastructure require knowledge of how each system is assembled. What can we assume is the intention of states conducting reconnaissance on U.S. critical infrastructure networks, such as, for example, the back offices of a nuclear facility contractor?
Rosenblum: We cannot assume anything good. Some of this probing is for industrial espionage and traditional intelligence gathering. Some of it is for what the U.S. military calls operational preparation of the battlefield environment. Regardless of the intent, the reconnaissance is robust and is making national critical infrastructure more vulnerable to digital and insider threat vectors.
We make ourselves even more vulnerable by putting on the World Wide Web a tremendous amount of schematic information about infrastructure design and operations. Publishing this information seems benign and in the public interest, but it also is critical intelligence for adversaries.
Similar to the nation’s unwieldy definition of critical infrastructure and key resources, we need to better articulate the impact of compromises by state actors. The U.S. intelligence community and law enforcement agencies already have some focus on identifying and countering this threat, and a recent Executive Order that instructs the intelligence community to do more sector-specific vulnerability analysis is helpful, but there needs to be greater emphasis here. Our intelligence apparatus remains uncomfortable assessing threats inside the U.S., and we need to modernize our thinking from separating threats between overseas and those inside the homeland, just as we have done for counterterrorism.
TCB: What could the psychological impact of manipulating data, rather than disrupting systems, be if deployed against critical infrastructure?
Rosenblum: Manipulating data, also known as spoofing, is a major threat to confidence in what we see on our screens. Losing confidence in what our screens tell us can be crippling to our psychological and actual dependency on digital information. It is, in many ways, more significant than the impact of one-off physical events triggered by digital means.
Just imagine the disruption to our national psyche if large numbers of Americans suddenly find their GPS systems giving out wrong directions or drone operators flying their platforms into buildings because their screens tell them they are in open space when they are not, or air traffic controllers and U.S. military operators not being sure their network-centric formations are accurate. What if financial transactions at banks and Wall Street are made intentionally false? There is reporting this week that investigators in the Navy are looking at possible digital compromise as one reason why two Seventh Fleet destroyers had two separate tragic collisions at sea in the Pacific in two months. The scenarios of disruption are only constrained by our lack of imagination.
Integrity of screens is assumed. Losing that integrity is profound. Fortunately, we are probably no more dependent on our screens than most other developed nations. Chinese reliance on screens is just as large as ours. Russia and Iran less so. North Korea least of all.
TCB: Would a major cyber attack on U.S. critical infrastructure by a foreign adversary be considered an act of war? Does this mean that attacks on Iranian nuclear facilities, Ukrainian power grids, or Saudi oil and gas should be seen as acts of war?
Rosenblum: This question comes up regularly, but I think we spend too much time asking ourselves if this one type of activity should be viewed as an act of war vice other types of grey zone events. Our deterrence and response planning needs to be assessed in a broader and situational context, and not just through the lens of whether the delivery vehicle is digital.
The term “act of war” has legal and policy ramifications, especially for the U.S. military. A presidential declaration that the homeland is under attack triggers uniformed military command responsibility, even though it is far more likely that the president would turn to other arms of national power to respond to a digitally enabled kinetic outcome in the homeland. The intelligence community, to include the National Security Agency, FBI, and Departments of Treasury, Homeland Security and State, as well as the private sector, will be more vital than most military arms in this scenario.
For example, North Korea’s threat in 2014 to blow up domestic movie theaters if they played a movie critical of the Pyongyang regime mobilized the whole of government. The president brought the private sector into the crisis management inner circle, imposed economic sanctions on North Korea, mobilized diplomacy, and may have authorized secret actions by the intelligence community, operating under its Title 50 authorities.
This is a different way to look at the world than considering what we would do in response to a ballistic missile or another physical strike originating outside U.S. soil. Our response platforms will not come from ground-based missile interceptors at Fort Greely, Alaska, but probably from various domestic office buildings.
Defining hostile acts against the homeland is always going to be context-specific, and how we should respond to them needs to be the same, regardless of what you call it.
TCB: Why haven’t we seen major attacks against U.S. power grids? Is it a lack of intention or a lack of capability, or perhaps even mutual vulnerability in the case of more sophisticated adversaries such as China and Russia?
Rosenblum: It’s largely a matter of intent. I believe we are vulnerable. I also believe we are mutually vulnerable.
We should not have high confidence in our ability to gain permanent, airtight protection of the power grid ecosystem from digital intrusion, to include intrusions that impact system operations. There are broad, significant efforts to reduce internet touch points for the most crucial operational control elements of sensitive critical infrastructure, and threat vulnerabilities often are closed upon discovery. But vulnerabilities are regularly discovered years after software is rolled out. Vulnerabilities are constantly being made anew each time a new layer of software is integrated into an existing network. At present, there is no way around this for enterprise-level systems.
As noted earlier, persons in Russia attacked the Ukrainian power grid, and persons in Iran crippled operations at Saudi Aramco for days. Yet in both cases, the systems were offline for days or weeks, not months. There is considerable debate about whether digitally enabled disruptions at major operations plants would cause long-term or just short-term outages. This may be one reason why state actors are loath to risk escalation, since the actual impact might be relatively small and all sides are vulnerable to response.
TCB: Can we expect non-state actors, such as terrorists, to eventually be resourced and technically capable of conducting disruptive attacks against critical infrastructure?
Rosenblum: Absolutely. A central tenet of our counterterrorism policy is to deny safe havens. It is not realistic to think we and our allies will be able to deny digital safe havens to terrorists and organized crime. It is one thing to deny physical space, but it is another to deny virtual space. The challenge is compounded by end-to-end encryption that can, and does, leave law enforcement and intelligence professionals in the dark.
The space exists for terrorists, organized crime, state, and non-state actors to build expertise and to sell and trade information about software exploits. So we should assume terrorists could acquire the capability to at least temporarily impact critical infrastructure operations.
TCB: The Trump Administration’s cybersecurity Executive Order emphasizes securing the nation’s critical infrastructure. What does this mean in practical terms?
Rosenblum: Issuance of this Executive Order is a good thing and a welcome development. Governments, like all other large enterprises, need to constantly refresh their priorities, especially since their overall size and capacity is finite.
This Executive Order is a signal to the U.S. national security community that securing the nation’s critical infrastructure is moving up the priority ladder – meaning some other things will need to move down. It will inform national, agency, and mission-specific priority frameworks. The Pentagon and intelligence community take strategic guidance quite seriously. This guidance infuses budget decisions, manpower, and system use priorities. The intelligence community, for example, will likely shift more resources to collecting on, detecting, and understanding threats to the nation’s critical infrastructure. Outreach and partnership efforts with the private sector, which owns and operates 90 percent of the nation’s critical infrastructure, will become more important to senior leaders. The next Secretary for Homeland Security will be expected to improve cyber workforce hiring and the operational capacity of the National Cyber and Communications Integration Center. The center is the federal government’s primary body for protecting the .gov network and working with the .com private sector.