The Cyber Horror Picture Show: Doing the Time Warp Yet Again

By Thomas Donahue

Thomas Donahue retired from CIA after 32 years of service. He served as the Chief Editor of the President’s Daily Brief and other CIA daily production during the second term of the Clinton administration, and he spent the last 18 years of his career focused on cyber threats as a manager and senior analyst in what is now known as the Center for Cyber Intelligence. He served four years at the White House during the Bush and Obama administrations, most recently as the senior director for cyber operations for the National Security Council staff. During his last two years, he was the research director at the DNI's Cyber Threat Intelligence Integration Center. He has a Ph.D. in electrical engineering from MIT.

I remember doing the Time Warp
Drinking those moments when
The blackness would hit me
And the void would be calling

Let’s do the Time Warp again
Let’s do the Time Warp again

  • Rocky Horror Picture Show, 1975

Cyberspace is akin to the haunted mansion of a gothic horror movie.  Disconcerting bumps in the night, passing shadows, flickering lights, and screams from afar that jolt the senses.  For more than 20 years, experts have argued about whether something worse lurks in the basement of this gothic mansion that could have an impact beyond the annoyance, disruption, and financial loss of most cyber attacks to date.  An expert with The Cipher Brief, noting recent U.S. Government warnings of Russian botnets hosted on hundreds of thousands of routers, drew parallels between cyber threats and the Cuban Missile Crisis.  How scared should we be?

The most recent sanctions imposed by the U.S. Treasury against Russia suggest the current Administration is most concerned by threats to the electric power grid and the telecommunications backbone (notably undersea cables).  A year ago, the President met with electric power industry leaders about this cyber threat.

Could an adversary hold even this core type of infrastructure at risk with a potential impact comparable to the threat posed by Soviet missiles in Cuba?  A cyber attack with effects comparable to the annihilation of major cities and many millions of people seems to be a “stretch goal,” but might adversaries still attack infrastructure selectively, perhaps as retaliation for U.S. cyber activities, to signal discontent regarding other U.S. policies, or create short-term military advantages against U.S. forces deployed overseas by cutting off communications?  Would U.S. decision making be hampered by a demonstrated adversary cyber capability during a time of crisis?

The policy discussion about cyber threats to critical infrastructure go back to the studies leading up to Presidential Decision Directive 63, signed in May 1998.  Many discussions since then, however, typically have dismissed the possibility of a strategically significant attack on critical infrastructure short of major armed conflict with a nuclear-armed adversary, at which point cyber is arguably the least of our concerns.  Industry considers such a non-nuclear strategic event to be unlikely (see the late 2017 Cipher Brief interview with the head of Southern Company, Thomas Fanning), either because it is too hard, the impact of a less than comprehensive attack would be of little consequence, mitigation and recovery could counter many of the effects of disruption, or most adversaries (e.g., criminals) would lack the motivation for an attack that does not have a financial gain.

Certainly the impact of any cyber attack would need to measure up to what industry routinely deals with because of equipment failures and physical sabotage.  Consider the Metcalf incident, involving an attack on both power and telecommunications or major storms and earthquakes such as the December 2006 earthquake near Taiwan that cut many undersea cables in the region.  Or consider the cable cuts noted in Russian media that occurred about a dozen times on the West Coast during a year spanning 2014-2015.

Cyber attacks offer a number of advantages over natural events.  The attacker chooses the time and place of the event and has the option to repeat as necessary.  Cyber scales better than physical attacks, and a short interval of disruption may be sufficient if synchronized with other key events.  Under specialized circumstances, cyber also has the potential to create physical damage to equipment not readily replaced (e.g., transformers and generators), as demonstrated by the U.S. Government in 2007.

On the other hand, cyber methods must be tailored to specific targets, and access—once gained—must be maintained across all the necessary targets until the specified attack time despite the constantly changing environment.  Russia is playing a numbers gain with relatively noisy entry attempts followed by stealthy infestation and lateral movement.  Can they maintain useful access for the long haul?  Do they understand the targets well enough to create enduring effects?  When will they have enough targets in hand to be useful?  Do they have other plans to supplement the cyber effort with physical sabotage?  How extensively has Russia prepared for attacks against undersea cables?

Most cyber effects are reversible, and well-prepared organizations can quickly rebuild disrupted databases and networks.  For the unprepared, however, the loss of data and networks can directly or indirectly disrupt business processes for days, weeks, or even months.  Not-Petya in 2017 caused Maersk shipping volume to decline 20 percent until thousands of servers and workstations could be replaced and forced Merck Pharmaceutical to shut down some production lines.

Adversaries are not concerned with theoretical arguments about the efficacy of cyber operations.  The Russians in particular, according to U.S. Government reports, have been actively seeking access to the networks that control U.S. power grids since at least 2014 (see Havex/BlackEnergy events) and conducted limited attacks on Ukraine in late 2015 and 2016.  As noted in prior Cipher Brief columns, these events appeared to be tests of capabilities rather than full-scale attacks.  More recently, the U.S. Government reported further efforts to penetrate U.S. power systems.  Cipher Brief experts have described these efforts as a broad preparation for being in position to attack the “disproportionately vulnerable” critical infrastructure of the United States.  As a further indication of the broad nature of cyber attacks on the United States, another cyber actor, as yet unattributed, has experimented with attacks on safety systems used by the oil and gas industry to prevent physical damage, first in Saudi Arabia, but more recently in the United States.

We do not know the full extent of this effort or the scale of Russian success within U.S. networks.  Most of the activities directed at the United States have been just probing and intelligence gathering, but the cyber security industry has reported at least a few activities that gained useful access to industrial control system networks.  Have we largely defeated this effort, or is Russia slowly but surely over a period of years building a foot hold in the power grid or in the oil and gas system that provides energy to the grid?  Who else besides Russia has a similar effort under way to penetrate U.S. critical infrastructure?

What would we do if somebody went beyond probing and preparation and started to disrupt critical infrastructure, even if just at a small scale to signal displeasure with U.S. policies?  What would be an appropriate, proportional response?  What is our policy, depending on the certainty of attribution?  Would we just clean up and move on, or would we eventually retaliate?  Could we run systems manually for extensive periods of time as the Ukrainians had to do?

Cyber Command’s latest vision statement argues that we must “defend forward” as close to the adversary as possible to get ahead of the adversary.  Will the perception of an aggressive U.S. policy, growing foreign cyber capabilities, past cyber attacks by other countries without cost to the attackers, and increasing connectivity and concentration of assets create an inexorable dynamic leading to a new cyber norm of unrestrained back and forth attacks against the critical infrastructure that underpins economic prosperity?

Will a slow degradation of national prosperity using incremental attacks on infrastructure become a new strategy for nation states (big and small) that lack other options, whether in a military context or even a trade context?  This is the rumbling noise down in the basement.  It’s coming up the stairs …

With a bit of a mind flip
You’re into the time slip
And nothing can ever be the same
You’re spaced out on sensation
Like you’re under sedation

Let’s do the Time Warp again
Let’s do the Time Warp again

  • Rocky Horror Picture Show, 1975

Related Articles

Search

Close