Not a day goes by that Americans don't wake to the news of a new cyber intrusion affecting private sector or government networks, whether major cyber hacks at Target or Equifax, sloppy data breaches like those Verizon experienced, or nation-state-sponsored efforts like the WannaCry virus. Companies and institutions are pouring more time, attention and resources into computer network security, because the networks are so critical. But why lock the front door when you leave the windows wide open? Bad actors can launch attacks and gain access to critical information through other routes too.
As seen with the widely reported interference in democratic elections, attacks can be launched cheaply and relatively easily by criminals, nation-states, terrorists, disgruntled employees, or even good people with sloppy habits who accidentally expose critical data. As a former Secretary of the Air Force, I can tell you that Air Force networks are attacked—and these attacks are repelled—thousands of times per week.
This is why, in addition to network security, the Air Force is focusing more resources on operational security. The private sector should follow suit.
Operational security means protecting assets that depend on lines of code in software to conduct missions, whatever those missions might be. This could involve anything from protecting advanced fighter aircraft to the HVAC systems on a base where critical operations take place. It could include the MRI machine in a hospital entrusted with sensitive patient data. Our critical infrastructure—the electrical grid and transportation systems, for example—can be equally vulnerable from an operational perspective, if network security is the sole focus.
The solution is to broaden the national cybersecurity approach to include "endpoint security" for vital operational systems. Stated another way, we need to wrap firewalls around certain vital machines to ensure that an intrusion in one area will not allow for a more extensive penetration to the broader network.
Consider a fictional scenario in which a U.S. nuclear facility is breached. A terrorist group launches a “cyber-physical attack” by unleashing a virus that penetrates sensors that monitor cooling. The malware is introduced when an infected flash drive is inserted into a network laptop during maintenance to adjust, for example, process sequences. The laptop is presumed to be safe because it's not connected to the internet—it is "air gapped." The virus targets specific endpoints that manage fail-safe functions such as temperature maximums. The virus tells temperature sensors to stop working. At the same time, it tells other mini computers to escalate heat-generating functions. The result could be catastrophic overheating and, ultimately, a meltdown.
Such an attack, and many others we haven't thought of yet, are preventable when control systems are more deeply protected. Each device and sensor comprising the network can and should be shielded from malware that gets through the figurative front door.
Here's the bottom line: we need a holistic approach to cybersecurity going forward, including network and endpoint security. Focusing on one but not the other could result in crippling losses in today's machine-to-machine marketplace.
The government and the private sector need to keep working to lock the front door, and start doing a better job of bolting the windows.
