The Record of FPRI Scholars on Threats to the Electric Grid
On March 15, 2018, the New York Times reported that Russia had hacked power plants in the United States. The newspaper also reported that Jon Wellinghoff, former chairman of the Federal Energy Regulatory Commission, said that while the security of the United States’ critical infrastructure systems had improved in recent years, such systems are still vulnerable to hacking attacks. “We never anticipated that our critical infrastructure control systems would be facing advanced levels of malware,” Mr. Wellinghoff explained.
Since its inception, the Center for the Study of Terrorism at the Foreign Policy Research Institute has prioritized the importance of systematic and rational investments in security, made in response to disruptive threats including those in cyberspace.
The United States Computer Emergency Readiness Team (US-CERT), the arm of the Department of Homeland Security charged with identifying cyber threats to national security, has issued Alert TA18-074A, entitled “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors.” The alert describes many attacks by Russian entities on a wide range of systems that operate and support the United States’ electric, oil, gas, and related energy systems, as well as other critical systems. This report follows other recent accounts of Russian cyber intrusions into voter registration systems and communication systems, and, of course, the thousands of attempts every hour to penetrate U.S. military systems.
Despite the hundreds of reports of cyber threats to U.S. critical infrastructure in the years since September 11, most of which have characterized each incident as a “wakeup call,” both the government and the private sector have continued a long tradition of responding by figuratively rolling over and going back to sleep. The Foreign Policy Research Institute has alerted policymakers to these threats and advised about responses over the years, both in our published research and in private briefings, but the threat still pervades American society. Since 2003, the Terrorism Center at FPRI has been on the cutting edge of these issues. What follows is a brief overview of the Center’s research on this critical topic, and a review of its central policy prescription.
In 2003, Dr. Stephen Gale and I published, “From MAD (Mutual Assured Destruction) to MUD (Multilateral Unconstrained Disruption): Dealing with the New Terrorism,” which discussed threats to our societal commons, and recommended Department of Homeland Security implementation of a “Security Impact Statement” (discussed later in this article) process analogous to those used to create Environmental Impact Statements. From 2003 to the present, no such process has been used.
Again in 2003, we addressed threats to the power grid in the wake of the August Northeast Blackout. We wrote,
We have been writing and speaking about the potential vulnerabilities of the US electric grid (perhaps the prototypical commons) since shortly after the events of September 11th. As with most threat analysis in our post-9/11 world, we have been dismissed as alarmist Jeremiahs. Representatives of the electric industry (including those in the recently deregulated generation, distribution, and independent system operations businesses) have repeatedly assured us that a scenario based on terrorist actions leading to a collapse of the grid could not possibly occur because (a) the industry had already taken the necessary steps to secure its systems; and (b) those actions ensured that faults would be isolated and repaired quickly, efficiently, and without any risks to the supply of electricity.
The use of cyber weapons such as the Stuxnet worm deployed against Iran’s nuclear infrastructure, and the variants of that code since discovered on many computer systems worldwide, should have served notice that destruction of physical equipment by cyber intrusion is not only possible, but a near certainty. The disruptions of electric power systems in Ukraine (December 2015 and December 2016) and Georgia that have been attributed to Russian actors should likewise have been adequate red flags to U.S. grid operators and regulators alike. It appears that they were not.
On September 11, 2003, Professor Gale and I warned of the need to respond to external threats in a concrete fashion. “The United States must defend the integrity of our political, social, and economic systems. But this will never be done successfully if the heart of our domestic response is merely an easy continuity with our pre-September 11th habits and policies.”
In 2014, FPRI warned that, “the Internet, and the hardware and software on which it depends, is both the most complex technological system ever constructed, and the most vulnerable. … Even the US nuclear weapons arsenal is not invulnerable, as noted in a January 2013 report from the Defense Science Board.” In June 2014, the New York Times reported that “Energetic Bear,” a Russian hacking group, was targeting oil and gas companies globally using sophisticated software tools.
The latest (March 2018) alert from US-CERT stated, “DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks. After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).” In the alert’s own terms, those small commercial networks were “staging targets”: less well-defended third parties whose existing trust relationships with the “intended targets” in the energy sector gave the actors a foothold and a place to keep their tools before approaching the real objective. US-CERT details the many methods being used by multiple Russian threat actors (both private and government sponsored), including spear-phishing emails (some sent from compromised legitimate accounts), watering-hole domains, credential gathering, open-source and network reconnaissance, host-based exploitation, and targeting of industrial control system (ICS) infrastructure.
If you, personally, do not understand what is meant by each of these terms, and you are responsible for, or depend upon, computer systems operations in business or government, you should be greatly alarmed. Your lack of familiarity means either that you have failed in your responsibilities or that those who work with and for you have failed in theirs. It means that your systems are more vulnerable than those operated by others who continue to invest in keeping current with the rapidly evolving cyber threat environment and in responding to it. In short, it means that you and your organization have not invested sufficiently in security.
We have long been told that one reason for a lack of effective cyber security is that the cost outweighs the expected benefit. We have no doubt that for some personal computing devices (e.g., your own laptop computer) and small businesses (e.g., a local beauty salon, restaurant, or plumbing service) this may be true. When it comes to our national infrastructure, however, the problem that we identified in “From MAD to MUD” persists: investment in protecting our societal commons, especially when such systems are owned and operated by for-profit private corporations, cannot be judged solely from the profit-and-loss perspective of each corporation. Investment decisions must include the value of the private sector systems to the greater society in the calculus. Flawed private value calculations are precisely the missing elements contributing to the country’s current insecure predicament. They represent the “snooze button” pressed each time a wakeup call comes in.
Over the past 15 years, the federal government has attempted to influence private sector investments in cyber security, but has not mandated even a minimal level of vigilance. It has produced “framework” documents developed by the National Institute of Standards and Technology (NIST), has coordinated information by creating the Cyber Threat Intelligence Integration Center (CTIIC), and has shared some information about threats through the DHS Information Sharing Environment (DHS ISE). Perhaps the most significant “sharing,” however, was the leak of many National Security Agency hacking tools stolen and published by a group known only as the “Shadow Brokers,” which led to increasingly effective attacks by Russia and North Korea, among others. The 2017 WannaCry and NotPetya attacks, both built on the leaked “EternalBlue” NSA exploit code, crippled infrastructure systems in Ukraine, the United Kingdom’s National Health Service, Danish shipping company AP Moller-Maersk, law firm DLA Piper, drug company Merck (which estimated that the attack cost the company over $310 million), and thousands of others. The flaw that EternalBlue exploited had been patched by Microsoft two months before WannaCry appeared; the victims were overwhelmingly systems that had not been updated, which is exactly the under-investment this article is about.
FPRI’s past attention to, and suggested responses to, threats against our nation’s infrastructure, including its power grid, have been viewed as mere Jeremiads, to be tolerated and then ignored.
This time, however, is different, both because cyber threats to the very core of our nation’s institutions are so imminent, and because even the meager responses of past administrations seem Herculean in comparison to the apparent lack of interest of the present one in either shoring up our defenses or in taking actions to respond directly to the threats. As we put it in 2003, “The real targets of the type of terrorism that we face today are the derivative values of these assets: the systems of production and government, the means of economic exchange, and the vitality of and confidence in our social organizations and institutions.” The genius of Garrett Hardin’s Tragedy of the Commons was that Hardin analogized from the central strategic dilemma of the Cold War to the strategic stance necessary to address environmental degradation. FPRI called for using such insights to address the security threats posed by modern terrorism, and, by extension, to what is now termed “hybrid warfare”—the incremental use of aggression to reshape the status quo without provoking kinetic retaliation.
To understand and to implement the analysis required to properly allocate resources to security, we proposed an analog to the Environmental Impact Statement required under Sec. 102 of the National Environmental Policy Act (Public Law 91-190, 1970).
As we recommended in 2003:
The Security Impact Statement (SIS) should, at a minimum, provide a description and assessment of:
i The impacts on security of both the proposed action and the failure to act;
ii Any adverse security effects that would be avoided should the proposal be implemented, as well as those that are unavoidable;
iii Alternatives to the proposed action, the expected criteria for decision making, and analysis of why the proposed action is preferred under those criteria;
iv The costs (including the expected costs to the nation as a whole) of a successful attack, and an estimate of the net present value of the investment required to take the proposed action; and
v An estimate of the expenditures involved in implementing the proposed action.
Using the SIS process as its organizational and operational methodology, the DHS will be able to provide both the leadership and coordination necessary for the protection of our “commons” in a manner that is fully consistent with both the core values of our democracy and the prerogatives of ownership in a market economy. More important, the SIS process may permit the Department to act for the common good without resorting to outright federal management of critical infrastructure assets, the likely result in the aftermath of a true catastrophe.
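Item (iv) of the recommendation above is the one that most often goes unworked, so here is a concrete way to carry it through. This is an added example, not FPRI’s own methodology: it computes the net present value of a proposed security investment twice, once from the operator’s private profit-and-loss perspective and once from the societal perspective that also counts the loss borne by everyone who depends on the system. The scenario figures (attack probabilities, loss sizes, costs, horizon and discount rate) are constructed for illustration and are not drawn from the article or from any real utility.

```python
"""Worked cost-benefit comparison for a Security Impact Statement (SIS).

Added example, not FPRI's own method. It follows item (iv) of the 2003 SIS
recommendation: the cost of a successful attack, including the cost to the
nation as a whole, set against the net present value (NPV) of the proposed
investment. All figures in GRID_UPGRADE are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    attack_probability: float    # yearly chance of a successful attack with no new control
    residual_probability: float  # yearly chance once the proposed control is in place
    private_loss: float          # loss borne by the owner/operator per successful attack (USD)
    societal_loss: float         # additional loss borne by customers and dependents (USD)
    upfront_cost: float          # one-time cost of the proposed action (USD)
    annual_cost: float           # recurring cost of the proposed action (USD per year)
    horizon_years: int           # evaluation horizon in years
    discount_rate: float         # annual discount rate used for present value


def npv(cashflows, rate):
    """Net present value of cash flows indexed from year 0 (undiscounted) onward."""
    return sum(cf / (1.0 + rate) ** year for year, cf in enumerate(cashflows))


def expected_annual_loss(probability, loss):
    """Annualised loss expectancy: probability of a loss event times its size."""
    return probability * loss


def investment_npv(s: Scenario, include_societal: bool) -> float:
    """NPV of the proposed action from one perspective.

    The yearly benefit is the expected loss avoided by lowering the attack
    probability. The societal view adds the loss to the commons to the
    operator's own loss; the private view ignores it.
    """
    loss = s.private_loss + (s.societal_loss if include_societal else 0.0)
    avoided = (expected_annual_loss(s.attack_probability, loss)
               - expected_annual_loss(s.residual_probability, loss))
    flows = [-s.upfront_cost] + [avoided - s.annual_cost] * s.horizon_years
    return npv(flows, s.discount_rate)


def private_funding_gap(s: Scenario) -> float:
    """Portion of the action the operator alone cannot justify.

    Zero when the private NPV is already positive; otherwise the amount a
    mandate, subsidy or rate recovery would have to bridge.
    """
    return max(0.0, -investment_npv(s, include_societal=False))


def compare(s: Scenario) -> dict:
    """Both perspectives side by side, as an SIS reviewer would want them."""
    return {
        "private_npv": investment_npv(s, include_societal=False),
        "societal_npv": investment_npv(s, include_societal=True),
        "funding_gap": private_funding_gap(s),
    }


# Constructed scenario (hypothetical numbers): a regional operator weighing
# network segmentation and monitoring for its control-system estate.
GRID_UPGRADE = Scenario(
    attack_probability=0.05,
    residual_probability=0.01,
    private_loss=50e6,
    societal_loss=500e6,
    upfront_cost=15e6,
    annual_cost=2e6,
    horizon_years=10,
    discount_rate=0.05,
)

if __name__ == "__main__":
    for name, value in compare(GRID_UPGRADE).items():
        print(f"{name:>12}: {value / 1e6:10.1f} million USD")
```

With these constructed inputs the private NPV is negative (the avoided private loss of $2 million a year just covers the running cost, and the $15 million outlay is never recovered), while the societal NPV is in the region of $139 million. That gap between the two columns is the “flawed private value calculation” discussed earlier in this article made explicit, and the funding-gap figure is the size of the intervention a regulator would need to close it.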
When the Center for the Study of Terrorism at FPRI first addressed the issue of security approaches, managing both critical infrastructure systems and personal systems through computers connected to the internet was viewed as both cutting-edge and a luxury. Businesses were just beginning to connect command and control systems and front and back office business systems to the network, and “Internet of Things” was not yet a phrase in common use. Our work with supervisory control and data acquisition (SCADA) systems convinced us that such infrastructure was a likely target for adversaries wishing to disrupt the United States, and we detailed the threats we perceived. At the same time, the Department of Homeland Security, by most accounts the largest bureaucracy in history, was newly constituted, and it was unrealistic to think that this conglomerate agency could both organize itself and develop entirely new ways to evaluate the myriad security issues it was tasked to manage.
We hope, however, that after more than 15 years’ experience, the Department of Homeland Security will try to address the serious question of the methods and metrics that should guide our nation to properly provide for the security of our power grid, transportation and communications networks, financial market systems, and other societal “commons.” We urge our government officials and corporate officers to finally respond to that “wake up call” and to give that metaphorical snooze button a rest.