President Obama issued Executive Order 13636 in February 2013, directing agencies and departments of the federal government to take the necessary steps to protect US critical infrastructure. This EO was a response to the increasing concern over cyber intrusions and attacks on cyber resources within the United States.
Turning this EO into a coherent interagency policy is problematic at best. The U.S. would like to protect its classified information and also the intellectual property of US industry, but the questions are twofold: how far should the government go, and what are the government's responsibilities? Mandiant published a report on the extensive activities of the Chinese People's Liberation Army Unit 61398. It is not clear that the activities of this unit are singularly PLA derived. If the PLA steals trade secrets from a US defense contractor and delivers them to a Chinese company that then uses them for commercial advantage, what do we call that act? Cybercrime? Espionage? Or an act of cyber war? Which label we choose will influence the response.
What is the role of cyber deterrence? How does the U.S. persuade cyber agents against cyber-attacks? The theory of deterrence states that you prevent an adversary from taking action by conveying the idea that the retaliation will be too costly to bear. Key to this lies in the ability to communicate the threat of a response and having the capability to carry out the threat of response.
U.S. nuclear policy during the Cold War was fairly straightforward. There was only one major threat, the USSR, and the consequences of a Soviet attack on the US or its allies were understood to mean mutually assured destruction (MAD). In the 21st century, how can we deter both nation states and non-state actors?
We can certainly draw on experience with naval and air power for ideas, but the characteristics of the new domain call for new theories. We need to know what role the state will play as the importance of the domain continues to grow.
Presidential Policy Directive 20 (PPD 20) was recently signed and, although classified, according to sources allows the US military to begin developing offensive targeting capabilities under new authorities. According to a recent Scientific American article, the U.S. military is preparing for a future war waged with computers. In this future world, technologies are much more vulnerable because of the interconnectivity that continues to grow. Some examples include networked bank accounts, streetlights and power grids, real-time transit data that can locate vehicle and rider position, and systems that can move medical records from one hospital to doctors across town. Technology invites cyber attack, with particularly grim ramifications for major metropolitan areas.
The Scientific American article reported the existence of a 48 sq ft model developed and run by the SANS Institute as a training aid for the DoD (and others) that allows attack and defense scenarios to be played out by computer. This model allows the scenarios to capture the possible kinetic effects produced by such an attack. It also allows tactics to be developed for mitigating those effects. The training model, called "CyberCity", can simulate transportation networks, hospitals, banks, and other NII entities. It is modeled after a small US town of approximately 15,000 and has databanks representative in size and detail of such a population. The rest of the NII infrastructure is said to be typical of what one would see in such a city, so it is a good training venue for cyber offensive and defensive scenarios.
What might the effect of a loss of power look like? Hurricane Katrina occurred in August 2005 and was one of the worst U.S. natural disasters in recent times. It created a multistate event that resulted in a blackout that lasted for weeks in some areas. In a 2008 report titled "Report of the Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack," the Katrina scenario is used to extrapolate what could occur in a larger, nation-wide event that would destroy much of the power grid in the US. While the scenario envisioned is concerned with a large EMP event, the description is one of the loss of electric generation capability. It documents the potentially far-reaching and disastrous effects on the general population of losing the electric grid. Chapter 2 of the report details the effects on the energy grid.
Listen to the Experts (Optional Talk)
An optional video (14:54) produced by CBS can be viewed on YouTube. It is recommended viewing to supplement the reading.
This Cyber War episode of "60 Minutes" was originally broadcast on March 4, 2012. The US electric grid depends on large central generators that could be severely damaged by a small number of attackers. The transmission lines often span hundreds of miles. Their vulnerability is exacerbated by the fact that the lines are now being used to move power between regions to support the needs of new competitive markets for power generation.
An additional 5-minute story from 2009 shows what can happen when an electric generator is manipulated via the web. The Aurora Project proved that network control of a generator is very dangerous. It showed how a 27-ton, 1-megawatt power generator can be destroyed simply by hacking into it from a common laptop. Imagine getting access to all of the generators in the U.S. and then simply pushing the enter key on your keyboard.
Some skilled hacking by a malicious programmer or an Al-Qaeda professional could accomplish this. A few malignant hackers on the power grid could result in a large part of the US economy dying.
What will we do without electricity for 4 months or maybe up to a year?
All advanced societies on the planet depend on infrastructure, and the more advanced the nation, the higher that dependency — and the higher the consequences of compromise of that dependency.
In developing this course, I was reminded of some of the lessons I learned after analyzing physical infrastructure as networks.
It is not hard to envision the infrastructure network of a prominent country. Such a network is critical to a nation's international trade. Such networks are built for efficiency, not for robustness and resiliency. That efficiency affects the network in two main ways: when it works as designed and when it fails. The nodes in the network above are connected with an almost minimal number of links in order to avoid redundancy. If this network is hit by a random failure, more often than not the result is not catastrophic. There are numerous places the network can fail with only localized effects.
Unfortunately, the design focus on efficiency might be used against us in an attack. Efficient networks can often handle random failures, but they are vulnerable to targeted attacks on the nodes that control connectivity. The network above is both highly efficient and highly vulnerable. You only need to disable a few nodes for the network to dissolve into disconnected components, halting the flow through the system. This means that geographically targeted attacks can succeed by hitting only a few nodes or a few links. If the plan is to disable the above network, which nodes would you select?
Our systems of the future have to be designed under the conflicting constraints of efficiency and resilience. Resilience requires redundancy, and redundancy is in conflict with efficiency. Redundancy provides failover pathways in a network so that other paths are available to continue the flow should one fail. As things stand now, we often must sit and wait until the network is repaired.
Redundancy as a Design Constraint
The secret to resiliency is alternative paths through the network, called "dual homing" in communications networks. This becomes a design question of where to put the alternative paths. Network analysis can be used to identify the easiest points of failure. Other factors, such as geography, can help determine the most easily attacked nodes and links. We cannot plan for all possible attacks, but we can build some alternate pathways into our systems so they are more robust. They should degrade gradually after an attack and not fall apart after a few well-targeted attacks.
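The efficiency-versus-resilience argument above (random failure, targeted removal of the nodes that control connectivity, and dual homing as the fix) can be made concrete with a small network model. The following is an added example, not part of the course text or any figure it refers to: the hub-and-spoke graph, the ring of dual-homing links and the node names are all constructed for illustration, and connectivity is measured by counting connected components after nodes are removed.

```python
"""Added example: random failure vs. targeted attack on an efficiently
built network, and the effect of adding dual-homing links."""
from collections import deque

# Constructed "efficient" network: two regional hubs A and B joined by a
# single link, each hub feeding three sites. 8 nodes, 7 links, no redundancy.
EFFICIENT = {
    "A": {"B", "a1", "a2", "a3"},
    "B": {"A", "b1", "b2", "b3"},
    "a1": {"A"}, "a2": {"A"}, "a3": {"A"},
    "b1": {"B"}, "b2": {"B"}, "b3": {"B"},
}
# Constructed dual-homing links: a ring through the sites, so every site has
# an alternate path that does not pass through its hub.
RING = [("a1", "a2"), ("a2", "a3"), ("a3", "b1"),
        ("b1", "b2"), ("b2", "b3"), ("b3", "a1")]

def dual_home(graph, extra_links):
    """Return a copy of graph with the redundant (failover) links added."""
    g = {n: set(nbrs) for n, nbrs in graph.items()}
    for u, v in extra_links:
        g[u].add(v)
        g[v].add(u)
    return g

DUAL_HOMED = dual_home(EFFICIENT, RING)

def link_count(graph):
    """Number of undirected links: the efficiency cost of redundancy."""
    return sum(len(nbrs) for nbrs in graph.values()) // 2

def remove_nodes(graph, victims):
    """Graph left after the victim nodes and all their links are lost."""
    victims = set(victims)
    return {n: nbrs - victims for n, nbrs in graph.items() if n not in victims}

def components(graph):
    """Count connected components by BFS; 1 means flow can still reach everywhere."""
    seen, count = set(), 0
    for start in graph:
        if start in seen:
            continue
        count += 1
        queue, seen = deque([start]), seen | {start}
        while queue:
            for nxt in graph[queue.popleft()]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return count

def highest_degree(graph, k):
    """Targeted attack: the k nodes controlling the most connectivity."""
    return sorted(graph, key=lambda n: len(graph[n]), reverse=True)[:k]

def attack_outcome(graph, k):
    """Components remaining after the k best-connected nodes are disabled."""
    return components(remove_nodes(graph, highest_degree(graph, k)))
```

Losing two leaf sites at random leaves the efficient network connected, while losing its two hubs splits it into six isolated pieces; the dual-homed variant pays six extra links and survives the same targeted loss, and even the loss of four nodes, as a single connected network.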
We live in a world of increasing interconnectedness and interdependent networks. In the future, we have to build this infrastructure in new ways that focus not only on efficiency, but also on robustness, and the ability to bounce back from an attack or catastrophic failure.