Brief: Assessing the State of Cyber Threats for SHTF Scenarios 🔒

In testimony before a joint hearing of the Emergency Preparedness, Response, and Communication Subcommittee, cybersecurity experts from government agencies and the private sector expressed concerns and made recommendations regarding the future of US cybersecurity.

Here are our findings:

[wcm_nonmember]

---

This content is for subscribers only. To continue reading, please log in or subscribe here.

[/wcm_nonmember]

[wcm_restrict plan =”fo-osint”]

Government Accountability

• Cybersecurity continues to be the “lowest core capability” in government security.
• A high state of readiness is continually required in order to defend against a cyber attack, however, the attackers get to choose when they are ready to attack.
• Four years after recommendations following a cyber exercise, there’s still widespread confusion in government about chain of command and information sharing in the event of a cyber attack.
• Congress passed a law in 2014 requiring the Obama administration to finalize the National Cyber Incident Response Plan.  To date, it has not been finalized.
• Ranking members of this hearing’s subcommittee questioned the administration’s seriousness about cybersecurity.
• Information sharing to the state, local, and private sectors is an obstacle when the government information is classified, severely limiting the dissemination of threat intelligence.
• Underfunded budgets, misconfigured networks, and poorly staffed cybersecurity teams will continue to hamper efforts in local, state, and federal cybersecurity.
• Most states do not have a cyber disruption plan.

 

• Ransomware attacks, which encrypt host computers until a ransom is paid, are a popular threat vector, however, they’ve not had a strategic impact.  While most cases in the US have involved individuals, there are several higher profile cases involving hospitals and school systems.
• Industrial control systems represent the greatest risk to cyber attack.  Those control systems include ventilation, lighting, train control, and other automated processes that could be disrupted.
• Because 75% of cyber attacks from the first victim spread to the second victim within 24 hours, the potential for viruses and other self-replicating attacks to spread very quickly to other control systems is substantial.
• Additionally, because of the number of contractors who have access to industrial control systems, the risk of insider attack is also substantial.
• Power outages, loss of water services, disruptions to the internet and communications, and disruptions to the transportation of goods, services, and people are potential direct effects of attacks on infrastructure targets.  Second- and third-order effects could be much more complicated; like civil unrest, increase in criminality, and failure of government and the rule of law.

 

Analyst Comment: In previous EXSUMs, I wanted to get across that cyber attacks are our greatest vulnerability. I recommended that we should be preparing for a grid-down environment because that’s the extent of the threat, especially against our cyber rivals in Russia, China, and elsewhere.  The likelihood of a grid-down event isn’t zero, however, in most circumstances it’s not a high-likelihood event.  But in a conflict with a near-peer adversary, we should expect systems disruption in the US.

The scalability of cyber attacks is partly what makes us so vulnerable.  In conventional warfare, we can see our adversary: a tank or soldier at the opposing end of the battlefield.  If there are 100 enemy soldiers there, then I can expect to encounter a maximum of 100 fighters.  If we’re facing 100 enemy soldiers, and their reinforcements are on the march but three hours away, then we have a fairly stable operating environment for the next three hours.

But the problem in the cyber domain is that it’s exponentially more complex.  In the cyber domain, not only are reinforcements immediately available, but they’re also scalable.  There may be, let’s say for example, 100 enemy cyber soldiers right now, but their ability to quickly create 10,000 virtual soldiers through the use of botnets and self-replicating viruses makes defending against them so difficult.  And when we consider the number of targets that exist in US critical infrastructure, we’re talking about a very large battlefield.  Further, because the government and military have limited resources with which to defend this expansive battlefield, we’re playing at an extreme disadvantage.  US cybersecurity must maintain a high state of readiness in order to defend against a cyber attack, however, the attackers get to choose when they’re ready to carry out the attack.

We should not have the expectation that the US Government or military will be able to defend against a sustained effort from a determined adversary.  In the past roughly six months, we’ve witnessed three cyber attacks in particular, each of which was likely carried out by Russia.  The first occurred in December 2015 when part of Ukraine’s power grid went down.  Redundant systems were also targeted in that attack.  And then in April of this year, Russia was likely behind the cyber attack that crashed Sweden’s air traffic control systems — an attack which lasted for five days.  And then in May, the German Bundestag computers were down for days due to cyber sabotage; again, likely carried out by Russia. US cybersecurity may not ever catch up to the global threat, and certainly not at their current rate of growth.  That means that we should be prepared to feel the effects at home of US foreign policy abroad.

[/wcm_restrict]