The following are relevant excerpts from a recently published analysis of the vulnerability of critical U.S. infrastructure to cyber attack. The analysis is by Lt. Col. Michael Myers, U.S. Air Force, deputy director and instructor at the Joint Command Control & Info Ops School at the Joint Forces Staff College.
— “According to the director of Intelligence in a 2015 report to Congress, major nations have bolstered their cyber operations against private industry for a number of reasons. Some of these nations are specifically developing or improving remote access to the CI in the United States.”
— “Expanding on my colleague’s earlier op-ed, even with great strides in cybersecurity bolstering efforts by the whole of government, industry and the private sector, the entire United States CI (critical infrastructure) is unprepared for a major cyber-event and remains at a high risk from the exploitation and mission failures that could result, and it is time to create solutions.”
— “DHS defined 16 unique CI sectors, including water/dams, transportation, finance, telecommunications and energy/electrical.”
— “There are numerous cyber intrusion examples against various CI that have played out worldwide. In 2007, Estonia was hit with a barrage of botnets, script-kiddies and sophisticated hackers all focused on connected opportunities including media outlets, communication companies and banks.
“For the first time, a country was completely internet-blocked and isolated from the connected world without an adversary stepping foot on their land.
“In early 2010, the second example also focused efforts toward a country, but targeted a specific capability that the country was developing. The weapon wielded was called STUXNET, a sophisticated assembly of computer code leveraging multiple zero-day exploits — vulnerabilities referring to a hole in software that is unknown to the vendor — and other vulnerabilities embedded in the target system.”
— “STUXNET was designed to inflict physical damage toward certain systems and equipment…”
— “…[I]n 2011, a small dam in the middle of New York along with some major financial institutions were subject to cyber attacks linked to the Iranian government.”
— “The dilemma is as wide as it is deep. The majority of the nation’s CI is privately owned and operated. This leaves assessment, oversight and compliance enforcement a challenge for the federal government.”
— “…[Cyber] insurance can be one aspect of a CI industry’s plan to mitigate risk, but it is not the silver bullet.”
— “…[I]f one of these systems were targeted with a STUXNET-like attack and it caused physical destruction of major components, it could be cost-prohibitive as well as a lengthy time to receive it out of the supply chain.
“Therefore, if the government could procure, stage and store these key components, it would significantly reduce the impact to the public during a cyber catastrophe.”
— “[Solving the CI dilemma] will take a whole of nation approach.” [source]
Analysis: The one policy that would likely give our enemies pause and cause them to think twice and even three times before attacking our infrastructure is the Obama administration’s decision in 2012 to consider cyber attacks an act of war worthy of an overwhelming military response. We shouldn’t rely on deterrence alone, of course, which is the colonel’s point. To be effective in guarding our national CI, government and the private sector will have to work together, especially on the financing — the biggest stumbling block.