October 19, 2017

America’s infrastructure less secure now than 15 years ago says researcher at ABA breakfast

A team of cybersecurity researchers at MIT say that America’s core industries, including oil and gas, water, electricity, finance and communications, known as “critical infrastructure,” are significantly at risk from cyberattacks. 

Joel Brenner, author and former inspector general of the National Security Agency, addresses a breakfast program sponsored by the ABA Standing Committee on Law and National Security.

Mostly privately owned and in place before cybersecurity was a concern, these vital systems are essentially defenseless, they say, urging immediate action and a long-term plan.

The researchers recently issued a report on the topic, “Keeping America Safe: Toward More Secure Networks for Critical Sectors,” and its primary author, Joel Brenner, detailed their findings at an Oct. 18 breakfast sponsored by the ABA Standing Committee on Law and National Security.

Brenner, a former inspector general of the National Security Agency and head of U.S. counterintelligence in the Office of the Director of National Intelligence, and currently a senior research fellow at the MIT Center for International Studies, said there are numerous examples of recent cyberattacks on critical infrastructure worldwide, such as the:

  • 2012 attack on the Saudi Arabian oil company Aramco;
  • 2013 attack on banking systems in Seoul, South Korea;
  • 2016 attack on Ukraine’s electric grid; and
  • 2017 attack on the British National Health Service.

Each of these attacks demonstrates the growing ability and determination of foreign security services and criminal organizations to cause massive disruption and chaos in the critical infrastructure targets of electricity, finance, communications and oil-and-natural gas sectors, he said.

According to Brenner, the main challenges in protecting the nation’s critical infrastructure are not technical – they are legal, commercial and political. 

Since 1990, American presidential leadership on infrastructure security has been chiefly rhetorical, Brenner said. System operators and policy proposals have focused on inadequate short-term fixes and tactical improvements.

The digital systems that control critical infrastructure in the United States and most other countries are easily penetrated and architecturally weak, and we have known this for a long time, Brenner said.

President Donald Trump’s recent executive order that strengthens cybersecurity on a federal level clearly intends to change that, but the proof will be in the follow-through, Brenner said.

Historically, much effort has been devoted to developing better security standards, but most standards are merely advisory. Key federal departments – homeland security, defense and energy – have devoted significant effort to improving infrastructure security. But these efforts have not altered the strategic balance, Brenner said, and as a result, “our critical infrastructure is less secure now than it was 15 years ago.”

The underlying problem is that the owners and operators of critical infrastructure have aggressively aggregated data and linked functions without regard to long-term risk. They also have retrofitted industrial operating technology with digitized controls exposed to the internet.

The control for a railroad switch, for example, or a power generation plant, used to be locked up. They’re now reachable and potentially controllable electronically from anywhere on earth.

The efficiencies such linkage created for managing distributed technologies were immediate and obvious, Brenner said. The vulnerabilities were also immediate, but they weren’t obvious to people who weren’t computer geeks – or they were deniable. “They’re now obvious to everybody, and they’re no longer deniable,” he added.

Brenner said he and others at MIT began asking what a substantially more secure network environment for critical infrastructure would look like.  

The first recommendation is that key operating controls be isolated from public networks.

Second, our government should support a market for simpler, safer control technology. “Why? Because complexity is the enemy of security,” Brenner said.

Third, he said that four factors drive behavior in a market economy: market opportunity, tax policy, liability and regulation. As a nation, we have failed to employ tax policy as a security driver. The MIT report recommends tax incentives to encourage the accelerated retirement of legacy systems.

“I also note that our current liability regime is radically misaligned with security,” Brenner said. “I can’t think of any other area of our collective commercial life in which one can introduce unsafe or unsuitable goods with no liability for the economic consequences.”

Brenner compared the current state of critical infrastructure security to the debates about motor vehicle safety in the mid-1960s. In April 1966, the Seventh Circuit, in the case, Evans v. General Motors, held that GM was not liable for the fatal consequences of a side-impact collision involving its “X” frame chassis, which provided no protection against side-impact collisions. As the dissent described the holding, “The opinion of the court decides that General Motors’ duty was, as it concedes, to design its automobile to be reasonably fit for the purpose for which it is made, and free from hidden defects; [but] that notwithstanding General Motors’ foreseeability of possible broadside collisions, the ‘intended purpose’ of the automobile does not include its participation in such collisions. …”

Later that year, Congress passed the Highway Safety Act and the National Traffic and Motor Vehicle Safety Act, which changed the vehicle market and drastically reduced traffic fatalities. Instead of expecting drivers to modify their behavior, the act sought to change the safety environment by imposing duties on manufacturers and to alter the interaction between driver and vehicle.

“It seems to me we’re at a similar juncture, or should be,” Brenner said. “Trying to improve behavior is worth the trouble, up to a point. Yet any regime that places security wholly in the hands of users is destined to fail, because when security butts heads with convenience, convenience wins every time.”

Our entire world is dependent on reliable and reasonably secure software, and the lack of it makes it increasingly difficult to protect the nation’s vital functions, he said.