The United States’ ability to detect the source of cyber attacks on critical infrastructure has vastly improved in the last decade, but when it comes to preventing those attacks, we have a long way to go.
That was the consensus of a panel convened on July 27 by veteran journalist Ted Koppel at Fordham’s Lincoln Center campus.
“Lights Out: The Critical Infrastructure of the Power Grid” was the final panel of the second day of the 2016 International Conference on Cyber Security (ICCS). In addition to Koppel, it featured Keith Alexander, former director of the National Security Agency, and Steve Hill, political counsellor for the United Kingdom’s Mission to the United Nations.
Koppel, who delved into the issue in Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath (Crown, 2015), lamented that in the aftermath of 9/11, the country spent close to $3 trillion and started two wars, with the goal of defeating terrorism. But even after the 2003 Northeast blackout, which showed how much damage a major blackout could cause, and blackouts in the Ukraine and Estonia in 2007, which demonstrated how they could be caused by hackers, it’s barely a topic of conversation.
“There are 3,200 companies in this country, and the largest, biggest and wealthiest have extraordinary defensive capabilities. They are immune to cyber attack though. Quite the contrary. The problem is that all of these 3,200 companies are linked,” he said, noting that a successful attack on the weakest could allow a hacker to infiltrate larger systems.
“You can take out an entire grid, with hundreds of companies, affecting tens of millions of people over a period potentially of weeks or even months.”
At the moment, the best defense against attacks on infrastructure such as the power grid is the ability to identify the perpetrator, and Alexander said the good news is that the United States improved its attribution capabilities by an order of ten times between 2006 and 2014.
“Now, the issue is, it wasn’t at network speed attribution. We can attribute who the offensive player is, but it takes time, and sometimes it can take weeks or a month,” he said.
Concerns about privacy and profits have made power companies resistant to working with the government, and Koppel pointed out that none that were invited to the conference chose to attend.
Alexander illustrated the conundrum by polling the audience, a mix of representatives from the private sector, academia and law enforcement, on whether it is the government’s responsibility to protect privately owned computer networks, the way it would defend against a missile attack, or whether companies should defend themselves. After some consternation, several members piped up that it should be both, a notion that Alexander seconded.
“If you believe it’s both, and that government and industry have to work together for defense, where industry has to reach a certain standard, and government has to have the ability to respond, you also say that they have to share information at network speed.
“We’re not discussing that, but that’s the issue that’s on the table. We have to go further, and the government and industry have to work together.”