Yogi Berra told us it’s like déjà vu all over again–and cyber stalkers let out a huge yawn at yesterday’s House Armed Services Committee hearing on cyber operations. This torturous exercise in reviewing technology security and public safety challenges associated with critical infrastructure was studded with the clichés and platitudes that set our nation up for a massive kinetic cyber attack.
We heard from the usual cast of characters–including Michael Chertoff, the former secretary of Homeland Security who now heads a security consulting firm; and retired Gen. Keith Alexander, now CEO of IronNet Cyber Security, who told the Congressman what everybody in America already knows. America’s critical infrastructure is wide open to abuse.
“As far as the private sector is concerned, you’ve got widely distributed ownership and control of infrastructure and uneven capabilities and knowledge about how to defend that infrastructure,” said Michael Chertoff. Within that infrastructure are countless systems that human lives depend on. Each is a potential target.
Rep. Jim Banks, R-Ind., recounted a ransomware attack that hit a hospital in his home state. With their computer system down and patient care hanging in the balance, the hospital had no recourse but to pay. The witnesses noted that healthcare facilities represent an attractive and vulnerable target, while also commenting on the increasing prevalence of IoT medical devices as an attack vector.
Not content to riff on threats from individual criminals and syndicates, the folks got hot under the collar about the bigger threat from state-affiliated entities.
“Much of the nation’s critical infrastructure is privately owned,” Banks said. “The effects of a state actor using cyberattacks on the public health system or other critical infrastructure would be disastrous given the systemic vulnerabilities.”
At the end of March, a cyberattack disabled the electronic communication systems of several utility and natural gas providers. The attack halted a third-party transaction platform that pipelines and utilities rely on for live pricing models. Energy services were disrupted. While the country’s power grid might be a little more resilient, this is nonetheless foreboding.
“There’s not going to be a single step,” Chertoff said. “It’s about raising the level of cyber hygiene for the owners or operators of the critical infrastructure.”
Next up, the group talked about that old chestnut–information sharing. They encouraged more avenues for communicating threats and attacks while mitigating the reservations companies may have about disclosure.
“Some of the things we can do to make [defending infrastructure] a little bit easier are continuing to promote information sharing,” Chertoff said. “Particularly having it be automated, having the ability to use common language to describe threats, and I would argue also making clearances more widely available to the private sector so that there can be greater in-depth sharing of information.”
Alexander double down, flagging the bumps in the road.
“There are still several things that I think limit that sharing,” said Alexander. “One of them is liability protection and the concerns of liability. For small and mid-sized companies: how do we incentivize them to actually have good cyber and the ability to share real-time information?”
Alexander pointed to the Cybersecurity Information Sharing Act as empowering companies with the authority to share. Chertoff looked to another area, counterterrorism, for sample legislation that could provide a good framework. He said the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act assuaged private sector fear of backlash.
“The SAFETY Act really incentivized the private sector to invest in tools that could be used to counter terrorism because there was a liability protection that came with it,” Chertoff said. “Extending that to cyber would be a very easy, straightforward thing that would begin to create some incentives for the private sector.”
To be fair to the witnesses, they have the opportunity to play Cassandra before Troy. Legislators need to get to action before it’s too late. Back to Yogi for the dismount–it’s tough to make predictions, especially about the future, or maybe it’s not so tough…?