The Department of Homeland Security’s (DHS) rare public alert last week about a large-scale Russian cyber campaign targeting U.S. infrastructure raised a piercing alarm about vulnerabilities in the nation’s power grid, and underscored what officials have meant when talking about the need for a whole-of-government and whole-of-nation approach to cyber defense. Protecting against a major attack, managing the damage once one hits, and responding to an attack are beyond the reach of any one agency or sector, they argue; the job requires concerted efforts from the public and private sectors.
For the Department of Defense (DoD), that involves more than a conventional military response, although a response that involves bombs isn’t off the table, either.
The DHS alert, issued jointly with the FBI through DHS’s U.S. Computer Emergency Readiness Team (US-CERT), detailed a widespread effort aimed at U.S. infrastructure that ran concurrently with other Russian groups’ intrusions into the Democratic National Committee and other organizations and their efforts to stoke social and political conflict via social media. The incursions into the power grid were part of a campaign targeting U.S. government entities along with the energy, nuclear, water, aviation, and critical manufacturing sectors, DHS said.
“The fact that the DHS and the FBI have attributed attempts to attack and compromise critical U.S. infrastructure to Russia is unprecedented and extraordinary,” said Amit Yoran, CEO of cybersecurity company Tenable and the founding director of US-CERT. “From my time at US-CERT, I have never seen anything like this. It’s a wake-up call for the industry and a reminder that we are still not doing the basics well and that our defense needs to constantly evolve and adapt.”
Russia has demonstrated the ability to attack power grids before. In 2015, a then-unprecedented power-grid cyberattack caused a blackout for more than 200,000 people in Ukraine. The attack was blamed on Russia, which was at the time carrying out an undeclared war on Ukraine. In the U.S. intrusions, investigators found that Russian operators had gained enough access to industrial control infrastructure to sabotage or shut down power grids. “All that’s missing is some political motivation,” Eric Chien, a security technology director at Symantec, told the New York Times.
Actually taking out power or disrupting air travel would be an extreme step, because the likely retaliation, such as the further sanctions against Russia that accompanied the alert, would be factored into any political calculation. Russia is also not the only country that can take out a power grid. A top-secret U.S. operation called Nitro Zeus had gained the ability to take out Iran’s power grids, command-and-control systems such as air defenses, and other facilities before the 2015 nuclear agreement eased tensions; it was described as a plan for a full-scale cyber war.
Domestically, any whole-of-nation defense would draw on multiple levels of government along with industry. The DHS alert, for example, drew on Symantec’s “Dragonfly 2.0” report from October, which detailed the latest round of attacks on the energy sector by a group Symantec dubbed Dragonfly, tracing them back to late 2015. DHS also used Lockheed Martin’s Cyber Kill Chain model to analyze the intrusions.
Government’s role would be fairly comprehensive. A joint DHS-DoD paper discusses a coordinated effort to protect against and respond to a major attack while respecting the existing division of domestic jurisdiction between the two departments. “Neither the private sector nor the U.S. Government alone possess sufficient capability or capacity to address the risks to the Nation’s most critical assets,” the paper’s authors write. “Only through concerted, cooperative efforts can we be adequately prepared for a worst-case scenario.”
Agencies’ roles in a response would be in line with their current responsibilities. DHS, for instance, would hold the primary domestic responsibilities: finding the source of the attack, analyzing its methods, and assisting in recovery. DoD would assist civil authorities if called on by DHS, the Defense secretary, or the president, just as it responds to natural disasters like hurricanes. Both departments are working with other agencies and the private sector on preparations.
DoD officials have debated when a cyberattack might cross the line into an act of all-out war, but have not settled on clear-cut conditions. In the event of a truly catastrophic attack, the military would be ready to pull out all the stops. “Should a significant cyber incident be the result of an adversary attack, DoD is prepared to execute appropriate military options at the President’s direction,” the paper states.