by Stephen Bryen
It is virtually certain now that the critical infrastructure of the United States will, in whole or in part, crash in the next few years, if not sooner. What is the critical infrastructure and how does any of this matter to you?
There are different ways that critical infrastructure can be understood. The Department of Homeland Security breaks it down into “sectors” that include the information technology sector, energy sector, communications, health care and public health, commercial facilities and transportation systems. To this we can add government and military operations and law enforcement, which become sectors of prime importance if any of the other “sectors” collapses.
Consider the following simplistic scenario. A number of nuclear and conventional power plants stop functioning, creating a grid crisis that cascades, leaving major cities without electrical power. Some facilities, those with natural gas generators, may function; but most services will shut down, factories will close, and law enforcement, which certainly will include National Guard deployments, will be under pressure to prevent lawlessness and panic. Gas stations will not be able to pump gas, so after a few days most cars won’t run. Traffic signals will be out. Trains won’t run and planes won’t fly. Some radio may stay operating, but as people’s phone batteries run down, communications will be more difficult. Even worse, food stores will run out of supplies and can only operate in daylight hours and without cash registers, lighting or refrigeration. Government services will also stop and government employees won’t be able to go to work or be paid. Services like Medicare and Social Security will be suspended. Financial services will halt; the stock market will be suspended and for all intents and purposes crashed. No one will get a paycheck and the value of the dollar will plummet. Inflation will soar, just as it did in the Weimar Republic.
Why would a crisis like this happen? There is a natural-causes scenario, where an overloaded and badly managed power grid just disintegrates, taking with it all the services described above and a lot more we have left out. There are different points of view as to whether a natural-causes scenario will happen, or even whether a natural-causes scenario could be recognized as such.
The emerging scenario is a successful cyber attack that brings down the power grid. This type of attack could happen so swiftly and cause so much physical damage that understanding what happened and figuring out how to bring the grid back online is a non-trivial problem.
Our government is focused on attacks on the critical infrastructure from China, Russia or Iran. A real attack is a form of war, and one would expect that a state actor would not sponsor such an attack unless there was a parallel conflict, or at least a series of events leading up to a military confrontation.
But are these expectations realistic? The recent Sony attack, which many are still trying to understand, may have been caused by a collaboration between North Korea and Iran. North Korea had a score to settle with Sony Pictures because of a film with an unfriendly portrayal of the North Korean dictator. As North Korea and Iran are closely collaborating on nuclear weapons and missiles, it makes sense to think that if the North Korean dictator asked for Iran’s help to attack Sony, that could have been easily arranged. While North Korea’s capabilities in cyber are suspect, Iran is well advanced thanks to help the Iranians have gotten from Western European companies anxious to cash in. Companies such as Siemens have also transferred critical SCADA technology to Iran, so the Iranians have all the tools they need to attack power grids, refineries, manufacturing centers and transport systems.
As a matter of fact, because it is difficult to pinpoint who is behind a cyber attack on the critical infrastructure, it is mostly guesswork to assign blame. For example, if Russia actually attacked the American power grid (perhaps because President Putin was tired of hearing lectures from the Obama administration), can we be sure it was the Russians and not some other state or non-state actor? In today’s crazy world, non-state actors often are employed by governments (including our own) to hack someone’s network or system; and we also know that many intelligence agencies collaborate so that what might be illegal in one jurisdiction can be done in a place where taking such an action is not against the law.
An equally big problem is how one can respond to a cyber attack on the critical infrastructure. Supposing there is some reasonable certainty about the source of the attack, how does one respond? Attack the other state’s critical infrastructure – tit for tat? It is not clear we yet have the capability to do that. The Russians, who inherited the systems built in the old Soviet Union, always kept their power systems, communications networks and government systems secret. Moreover, many of the systems the Russians have are built with separate government and military hook-ups and are redundant; furthermore, a good many of them are buried underground.
This leaves the US in the unenviable position of needing to take some other kind of action to respond to a critical infrastructure attack. Whether we can truly take a military risk is an open question. Military escalation with a well-armed nuclear power is very risky, as the famous Cuban Missile Crisis illustrates.
In short, the problem is asymmetric and difficult. While the Pentagon has put in place Plan X to be able to respond to cyber attacks, no one knows whether Plan X is much more than smoke and mirrors.
A key question is this: if you have limited options to respond to a successful attack on the critical infrastructure, can you find a way to protect the critical infrastructure from attack, or at least mitigate damages should such an attack occur?
When Russia got the atomic bomb and the Cold War was in full swing, we had Civil Defense. Some readers may remember being taught to duck under a desk at school, or line up in areas thought to be more resistant to bomb blasts. Many Americans built and equipped and stocked bomb shelters. Some folks went so far as to buy cabins deep in the countryside in order to survive.
A Civil Defense program invites the notion that the threat is great enough to warrant taking defensive measures.
We have not done that to protect the critical infrastructure. Despite a lot of exhortatory legislation supposedly pushing the idea of protecting the critical infrastructure, doing that has mostly been left to the private-sector owners of major critical infrastructure elements. It is not that they have not tried to put some security around their systems. But individual companies cannot compete against dedicated, well-funded foreign government assaults. While the US government could try to fill the gap, the record to date on providing real help is spotty. A lead agency, the FBI, has created something called InfraGard, a public-private partnership, but every time a business or infrastructure player asks for help, they get blank stares and an unwillingness to share intelligence or practical solutions. The same holds true for the Defense Department, the NSA and the Department of Homeland Security – not really helpful.
Part of the problem is institutional. Some of these agencies are poorly equipped to provide solutions when most of the time they are trying to break into someone else’s network. Some of it is a lack of leadership: lots of talk and not much else. And some of it is because of the dependency that has developed on commercial computer products and technology, most of which is ill suited to security.
The result of these multiple conundrums is that the United States is ill prepared to deal with any threat to our critical infrastructure, has no clear way to respond to attacks, and has no solutions that really help defend what we have. Are we to wait until the mostly inevitable happens and we are without light and power, fuel, food and medical support? Do we really want to risk urban riots, disease and upheaval?
The answer should be self-evident.
Thus the question is, what should we do? It makes no sense to continue to “study” the problem: we need to solve the problem.
I have proposed a kind of Manhattan Project for Critical Infrastructure Security. The idea is to create a large team of the best experts available, with suitable policy leadership and substantial funding on the order (for starters) of $2 billion. The goal: build secure America-only computer network systems for the critical infrastructure from the ground up. There are some problems that will be very challenging, for example how to use computer hardware that is manufactured in China and in other places where malware and Trojans can be built in at the point of manufacture. There are other problems, such as how to manage authentication and encryption so that no part of any critical infrastructure network lacks encryption. This means very strong encryption that needs to be available to American critical infrastructure elements and that is constantly tested against external threats. But all these problems can be solved if there is a real will to do it.
I used the funding number of $2 billion because that is what the Manhattan Project to develop the atomic bomb cost originally (in 1945 dollars). Today $2 billion is a drop in the bucket and may not be enough. But it is, as they say, a good start.
The Manhattan Project should be run by the best and the brightest and not by any government agency. Government can have a seat on the board, but not management of the Project. The program must be authorized by Congress; it must be non-partisan, open only to US citizens with security clearances, and run in secret. Critical infrastructure organizations and entities need to be vetted and made ready to accept and support a classified program. Administratively this is a big project, but just as the original Manhattan Project ultimately employed tens of thousands of people, so too would this project involve thousands, organized entirely on a need-to-know basis.
If we wait much longer we will be sitting in the dark or worse.