Infrastructure Attacks Are Increasing, and So Is The Threat

The U.S. government recently issued two significant security alerts about Russian cyber hacking of U.S. critical infrastructure. Combined with what we already know, they describe a cyber threat to our critical infrastructure, particularly our power grid, more serious than a nuclear threat. House Energy and Water Appropriations Subcommittee Chairman Mike Simpson (R-Idaho) called cybersecurity attacks "our biggest threat." I agree. Inexplicably, in a “news” culture driven by sensation, overblown hype, fear, and partisan agendas, the severity of this threat has been almost completely ignored. Why?

The first alert, issued in March 2018 by the Department of Homeland Security and the FBI, confirms renewed Russian attacks on our critical infrastructure that began as early as 2011. This alert also references Symantec’s October 2017 “Dragonfly” report discussing Russian cyber attacks on the European and North American energy sectors. The Dragonfly report warns that these cyber attacks “could provide attackers with the means to severely disrupt affected operations” of those critical energy sectors.

The second alert, issued in April 2018 jointly by the U.S. and U.K. governments, marks the first time the U.S. and U.K. governments have jointly warned about malicious cyber activities of another government. It provides information on the worldwide cyber exploitation of network infrastructure devices such as routers, switches, firewalls, and Network-based Intrusion Detection System (NIDS) devices by Russian state-sponsored cyber actors. They are warning primarily of router hacking, whether in businesses, homes, or other settings.

Before discussing the alerts in detail, it is important to distinguish them from the unsupported allegations of Russian hacking of Democratic National Committee emails. No less than The Nation, one of the most liberal opinion magazines around, has acknowledged that “A New Report Raises Big Questions About Last Year’s DNC Hack.” To this day, “the intelligence agencies that released this assessment have failed to provide the American people with any actual evidence substantiating their claims about how the DNC material was obtained or by whom.” That is, there’s no proof the Russians hacked the DNC. In fact, that article makes a good argument, supported by expert analysis, that it was an insider leak.

The Nation, surely no fan of President Trump, is not alone in this observation. The New York Times reported the same lack of evidence:

Despite all the media coverage taking the veracity of the ICA assessment for granted, even now we have only the uncorroborated assertion of intelligence officials to go on. Indeed, this was noticed by The New York Times’s Scott Shane, who wrote the day the report appeared: “What is missing from the public report is…hard evidence to back up the agencies’ claims that the Russian government engineered the election attack…. Instead, the message from the agencies essentially amounts to ‘trust us.’”

With this necessary distinction in mind, let us return to the cyber attack alerts documenting attacks on our nation’s critical infrastructure.

The significance of these threats is being seriously underplayed, as shown by the alerts themselves. First, a careful reading of the threat alerts shows that their information is based on what they’ve detected after the intrusion has occurred. There is no indication of any active attacks being discovered and mitigated. It’s as if we are being warned about an open barn door after the horses have been stolen, and the advice is to go check our own barns. At this point we don’t know if all the horses are still inside or not.

While some might say that this happens with all cyber attacks by definition, that’s not true. With enough information, almost any attack can be interrupted, or ideally, prevented. Based on what’s being publicly released, we are not actively interrupting these cyber attacks – we are only discovering them after the fact. That’s disturbing.

Secondly, they are being presented merely as attacks on mundane network devices – for example, routers. The desired reaction seems to be, how bad can this be? It’s not like they’re hacking a nuclear plant’s control room. It’s a router, for crying out loud. There’s one in my living room right now.

Except, as we read further into the alert, there are subtle clues about the significance of the router hacking. It is elementary that all of an organization’s network traffic runs through its router(s). And as the alert acknowledges, “control the router, control the traffic.” Given the attackers’ known tactics of harvesting credentials and using them to mimic authorized accounts to penetrate and control critical systems, being able to observe and control all network traffic – including, say, passwords and other login credentials -- is huge. And of course, there are indications of hacking a nuclear facility.

Apparently, despite the fact that hostile actors are inside our critical infrastructure controls, we shouldn't “freak out.” One article attempts to calm us down by comparing our electrical grid to Ukraine’s, which is widely believed to have been shut down at least twice by Russian hackers. The reasons we are not supposed to be concerned are that: (1) the U.S. electric grid is more complex than Ukraine’s; (2) six hours of outages as experienced by Ukraine is “not enough to qualify as a full-blown crisis”; and (3) we don’t know how the Ukraine hackers’ system knowledge equates to the U.S. hackers’ system knowledge.

I don’t know about you, but that doesn’t really do it for me. These are weak reasons, driven by lack of logic and lack of knowledge. The article acknowledges that an attack on our electrical grid could have “serious international consequences, potentially causing armed conflict.” With the stakes that high, shouldn’t our threat assessment be based on more than supposition, speculation, and faulty logic?

One article misleadingly states that the attackers have only “attempted to access the energy grid and other industries primarily to spy and collect information.” That’s not the extent of it, and it fails to take into account what we know about other incidents. For example, in August 2017 cyber attackers reportedly came close to blowing up a petrochemical plant in Saudi Arabia. The explosion didn’t happen only because the attackers made a mistake in their code.

The New York Times reported on the attack.

In August [2017], a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyberassault. The attack was not designed to simply destroy data or shut down the plant, investigators believe. It was meant to sabotage the firm’s operations and trigger an explosion.

The attack was a dangerous escalation in international cyberwarfare, as faceless enemies demonstrated both the drive and the ability to inflict serious physical damage. And United States government officials, their allies and cybersecurity researchers worry that the culprits could replicate it in other countries, since thousands of industrial plants all over the world rely on the same American engineered computer systems that were compromised.

There’s the worry. We know that criminals are constantly testing, refining, and re-testing their tactics. Trial runs are an established means of preparing for a crime. Surely we can’t be ignoring this common knowledge in assessing these cyber attacks.

So it does little good to tell us these intrusions aren’t worrisome because the attackers have yet to exhibit a particular capability. It’s dangerous to assess a threat based only on demonstrated capabilities, especially when we know they are continuously getting better. It’s like telling us in an active shooter situation, “Don’t worry, they’ve only fired handgun rounds.” Yes, but what do they have? What are their capabilities? And can you tell us that before we find out the hard way?

We must treat these cyber attacks as the grave threat that they are. As Chief Law Enforcement Officer of my jurisdiction, I have sworn my dedication to protecting its residents and upholding the law. My office regularly reports on arrests, charges, drugs and contraband seized, known threats, and the like. I do this in the interests of making my community, family, loved ones, and friends safer. We deserve the same respect and information about the cyber attacks being perpetrated against our critical infrastructure, particularly our energy grid.