Monday, November 16, 2009

Seeking a Balanced Perspective: How Cyber Risks to Grid are and are not MAD

As you may suspect by now, Jack and I are not fans of alarmist language. You won't hear us using terms like "Cyber Pearl Harbor" or "Cyber 9/11" unless our purpose is to debunk them, as Jack did quite thoroughly on his former blog, Suitable Security, here. We find that hysteria is not a particularly promising state of mind to be in when one is attempting to make the world better, safer and more secure. And that's the lead-in to this second post re: the recent 60 Minutes feature on ominous trouble in Cyberland.

Oh, one more thing before the post really starts -- I should explain the kitten. This kitten is here to help you relax. OK? Let's begin.

MAD, or Mutually Assured Destruction, is a Cold War-era term which neatly describes why nuclear deterrence works and has so far kept our planet from being reduced to a glowing ember from a massive thermonuclear exchange. You are still relaxed I see ... that's good.

Last week we posted a link to, and a couple comments on, an alarming 60 Minutes episode on cyber security risks to critical US infrastructure. It described how vulnerable the US is to computer hackers and used examples from DOD, the financial sector and the electrical grid. An additional level of disturbing detail was provided by former Director of National Intelligence (DNI) Mike McConnell, who said he's certain that foreign code is resident on national grid systems. Our own anecdotal experience with critical systems in other industries corroborates this. In hacker lingo: we are "owned."

Still relaxed? You should be, because there's ample evidence, in the 60 Minutes material and elsewhere, that even as we are heavily targeted, we also have substantial penetration of our potential adversaries' systems. Hence, the resemblance to MAD. I'm making this comparison preemptively before some journalist or K Street analyst does, because I think it's worth laying a few of the cards on the table and thinking about this in a non-alarmist fashion. Here's a short list of attributes to compare and contrast:

Nuclear characteristics:
  • Once underway, nuclear war is for keeps: you're either launching nukes or you're not
  • Though some once believed in it, "limited nuclear war" is generally considered unlikely
  • While we work to make missile defense a reality, our best defense against nuclear attack has been a good offense (see: deterrence)
  • Damage from nuclear exchanges is usually believed to be catastrophic
  • With missiles and bombers heading our way, it's fairly easy to discern the origin of attack, and hence, the attacker
  • There are currently 9 countries listed as nuclear nations. Others seek to join this group, but it's expensive, complicated and time-consuming, not to mention dangerous and sometimes destabilizing

Grid Cyber characteristics:
  • Probes and attacks are happening all the time by multiple parties and damage of various degrees is being absorbed by all involved
  • All cyber war is, by definition, limited
  • Our best defenses are multi-layered, resilient and constantly evolving
  • Damage is infinitely variable in severity and often hard to detect
  • Often cannot identify attack origin or attacker
  • Any country, organization or individual with access to the Internet can be an attacker

So the Cyber wars are already well underway and yet you are still able to read this post on your computer or smart phone. This is because given the degree of inter-dependency of the global economy, most industrialized nations have little desire to wreak massive cyber havoc on their neighbors, who, while they compete in many domains, are also full-time partners. Though you'll sometimes hear speculation to this effect, especially as it concerns the Smart Grid as a "hackers' paradise", it's unlikely (though possible) that catastrophic harm can befall the diverse US national grid from cyber attack alone. But that doesn't mean major localized or regional damage couldn't be wrought.

Takeaways:
  • Unlike with nukes, where deterrence between nuclear nations has worked so far, no one is fully deterred from experimenting with and sometimes wielding cyber weapons against our grid or other critical US infrastructure systems. Most nations do, however, seem deterred from launching massive cyber attacks on us and others ... and life and commerce go on
  • International crime gangs and other non-state bad actors abide by completely different rule sets from those described above. Deterrence means much less to them, so we've got to continue to bring our cyber security "A game" to the Smart Grid build out as well as to the rest of our critical national infrastructure
  • Understanding and accepting that all sides "own" other systems conjures up the alternative title to the Cold War classic "Dr. Strangelove," which was "How I Learned to Stop Worrying and Love the Bomb." I'm not suggesting you begin loving cyber risks to the grid or Smart Grid; just want you to worry a little less if the 60 Minutes piece has rendered you sleepless or immobile. Clearly we’ve got work to do, but as NASA and the NY Times said today, we’re not going to die tomorrow or the day after tomorrow
  • For a somewhat more detailed, balanced examination of cyber risks to the grid, see University of Minnesota's Dr. Massoud Amin's short paper "Electricity Infrastructure Security", PDF downloadable here.

So, if you've made it this far, I've got a question for you: did the kitten help?