Joel Brenner, a senior research fellow at CIS, gave a presentation on protecting America’s critical infrastructure from cyber attacks to InfraGard, a partnership between the FBI and the private sector dedicated to sharing information to prevent hostile attacks against the United States.
Hynes Convention Center – Boston, Mass.
March 23, 2017
As Prepared for Delivery
The critical networks that keep America’s lights on, our communications humming, and the banks open for business are vulnerable to attack, and we’ve known it for a long time. The electric grid, oil-and-gas systems, railway switches, and financial and communication networks have all been penetrated and could be disabled by foreign hackers. I don’t have to explain that to an InfraGard audience. You know it. But what have we done about it?
In the United States, Presidential Directives to address infrastructure risk have emerged from the White House echo chamber like clockwork for more than twenty-five years. In 1990, President George H.W. Bush announced to the country what intelligence officials, but not many others, already understood: “Telecommunications and information processing systems are highly susceptible to interception, unauthorized electronic access, and related forms of technical exploitation . . .”
In 1990, the Internet’s weaknesses didn’t seem to have wide consequences. The Internet wasn’t designed for security; it was used exclusively by a trusted community. Until 1992, it was against the law to use it for commercial purposes. After 1992, we took this same porous network and turned it into the backbone of international finance, personal finance, controls on critical infrastructure, virtually all our communications including military command and control, and much else besides. Everything businesses do runs on it or is exposed to it. Government affairs in all advanced nations run on it. Air traffic control and railroad switches run on it. The AC in this building runs on it.
Which is to say, information technology and operating technology have converged.
In 1998, President Clinton warned of the insecurities created by cyber-based systems. In 1998 he directed that “no later than five years from today the United States shall have achieved and shall maintain the ability to protect the nation’s critical infrastructures from intentional acts that would significantly diminish” our security. Five years later would have been 2003.
In 2003, President Bush recognized that this goal had not been met. In 2013 – fifteen years after President Clinton had said the country’s critical infrastructure should be secure from malicious disruption by 2003 – President Obama acknowledged that “[t]he cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”
This is an appalling history of ineffectual leadership. Since 1990 we have spent billions of dollars on cybersecurity but have become less safe. This is not a reflection on the many smart people working hard at cybersecurity every day and night. Many of them are really good at it. Some of them probably in this room. But with few exceptions they’re laboring to put Band-Aids on a system that relegates security to the end-points, and whose end-points are designed for convenience and seamless integration, not security. Sure, we’ve become better at cybersecurity – much better – but the offense has become much better too. Which is automating faster, offense or defense? Probably offense. And offense is cheaper than defense.
This is why we are walking backward on cybersecurity and playing what I fear, in the long run, is a losing game. Meanwhile, we are relentlessly connecting geographically dispersed operating equipment to everything else. This has brought undoubted efficiencies to electricity generation and other industries, but it has also created strategic risk to the United States. Decisions to expose critical operations to this risk have repeatedly been made with insufficient regard for the risk thus imposed on the enterprise, let alone the risk imposed across the entire economy.
Contrary to popular belief, our vulnerabilities are not entirely technological, and there will be no technological panacea for them. Poor business management, lack of clear responsibility within organizations, and bad user behavior would continue to create significant risk even if all the technical issues could suddenly be fixed. Hardware and software vendors also face no liability for insecure products. (Can you think of any other socio-economic area where that’s true?) Because of all these factors, we are seeing a steady shift of risk from theft of personal information, to theft of corporate IP, to actual disabling attacks. These attacks will become more common and more serious, and we’d better anticipate them.
The question our nation faces is therefore this: Are we condemned to remain in this unstable and insecure state in which the best we can do is to repeat urgent but futile warnings from high places and, at the operational level, merely to refine our tactics in a losing game of Whac-A-Mole?
To find an answer, several MIT colleagues and I gathered experts from industry, government, and academia, to imagine what a more secure network environment would look like in 5 to 7 years, and to consider how to get there. Participants came from key industries in the United States, Canada, Japan, and Europe. We began this effort long before a new executive order was in the works, but we now know that that order will focus almost exclusively on federal systems. Lord knows, federal systems need the attention, but the country does not work without its critical infrastructure, and about 80% of critical infrastructure is privately owned. These sectors are still getting short shrift. So our report will complement the forthcoming executive order very well and, we hope, may influence its implementation.
We focused on four critical sectors: electricity, communications, finance, and oil-and-gas. (By “we” I mean MIT’s Internet Policy Research Initiative and MIT’s Center for International Studies.) We make eight major findings leading us to define the eight most strategic challenges we face – all of them difficult. We then make recommendations for dealing with the eight challenges, and under each recommendation we define a series of technical and policy research problems that should be the focus of federal and private cybersecurity research. This is where the money should be spent, on these challenges.
The report will be published next week, probably on Tuesday, and I hope you’ll read it. My colleagues won’t let me detail the results in advance of publication, but I can give you the first public preview of what’s in it.
Our most basic conclusion is that key elements of critical networks cannot be made reasonably secure unless they are isolated from public networks. This is not what corporate leaders want to hear, but it’s the unvarnished truth. Don’t misunderstand: We are not proposing a return to 1980s technology. But digital networks need not be public networks. And I didn’t say we should isolate all critical infrastructure networks. I said “key elements of” those networks. Defining those elements, and defining acceptable degrees of isolation, will take more directive leadership on cybersecurity than we have yet seen from any President. It will also take close cooperation with the private sector and significant incentives to do it. But the task is urgent. We must explore the feasibility, expense, and timeline for achieving this goal.
Another area we stress is the need to quantify the change in risk posture created by particular security investments. You know the common refrain: “We don’t know how to quantify the return on security investment.” I remain skeptical that we can devise a meaningful absolute scale of network security, but I do think we can persuasively calculate the benefit of changes from one security state to another. Doing so will require a concerted effort to achieve a common standard.
The challenges are not merely technical. They also require a re-evaluation of the laws, regulations, and policies that govern behavior on our networks.
For example, critical infrastructure operators are clamoring for more secure hardware and software but can’t buy them. They’re not available. The cheap multi-use hardware and software that flood our markets are rife with vulnerabilities and unsuitable for critical infrastructure. This is a supply chain challenge that looks technical but isn’t. It’s commercial. Suppliers find it profitable to market cheap, general purpose hardware and software for multiple uses, regardless of differing security tolerations in different uses. The software in these products is highly complex (and therefore vulnerable) for uses that are often simple. The chip in a control that opens and closes a valve might contain 2 million lines of code. That’s nuts. Finding malware among 2 million lines of code is extremely difficult. Complexity is the enemy of security. We know how to make simpler stuff, but no one will do it unless assured of a market. If the departments of defense, homeland security, and energy would support a market for more secure versions of commercial products, the demand would be there. (I emphasize “secure versions of commercial products.” Recommending entirely new technology for critical sectors would be a total non-starter.)
Dare I suggest that this kind of market support could involve our allies too?
Liability and tax laws also need attention. We have no binding standards for the manufacture and use of insecure hardware and software, even for critical infrastructure. A private accreditation bureau, the “UL,” certifies that the cord on your toaster is safe, but there is no comparable body to certify that the controls being sold to a pipeline operator are safe and suitable for that use. Insurance carriers should support this effort. It was they, after all, who created the model. “UL” began as the Underwriters’ Laboratory.
Congress should also consider more favorable tax treatment of qualified cybersecurity investment in critical infrastructure and, potentially, throughout the economy.
Sure, we have compliance and regulatory regimes and non-binding standards – lots of them, too many of them – but they’re complex, expensive, and above all, poorly correlated with risk. Federal and state authorities should examine existing regulations to simplify and re-tool them to drive effective cybersecurity investment and better align compliance with security. And we need a single common standard.
Here’s an example of a challenge that’s both technical and not. Critical infrastructure operators should be able to quickly identify and respond to cyber risk arising from cross-sector linkages as well as from their own networks. That’s technical. But these cross-sector linkages are poorly understood, and our failure-simulation efforts tend to be sector-specific, which is delusional. Fixing this is not a technical challenge. It entails a trusted mechanism for crunching proprietary data from multiple sources. Our report makes suggestions on how to do that, and we at MIT are planning a pilot effort to try it out.
OK, that’s a sample. For the full monty, you should check out the report here next Tuesday. You’ll find interesting recommendations about the position of the cyber coordinator within the Executive Office of the President, about training and education, and about deterrence.
Time permitting, let me say a bit about deterrence. If the Russians or the Chinese could take down parts of our grid or our financial system – and I think they could – why haven’t they done it? There are several reasons. First, they’d fear we’d do the same to them, probably better. Second, any major dent they’d put in our economy would put an even bigger dent in their economy. Third, they could not possibly be confident that we would respond only in kind or that escalation could be readily controlled. To that extent, one could say that deterrence is already working.
At other and lower levels, however, deterrence is not working and may never work. Can North Korea be deterred this way? No one can say so with confidence. And transnational terrorist organizations, whose skill level constantly increases, cannot be deterred this way. No one doubts that ISIS or al-Qaeda would cause us every harm in their power. Nor can we say that transnational criminal organizations can’t get into the game. Reports of extortion against Brazilian electric networks have been around for years. Anyone who thinks it can’t happen here is just whistlin’ Dixie, as they used to say where I come from. It’s therefore reasonable to say that deterrence is working among our peer states insofar as critical infrastructure is concerned, but not otherwise. We cannot count only on deterrence to protect our critical networks.
These problems are hard, and the hardest problems are political, not technological. We know how to solve identity management, but we haven’t done it because solving it would increase the surveillance powers of the state, and we don’t want to do it. That dilemma could eventually lead us to further fracturing of the Internet in which people can choose security over anonymity if they want it, and companies can impose that choice as the price for accessing their systems. Similarly, we know how to solve the weakness of our DNS system and border gateway protocols, but we haven’t done it because nobody wants to spend the money. That’s a question of incentives, and right now, the incentives are misaligned. I hope you’ll notice that we give a lot more attention to aligning incentives than we give to regulation.
Our national predicament cannot be undone overnight, and it cannot be undone at all if we don’t get our noses out of the important but tactical difficulties of operating our networks and think big about it. But it can be undone if business leaders and government officials alike will candidly face the long-term challenges that our report details. The insecurity of our critical systems is a national disgrace, but the pathway to higher ground has been charted. Let’s follow it.