Sec. Baker was referring to the relative state of readiness and resilience of the computer equipment protecting America's energy distribution networks and industrial control systems. Presently a senior counsel at the Washington, D.C. law firm of Steptoe & Johnson, LLP, he introduced his firm's report on our present status. "I thought I would start with some obvious things," he began. "Security sucks."
Last year, Baker said, the pervasiveness of the Stuxnet worm demonstrated that it's possible to break industrial control systems after penetrating the Windows networks that connect to them. "Not only can you, it's a great idea if you're thinking about attacking another country," he told the RSA Security conference in San Francisco last week, with only a hint of sarcasm. "It's a wonderful weapon, if you're into weapons. It's very effective at bringing down industrial control systems, upon which civilian life depends. There's none of the taboos around this weapon that you have around nuclear weapons. And it's easy to develop if you've got the makings of a cyber-weapons industry. It's asymmetric - you can go up against the toughest guys in the world and cause some real pain in ways that they may not be able to cause you."
A Fence Around a Hole
Baker notes that the authority for government agencies today, such as the Commerce Dept.'s NIST, to contribute to the management of Internet security is somewhat repurposed from their original mandate. But partly because these agencies are now perceived as protectors of all things digital, he said, those responsible for direct management and operation of industrial control systems are not focused on digital network security. Remarked Baker during an RSA panel on smart grid protection, "They've got an equally important nightmare that they have to live with every day, which is that the power will go out and they won't be able to deliver it. All of their security features are designed around that."
While these operators are focused on maintaining the nominal status of the power infrastructure, they tend to trust one another, like soldiers locked in combat against the common enemy of rust and corrosion. And as trusted co-combatants, they share everything with one another - including passwords. So when a power system does fail, and experts are sent down from Canada to manage the issue (gee, I wonder whom Baker was referring to), someone leaves them a note with the passwords so they can get into the system.
Because of incidents like this, Baker says, the security of power systems today is actually worse than in the past several decades. "This is not exactly the security that you and I grew up with."
Defending her agency's role in protecting the grid, however smart or dumb it may be, was Donna Dodson, NIST's Deputy Chief Cybersecurity Advisor. "The goal of standards is to provide the fundamental tools and technologies that you can use in support of information assurance, to really help protect the smart grid," she told the panel. "We've been working very closely with DHS, the Dept. of Energy, with the entire smart grid community, so that public/private partnership has come together with our smart grid efforts... to begin to understand, from the very top level of understanding risk and risk management, down to the technical details of what standards are available. NIST has pulled that community together."
Dodson said this community is comprised of standards development organizations and academic leaders, brought together by agencies with the goal of identifying gaps and deficiencies in current standards. As part of a partnership with DHS and private organizations, NIST is supporting a National Initiative for Cyber-Education. Later this spring, it will be hosting a workshop on smart grid security, followed by another on cyber-physical systems.
The Legislative Foundation
But the authority for these agencies to take decisive action, even after these more concrete standards have been ironed out, may only be established through new legislation. That process has made molasses seem slippery. As House Homeland Security Committee general counsel Kevin Gronberg described it, "The activity on the Hill, depending on whom you ask, is fast and furious or slow and monotonous.
"Cyber security - and especially securing the smart grid - has been recognized as an increasing need for legislation in Washington... Because there have been previous attempts at passing cybersecurity legislation, they have been thwarted, so to speak, by multiple jurisdictions." Gronberg then reminded attendees of the simplified version of how a bill is passed, as presented by the old Saturday morning kids' show from the 1970s, "Schoolhouse Rock."
"With the underlying nature of cybersecurity being what it is, as everyone knows, it permeates almost every element of our economy. And as such, there are so many different committees on Capitol Hill that feel they have jurisdiction over the issue - whether it's Financial Services or National Defense or Homeland Security," he explained. "With the Republicans regaining the majority in the House in 2010, Speaker of the House [John] Boehner commissioned a task force report on what should be included in the cybersecurity bill."
That report was released last October, with the hope of each committee being able to create a bill that addresses its respective jurisdiction. Those bills would then be combined into a version that could be reconciled with a Senate counterpart bill. The resulting bill, called the PRECISE Act, which passed Gronberg's committee on February 1, would enable interagency sharing of standards and information in the event of a national cybersecurity event, as NIST's Dodson has called for.
The bill also includes measures enabling agencies, under DHS supervision, to acquire databases that happen to include personally identifiable information from services that host critical government infrastructure, so long as that data remains protected. So far, the ACLU has responded with guarded skepticism, but has not raised any alarms. The Union has stated its tentative approval of cybersecurity measures being managed by DHS, instead of the NSA, which is also an intelligence service.
"As of now, the cybersecurity mission is poorly defined in legislation," said Gronberg. "It has been more of a function of executive order and public expectation. I think the Department [of Homeland Security] has filled that role admirably, but we'd like to clarify those roles, especially the cross-jurisdictional aspect of the team sport that is cybersecurity."
Failure By Design?
As the Atlantic Council think tank's Jason J. Healey asked attendees, why should so much effort and legislation be expended on protecting a system that's fundamentally flawed in the first place?
"If we make these kinds of decisions, could an attack on [the smart grid] and a failure make us pre-industrial?" asked Healey, who directs the Council's Cyber Statecraft Initiative. Having met with members of Carnegie Mellon University's Software Engineering Institute, he asked them - perhaps not in jest - "Let's design a perfectly bad system. Could we design a system so atrocious that, if it got knocked over, we'd be pre-industrial? What would that look like? Well, first, you'd have to be fully dependent on the system. In case there was a failure, it would have to cascade both directly and indirectly into the other sectors. And our perfectly bad system would have to be not just silicon, or something we could just reboot... it would need to be made of real stuff, concrete and steel that hard-brakes... that might take months to get a replacement part to fix."
To help maintain the system's poor reliability and vulnerability, Healey went on, everyone should be made completely aware of the problem, without any real interest in solving it. Potential adversaries who have created back doors in the past - perhaps the distant past - should be encouraged to return by building up their egos in news reports, and should find those back doors left wide open for them. Then the system must be made a political priority. "We'll worry about security later. We'll just get it out there, and then once we know if it's working, we'll have security. And then we're gonna take this system and we'll connect it to the Internet!"
Later, in response to a question, Healey suggested that if America truly cared about the operational integrity of the private sector in the event of a national cybersecurity emergency, agencies would bend over backwards to make certain that private network administrators and security engineers have all the tools and information they need. Legislating that NSA should monitor this part of the network on behalf of the private sector, he said, was "somewhat of a failure of imagination."
Stewart Baker disagreed, pointing out that malicious agents use information being broadcast from agencies to their own advantage. For instance, they watch public service announcements to see which malware they put in the wild has been blown. When they see no such announcements, said Baker, "they know they've got a winner." So protecting the status of these investigations, and not being completely transparent with private industry, gives NSA, DHS, and other departments and agencies the advantage of not leaking easily discernible intelligence to their enemies.
"It is not absolutely necessary that NSA do all of this monitoring," Baker added. "The fact is, these are the operational guys - these are guys who live this daily, and anybody who's in this room and who's in this business understands that there's all the difference in the world between sitting in the C-suite and being down, actually dealing with the code, and fighting these guys on a daily, hourly basis. This is a matter of minutes and hours, if you want to keep your systems from getting compromised in ways that we can't undo. The only really operational fighters in the federal government are at NSA... I have a lot of sympathy for their desire to get out and do something."