RSAC 2019: Policy Makers Ponder How to Best Defend Leaky U.S. Infrastructure

There’s been no shortage of concern about the ability of decades-old Operational Technology (OT) environments – including industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, switches, sensors, valves and manufacturing technologies – to withstand cyber attack. As these systems connect to Industrial IoT (IIoT) systems, the fear is that hackers will exploit new potential entry points to attack these once-seemingly impregnable infrastructures.

“Our adversaries are getting faster,” said Christopher Krebs, the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). “It’s an active space and only going to get more active.”  Krebs spoke at RSAC 2019 on Tuesday, to a large crowd.

Indeed, many attackers will be drawn by the existence of aging OT systems, dating back to a pre-cyber risk era. Security experts say these are vulnerable to malware and other cyber threats and in urgent need of upgrading. But this is a proverbial work in progress for industrial environments that have existed for more than 20 years with little to no security strategy.

For most of that time, their very lack of internet connectivity provided a built-in buffer against attacks. That’s no longer true as tens of billions of IIoT devices come online as part of their infrastructures.

It’s also helped to revive a Washington national security debate that took on urgency in 2012, when then Sec. of Defense Leon Panetta, warned that the United States was vulnerable to foreign attacks against its power grid, transportation system, financial networks and government.

Despite a few minor incidents since then, however, the worst-case scenarios have failed to materialize. One of the most high-profile incidents occurred in 2013 when the U.S. Department of Justice indicted 12 people, charging them with a failed attempt to release water from behind the Bowman dam in Rye, New York. In 2017, the FBI warned that the nation’s nuclear, energy, aviation, water and critical manufacturing industries were being targeted along with government entities.

Despite the absence of anything remotely approaching the “digital Pearl Harbor” Panetta warned about, the digitization of these key industries continues to stir worry among the chattering classes tasked with thinking about these scenarios. How the country responds to the growing threats will impact its diplomatic, military and economic power is a hot topic of debate at this year’s RSA Conference this week in San Francisco.

“I think that we’ve made a lot of progress,” over the years, said Chris Painter, who led the United States’ cyber security diplomatic efforts when he was appointed as the State Department’s coordinator for cyber issues by then-Secretary Hillary Clinton in 2011. “When my office was created, I was the first cyber diplomat. Now there many (doing that job) around the world and that’s good. This is not just a technical issue but also a policy issue…This traditionally was not a partisan issue, though Russia has changed that, obviously.”

Still, U.S. vulnerability to attack remains a hot-button issue in policy circles. In their January testimony before the Senate Select Committee on Intelligence, CIA Director Gina Haspel, Director of National Intelligence Dan Coats, and FBI Director Christopher Wray told Senators that the U.S. is more vulnerable to attacks against critical infrastructure by rival nations with the capability to shut down U.S. infrastructure, including power and energy companies, as occurred in Ukraine in 2015.

Meanwhile, the White House has loosened the rules on the use of digital weapons to defend the U.S.. Its release last year of the National Cyber Strategy authorized offensive cyber operations against adversaries, saying the U.S. was ready to use "all instruments of national power" to "impose consequences" on malicious cyber actors.

That stance came in for criticism at RSAC 2019 where Painter appeared on a panel discussing whether the U.S. was getting it right.

Painter said that while the sharper emphasis on deterring bad actors was a positive, the U.S. has failed to impose follow-up steps to impose consequences for bad behavior. At the same time, argued on behalf of a more nuanced approach to a complicated problem.

“When John Bolton rolled out (the document), he engaged in cyber rattling,” Painter said. “Cyber tools do have a role but they should not be [part of] a haphazard approach.”

Carrots and Sticks

Protecting U.S. assets from attack also depends on engaging other countries and winning agreement governing acceptable cyber behavior. But some speakers here bemoaned the lack of progress agreeing to global norms, let along reaching consensus over defining what actually constitutes malicious cyber behavior.

“What we see right now in the international arena is not a lot of agreement on what cyber activity is,” said Mieke Eoyang, the VP for National Security at Third Way, a public policy group. “What you see is the victimized country saying, `This is malicious activity’ and the other country saying, `We’re fine with this activity and we’re not going to turn the person over.’

The upshot, she said, is a pastiche where private sector companies are increasingly left in an awkward position to fend for themselves. That’s not a position many CEOs relish. In recent months, that’s even led some legislators to suggest companies ought to be able to “hack back” against foreign attackers. It’s not an idea that went over well with the RSA crowd which criticized it as a cyber version of vigilante justice that would be ineffective.

 “We should not hack back. That would create chaos,” said Kiersten Todt, the president of Liberty Group Ventures, a risk and crisis management firm. “Government absolutely has to step up…and create more active defense among sectors…but cyber weapons are just that; they’re weapons. You can’t make it up as we go along.”

“Hack backs create more problems than they solve,” Painter agreed, adding that while government needs cyber tools to deter aggressors, “we should also be building alliances.”