While the United States has conducted three Nuclear Posture Reviews this decade “to determine what the role of nuclear weapons in U.S. security strategy should be,” there have been no similar assessments for other high-end threats, including cyber warfare. There also appears to be no effort to integrate U.S. policies on high-end threats, including nuclear and cyber, under a single policy umbrella. Finally, the promotion of global awareness for the serious threat posed by offensive cyber weapons proliferation does not appear to be high on the U.S. public diplomacy agenda.
Three years ago, the world faced a very different cyber threat landscape which was far more forgiving to such U.S. policy missteps. It was a world before Stuxnet, DigiNotar, Night Dragon, and Shady RAT. A world in which states were the only actors perceived capable of conducting major cyber attacks against critical infrastructure. A world in which national security experts failed to grasp the full potential of industrial control systems cyber attacks.
But, as noted industrial control systems cyber security expert Joe Weiss points out, the cyber threat landscape has radically shifted since the days of Titan Rain, “We must recognize that we live in a new world. We have undergone a huge conceptual change in last eighteen months. There are now metasploits for industrial control systems available on the Internet. You no longer need to be a nation-state to carry out a major critical infrastructure cyber attack. The U.S. and other states need to come together to promote cyber security or the world is going to be in serious trouble.”
If the U.S. is serious about confronting the cyber security threat, Weiss believes that the first step is for U.S. policymakers to recognize the existential threat posed by industrial control system cyber (or blended physical and cyber) attacks: “I believe that U.S. policymakers do not fully understand the control system issues. In the IT world, the worst thing that a hacker can do is to shut down a network or steal information. In the industrial control systems world, they can take control and bring about physical destruction of critical infrastructure, including electric, water, oil, gas, chemical, and nuclear infrastructure.” For this reason, Weiss argues that the U.S must treat the weaponization and proliferation of industrial control system cyber attacks as a high-end threat.
Even in the absence of new legislation, Weiss believes that U.S. policymakers could pressure the US Department of Homeland Security and Department of Energy to increase regulations related to industrial control system cyber security. They also could mandate new federal cyber security policy and procedures and training and awareness programs for critical infrastructure providers.
In the meantime, Weiss concludes that the risk posed by an offensive cyber attack against the nation’s critical infrastructure is growing: “There have already been more than 10 nuclear plant cyber incidents. While not all were malicious, these incidents demonstrate that cyber can affect the availability of key components at such plants, such as a water pump required to cool the reactor,” says Weiss. “The problem is that we can’t even tell if incidents such as these are malicious because we don’t have adequate cyber forensics let alone adequate preventative measures.”
To illustrate this point, Weiss shares a story relayed by an expert at a recent conference: “There was a presentation on a recent cyber incident at steel mill in Brazil that compromised control system networks. Unfortunately, experts still can’t identify the initiation point or when the code was inserted.”
He also warns “there are some very significant issues that happened at Fukishima, including loss of off-site power, which a directed cyber attack may be able to replicate. And, there is little chance to be able to find a sophisticated cyber attack against control systems until it’s too late.”
Ultimately, Weiss is not only concerned by the failings of the U.S. Government. He also lacks confidence in international bodies, including IAEA, charged with propagating standards to ensure the safety and security of critical infrastructure: “I have personally reviewed the IAEA cyber specifications. The document is not very strong when it comes to cyber security for control systems.”
For Weiss, states and international organizations simply are not doing enough when it comes to industrial control systems cyber security. Until the world’s political elites recognize that industrial control systems cyber security represents a shared security issue, there may be little hope for change. This leads Weiss and others to worry that their worst fears could be realized: a non-state actor successfully launching a major attack on the critical infrastructure of a state.
If such a scenario unfolded, “the impact would be beyond belief.” Aside from the resultant physical damage to critical infrastructure and loss of life, such a scenario would challenge one of the core principles - the monopoly on violence - that states claim dominion over in the international system. For this reason, malicious hackers may pose a much more dangerous threat to the international political order than other non-state actors, such as terrorists or pirates.
Eddie Walsh is a non-resident WSD-Handa Fellow at Pacific Forum CSIS. He blogs at The Asia-Pacific Reporting Blog and can be reached at asiapacificreporting@gmail.com or via LinkedIn.
a global affairs media network
Rethinking Cyber Anarchy
November 15, 2011
While the United States has conducted three Nuclear Posture Reviews this decade “to determine what the role of nuclear weapons in U.S. security strategy should be,” there have been no similar assessments for other high-end threats, including cyber warfare. There also appears to be no effort to integrate U.S. policies on high-end threats, including nuclear and cyber, under a single policy umbrella. Finally, the promotion of global awareness for the serious threat posed by offensive cyber weapons proliferation does not appear to be high on the U.S. public diplomacy agenda.
Three years ago, the world faced a very different cyber threat landscape which was far more forgiving to such U.S. policy missteps. It was a world before Stuxnet, DigiNotar, Night Dragon, and Shady RAT. A world in which states were the only actors perceived capable of conducting major cyber attacks against critical infrastructure. A world in which national security experts failed to grasp the full potential of industrial control systems cyber attacks.
But, as noted industrial control systems cyber security expert Joe Weiss points out, the cyber threat landscape has radically shifted since the days of Titan Rain, “We must recognize that we live in a new world. We have undergone a huge conceptual change in last eighteen months. There are now metasploits for industrial control systems available on the Internet. You no longer need to be a nation-state to carry out a major critical infrastructure cyber attack. The U.S. and other states need to come together to promote cyber security or the world is going to be in serious trouble.”
If the U.S. is serious about confronting the cyber security threat, Weiss believes that the first step is for U.S. policymakers to recognize the existential threat posed by industrial control system cyber (or blended physical and cyber) attacks: “I believe that U.S. policymakers do not fully understand the control system issues. In the IT world, the worst thing that a hacker can do is to shut down a network or steal information. In the industrial control systems world, they can take control and bring about physical destruction of critical infrastructure, including electric, water, oil, gas, chemical, and nuclear infrastructure.” For this reason, Weiss argues that the U.S must treat the weaponization and proliferation of industrial control system cyber attacks as a high-end threat.
Even in the absence of new legislation, Weiss believes that U.S. policymakers could pressure the US Department of Homeland Security and Department of Energy to increase regulations related to industrial control system cyber security. They also could mandate new federal cyber security policy and procedures and training and awareness programs for critical infrastructure providers.
In the meantime, Weiss concludes that the risk posed by an offensive cyber attack against the nation’s critical infrastructure is growing: “There have already been more than 10 nuclear plant cyber incidents. While not all were malicious, these incidents demonstrate that cyber can affect the availability of key components at such plants, such as a water pump required to cool the reactor,” says Weiss. “The problem is that we can’t even tell if incidents such as these are malicious because we don’t have adequate cyber forensics let alone adequate preventative measures.”
To illustrate this point, Weiss shares a story relayed by an expert at a recent conference: “There was a presentation on a recent cyber incident at steel mill in Brazil that compromised control system networks. Unfortunately, experts still can’t identify the initiation point or when the code was inserted.”
He also warns “there are some very significant issues that happened at Fukishima, including loss of off-site power, which a directed cyber attack may be able to replicate. And, there is little chance to be able to find a sophisticated cyber attack against control systems until it’s too late.”
Ultimately, Weiss is not only concerned by the failings of the U.S. Government. He also lacks confidence in international bodies, including IAEA, charged with propagating standards to ensure the safety and security of critical infrastructure: “I have personally reviewed the IAEA cyber specifications. The document is not very strong when it comes to cyber security for control systems.”
For Weiss, states and international organizations simply are not doing enough when it comes to industrial control systems cyber security. Until the world’s political elites recognize that industrial control systems cyber security represents a shared security issue, there may be little hope for change. This leads Weiss and others to worry that their worst fears could be realized: a non-state actor successfully launching a major attack on the critical infrastructure of a state.
If such a scenario unfolded, “the impact would be beyond belief.” Aside from the resultant physical damage to critical infrastructure and loss of life, such a scenario would challenge one of the core principles - the monopoly on violence - that states claim dominion over in the international system. For this reason, malicious hackers may pose a much more dangerous threat to the international political order than other non-state actors, such as terrorists or pirates.
Eddie Walsh is a non-resident WSD-Handa Fellow at Pacific Forum CSIS. He blogs at The Asia-Pacific Reporting Blog and can be reached at asiapacificreporting@gmail.com or via LinkedIn.