During the Cold War, there was the threat of nuclear attack. In the Internet Age, there is the threat of cyberattack.
Cheyenne Mountain and the North American Aerospace Defense Command once were targeted by the Soviets, and by extension Colorado Springs was considered a “collateral damage” casualty. The continued importance of NORAD was demonstrated just last month when it detected an orbiting vehicle shortly after the North Korean missile launch.
Today, critical national defense assets in the area remain strategic targets. The method of attack, however, will be through cyberspace. And a cyberattack on critical infrastructure would render Colorado Springs a casualty.
Defense Secretary Leon Panetta recently stated that the nation is facing the risk of a “cyber-Pearl Harbor,” and further called this time our “pre-9/11 moment.” He cited attacks on U.S. banking, but also referenced compromised control systems affecting power, water and chemical facilities. “An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” Panetta said. “They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals” and shut down “the power grid.”
The cyber arms race is well-documented. Russia, China, Iran and others are establishing cyber commands. Chinese military journals and strategists describe their plans: “the global information grid and global command and control systems are fundamental to the American defense system, including global positioning satellites.”
Over the past year, national leaders have been using unusually foreboding rhetoric. FBI Director Robert Mueller testified to Congress that cybersecurity would replace terrorism as the nation’s top security threat. He stated: “There are only two types of companies: Those that have been hacked, and those that will be.” Meanwhile, Gen. Keith Alexander, National Security Agency director, called the grave loss of America’s secrets in state-supported industrial espionage campaigns “the greatest transfer of wealth in history.”
On the Pearl Harbor anniversary, U.S. Sens. Joe Lieberman and Susan Collins wrote an op-ed for the New York Times titled “At Dawn We Sleep.” Citing multiple attacks on critical infrastructure, they warned that “the day on which those cyberweapons strike will be another ‘date which will live in infamy,’ because we knew it was coming and didn’t come together to stop it.”
A recent example of the potential destructiveness is the 2012 attack on oil giant Saudi Aramco. It suffered a virus attack against 30,000 computer systems that destroyed 85 percent of the hardware! Recently, the Saudi Interior Ministry declared the incident a strategic attack on the country, targeting its vital economic pulse — oil.
These are the known attacks. According to the Wall Street Journal, bankrupt Nortel Networks was breached and remained compromised for nearly 10 years! A similar attack by a foreign adversary, Shady RAT, was reported by McAfee as “a five-year targeted operation by one specific actor.” Victims included the United Nations and International Olympic Committee, as well as defense contractors. Many compromises remained undetected for years, giving hackers the opportunity to become destructive at any point.
The perception that the federal government or the military will defend us from a cyberattack targeting privately owned critical infrastructure is wrong. Americans’ constitutional and normative separations between government and private industry rightfully limit government’s authority. So businesses are on the front lines!
Moreover, the cyber pathogens are humans and our enterprises, through our cyberspace connections. Government could not stop all these pathways. We bring personal devices to work. Supply chain vendors connect throughout the marketplace, enabling vulnerabilities to jump environments. And, as in the medical field, an all-of-society baseline approach starts with improved cyber hygiene.
The starting point is improved security practices across all environments to raise overall cyber hygiene.
Doug DePeppe is a partner and cyber risk advisor with i2IS Corporation. A cyberlaw attorney, he participated in the 2009 White House 60-day Cyberspace Policy Review, and other national cybersecurity initiatives. Doug writes a blog column on cybersecurity for CSO Online Magazine and is a co-founder of the Western Cyber Exchange.