Cyber Commander Expects Damaging Critical Infrastructure Attack
The U.S. response entails multiple government organizations.
Adm. Michael Rogers, USN, who leads both the National Security Agency and U.S. Cyber Command, predicts a damaging attack on critical infrastructure networks within the coming years. If an attack happens, the agency and Cyber Command will coordinate a response along with other government agencies and potentially the private sector organizations that own many of the networks.
Critical infrastructure is the backbone of the nation’s economy, security and health, according to the Department of Homeland Security (DHS). It includes the systems and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, the economy or national public health or safety. It also includes broadband and wireless networks and the massive power and communications grids.
“I fully expect that in my time as commander, someone—whether it’s a nation-state, group or individual—will attempt to engage in destructive activity against one of those, if not more than one,” Adm. Rogers says.
In that case, Cyber Command will support DHS and other government agencies to protect government-owned portions of the infrastructure. “The Defense Department will apply its capability in support of other organizations. The current model is that DHS has the lead within the federal government for the broader security protections associated with critical infrastructure in the U.S. government,” Adm. Rogers explains. “We’ll partner with the FBI because they’ve got the law enforcement piece.”
He adds that the FBI is the primary organization for protecting networks domestically and emphasizes that the Defense Department will have to remain within the law. Meanwhile, the National Security Agency (NSA) also will partner with the DHS and the FBI to protect “designated segments of the civil infrastructure,” he explains.
Preferably, Cyber Command will pre-empt an attack. “Our biggest focus really is going to be bringing our capabilities to bear to attempt to interdict the attack before it ever gets to us,” he states. “Failing that, we’ll probably also provide some measure of capability to work directly with those critical infrastructure networks to help address critical vulnerabilities where they could use stronger defensive capability.”
Part of the challenge is that Cyber Command has no control over other networks. “This has got to be a two-way partnership because I’m not in their networks. I don’t monitor what’s going on in their networks,” Adm. Rogers points out, adding that he has no way of monitoring how effective an attack on another agency’s networks might be.
If directed by the president to intervene in an attack, Cyber Command and the NSA largely will be responsible for sharing information with others—origin of an attack, malware involved and the tactics, techniques and procedures being used, for example. “We’re bringing the cyber capability online. The buildout is between 2013 and 2016, so we’re about halfway there. So, you know, we’re taking an airplane and we’re trying to fly it and build it at the same time,” he offers.
Experts disagree about the likelihood of a destructive attack on critical infrastructure networks. Richard Forno, director of the graduate cybersecurity program at the University of Maryland, Baltimore County, questions who would have the motive to launch such an attack. “The concern is there and always has been there. So the possibility remains. What is up for discussion is the probability of such an event as waged by certain groups,” Forno says. He adds that “absent an outbreak of World War III-like hostilities” or a “national government going 100 percent crazy very quickly,” a destructive nation-state-sponsored attack is unlikely. “But would a terrorist or criminal group do something like that out of the blue for whatever reason? More likely of a plausible scenario, I think.”
Additionally, Forno points out, a destructive attack could hinder an adversary’s own operations. “You can’t collect intelligence on an enemy or communicate if the Internet is down,” he says. “That may play into a nation-state’s calculus about what type of attack they might employ in a given situation.”
Robert Ferrell, a retired Defense Department special agent for information security, says such attacks are not uncommon. “Short answer is that not only is [Adm. Rogers] right, it’s already happened, albeit on a localized scale. People have been engaging in that since those networks came online. It’s akin to declaring that you predict someone will have an auto accident during your tenure. Duh.”
On the other hand, Martin Libicki, a senior management scientist at the RAND Corporation specializing in cyber warfare, says Adm. Rogers’ prediction is unlikely to come true, in part because a destructive attack on the critical infrastructure has not yet happened. “One never says never in this business because all of cyber war is just one surprise after another. But I can tell you, in 20 years, nothing like this has remotely happened anywhere. In other words, no infrastructure has been taken down seriously,” Libicki declares.
The disagreement hinges in part on the definition of a destructive attack. Adm. Rogers did not offer his own definition. Ferrell points out that intrusions into government or industry computers have led to stolen weapon systems data and that even the White House’s unclassified networks have been infiltrated multiple times. “As for infrastructure itself, it’s true that no hacker seems to have opened any dams or scrammed any nuclear reactors yet,” Ferrell acknowledges. But, he adds, given the number of critical systems reachable via the Internet coupled with the growing sophistication of other countries, “It’s a question of when, not if.”
Libicki cites the 2012 attack on Aramco’s internal network that reportedly wiped the hard drives of thousands of computers. “They probably had a loss of efficiency in their internal office networks. They had to replace 30,000 computers. But it didn’t affect their ability to pump oil,” Libicki says. “I would say that depending on where your serious meter is set, that’s probably not serious.”
Libicki also compares the costs of cyber attacks to the cost of air strikes against the Islamic State of Iraq and the Levant (ISIL) terrorist group. The air strikes, he estimates, will cost several billion dollars a year. “No cyber attack at this point has yet crossed the $1 billion threshold.”
He also questions whether anyone would have both the motive and the ability. Nation-states lack motive in part because they would face retaliation. The only other organization with the capability would be the Russian mafia, he states, and it couldn’t make money from such an attack. Terrorist groups lack motive because they prefer action that can be video recorded and posted on YouTube. “I can’t rule out the possibility that some brilliant guy walks into ISIL and says, ‘I’ve got a neat trick.’ I just don’t think one person, no matter how smart, could pull this off,” Libicki states.
Adm. Rogers describes the current threat as more complex and diverse. “Increasingly, you don’t see a crisis in the world today that doesn’t have a cyber aspect to it,” he says, citing ISIL’s use of the Internet for propaganda purposes as one example. “The number of actors is broadening and the depth of their capabilities is increasing. If you’re in the defensive business, it’s getting tougher and tougher.”