Is the U.S. ready for cyber war?
Thinking the unthinkable ensures that the government is prepared in case it does happen
Does the United States, and by extension federal agencies, face a cyber war? It’s a term that’s been kicked around in cybersecurity circles for a number of years, but recent events have raised the chance that one could occur, and if it did, it would raise the already high stakes involved in cyber hostilities.
Earlier this year, computer security labs revealed details about the Flame virus, which they said had been infiltrating systems in Iran and elsewhere for years, copying documents and recording audio. Just afterward, the New York Times revealed that the virus was created through the joint efforts of Israel and the United States and that both countries had probably also been behind the Stuxnet worm that infiltrated the Iranian nuclear infrastructure a few years ago.
In a June 19 follow-up story, the Washington Post confirmed the authorship of the Flame virus. It was designed to collect intelligence about Iran’s ability to develop a nuclear weapon in preparation for possible cyber espionage to slow that development, the Post said. Crucially, the article also quoted cyber experts as saying that Flame was “designed to replicate across even highly secure networks.”
The United States has been and continues to be under constant attack from other nation states looking to penetrate its networks and gain intelligence, with players such as China suspected of being the major sources. There’s now broad speculation about whether the United States will retaliate with attacks similar to what it launched against Iran to disrupt other countries’ plans.
And if those countries decide to retaliate, the United States would be vulnerable because its critical infrastructure is highly dependent on computers to operate and, so far, it’s not highly secure. The Pacific Northwest National Laboratory (PNNL), a federal contractor to the U.S. Energy Department, issued a report in June that highlighted the challenges that infrastructure faces.
The report highlighted numerous vulnerabilities, including a rapid growth in endpoints in communication networks linking parts of the energy grid, more interconnected networks, growing complexity, an expansion in the use of commercial IT and improper use of the huge amounts of data gathered about the infrastructure.
When early critical infrastructure systems were created, neither security nor misuse of the interconnected network was considered, said Philip Craig, a senior cybersecurity research scientist at PNNL.
“Today, we are still focused on enhancing the security of control systems,” he said. “Outdated security methods that use a maze of disparate, multivendor and stacked tools will only delay a cyberattack, providing numerous opportunities for a more advanced and modern cyber adversary to attack cybersecurity postures throughout critical infrastructure.”
Cybersecurity legislation under consideration in Congress could provide the impetus to find answers to this and other security issues the federal government faces. But it’s an election year, and most people feel that such highly visible legislation has little chance of passing.
The Republican-dominated House, for example, handily passed its version of cybersecurity legislation, but it was opposed by the Democratic majority in the Senate and also by the White House because they felt it didn’t have sufficient teeth to enforce vital infrastructure security. The Republicans, in their turn, feel their opponents’ proposals give government too much control over private-sector networks.
Many cyber professionals continue to downplay the idea of cyber war because it connotes a much broader conflict than they see happening today or that might happen soon. However, as Flame and Stuxnet show, high-stakes cyber espionage and cyber terrorism are clearly possible and are already being conducted.
What the U.S. government and federal agencies need to understand, they say, is that security is no longer about security devices and technologies and preparing for cyber conflicts in the manner of Cold War maneuvers against large enemy forces. It’s much more about gathering intelligence about adversaries, understanding what their intentions are and then using that information to counter the small groups that attack weak points in U.S. defenses.
And in that sense, the United States is not yet prepared for cyber war.