Obama's Doomsday Cyberattack Scenario Unrealistic, Experts Say
President Barack Obama on Friday (July 20) used the Wall Street Journal editorial page to urge the Senate to pass the revised Cybersecurity Act of 2012, which would set security standards for critical-infrastructure industries.
Obama led his argument with a dire, if hypothetical, scenario.
"Across the country trains had derailed, including one carrying industrial chemicals that exploded into a toxic cloud. Water treatment plants in several states had shut down, contaminating drinking water and causing Americans to fall ill," he wrote.
The president's opinion piece, placed on an editorial page usually hostile to his administration, was aimed at Senate Republicans who had opposed an earlier version of the bill on the ground that it would create a new regulatory bureaucracy.
"Our nation, it appeared, was under cyber attack," the president wrote. "Unknown hackers, perhaps a world away, had inserted malicious software into the computer networks of private-sector companies that operate most of our transportation, water and other critical infrastructure systems."
The original version of the bill, co-sponsored by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W.Va.) and Dianne Feinstein (D-Calif.), would have authorized the Department of Homeland Security to inspect and assess private-sector facilities designated as "critical infrastructure," such as power plants, water-treatment facilities and financial networks.
The bill would have forced designated entities to comply with government-set cybersecurity standards.
"To their credit, many of these companies have boosted their cyber defenses," Obama wrote. "But many others have not, with some lacking even the most basic protection: a good password. That puts public safety and our national security at risk."
Meeting stiff opposition from conservatives, the bill in its original form could not garner the 60 votes needed to break a Senate filibuster. So Thursday (July 19), Lieberman introduced a watered-down version of the bill that removes the mandatory provisions and instead makes compliance with new cybersecurity standards voluntary.
The revision offers inducements for companies that choose to comply, such as protection from liability relating to a security incident.
"We are going to try carrots instead of sticks as we begin to improve our cyber defenses," Lieberman said in a statement. "This compromise bill will depend on incentives rather than mandatory regulations to strengthen America's cybersecurity. If that doesn't work, a future Congress will undoubtedly come back and adopt a more coercive system."
Is it even necessary?
"Foreign governments, criminal syndicates and lone individuals are probing our financial, energy and public safety systems every day," Obama wrote.
Digital security experts are divided over whether the bill is necessary, and over whether the dramatic scenes Obama depicted in his opinion piece are even possible.
"Has a major attack happened? No," said Steve Santorelli, a security researcher at Team Cymru in Lake Mary, Fla., who's worked in the past for Microsoft and Scotland Yard. "Are they scanning and exploring? Almost certainly someone is, but it's not clear exactly who or why."
"There's going to be an attack on specific trains loaded with what just happen to be specifically dangerous chemicals so that it or they jump the rails and cause a catastrophe?" asked George Smith, an expert on national-security technology at GlobalSecurity.org in Washington. "This belongs strictly to the last 'Die Hard' movie."
"They could have run a simulation based on the plot of 'Independence Day,'" said Julian Sanchez, a research fellow specializing in technology at the libertarian Cato Institute in Washington. "That would not be a 'sobering reminder' that alien invasion is 'one of the most serious economic and national security challenges we face.'"
"There is little to zero evidence reservoirs and water systems can be significantly damaged by cyberattack, even if one grants the minor possibility of remote trifling with pumping systems," Smith said. "Water purification and supply is a nationally distributed matter. There is no way to universally degrade it in the United States."
Maybe for power plants it is
But attacks on the electrical grid and other utilities dependent upon supervisory control and data acquisition (SCADA) software may be closer to reality.
"The 2008 Florida blackout was not malicious, but could have been," said Joe Weiss, an engineer and power-industry security consultant based in northern California.
Weiss was referring to a sudden power outage in February 2008 that began with an explosion at a substation near Miami and left 2 million people without power all the way up to Tampa and Orlando.
"An engineer at a substation removed overload protections while doing diagnostics," Weiss said. "A SCADA operator remotely actuated equipment, and it blew up."
A SCADA system at an Iranian nuclear facility was the target of Stuxnet, the successful U.S.-Israeli engineered worm that is the world's first publicly known cyberweapon.
Despite the fact that the facility's computers were not connected to the Internet, Stuxnet got in and changed the software on programmable logic controllers (PLCs) operating uranium-processing centrifuges, causing them to spin out of control and setting back the Iranian nuclear program by more than a year.
"Many of the fundamental problems are caused by software vulnerabilities in PLCs that are impossible to fix," Santorelli said. "They were never designed to be secure because the folks that developed them, like everyone else, never really saw this threat coming when the systems were built a generation ago."
"It's sobering to think that the same PLCs that Stuxnet attacked are also in the rides that we take our kids to in theme parks every weekend," Santorelli added.
Why not just unplug it?
"Last year, a water plant in Texas disconnected its control system from the Internet after a hacker posted pictures of the facility's internal controls," Obama wrote in Friday's opinion piece. "More recently, hackers penetrated the networks of companies that operate our natural-gas pipelines."
The solution seems obvious: Disconnect critical-infrastructure facilities from the Internet. But it turns out it's not that easy.
"Many of these systems are remotely administered by vendors and plant operators to cut down on staffing and cost," said Anup Ghosh, chief executive officer of Fairfax, Va., software security firm Invincea and a research professor at George Mason University. "They are remotely administering and updating via the Internet.
"Sometimes SCADA networks are indirectly connected to the Internet when the operators on office networks," Ghosh added, "bridge the connection between Internet and SCADA control networks inadvertently."
In any case, even without an Internet connection, there's always a way in, Sanchez said.
"Every system needs some procedure for receiving external updates and patches, which creates a vulnerability," Sanchez said. "In most cases, you almost certainly want an air gap between the SCADA [system] and any network ... [but] it's very rarely possible to isolate a system completely even if it's not directly online."
The carrot or the stick?
The experts were divided about whether forced security upgrades or voluntary compliance was better for critical-infrastructure industries. Ghosh and Sanchez endorsed the voluntary approach proposed by the revised Lieberman bill.
"Providing incentives for critical infrastructure providers seems like a good approach," Ghosh said, "as long as the incentives are not overly proscriptive. Better would be results-oriented incentives that allow for companies to innovate with new techniques to meet desired ends."
"The difference between a mandate and an inducement is often a matter of semantics," Sanchez said. "You can call a requirement 'mandatory' with a specified penalty, or you can offer liability protection — but then refusing to do what's needed to qualify for that exemption probably raises your insurance costs."
However, when Weiss was asked whether the watering-down of the bill made it useless, he replied, "Honest to God, if you want to keep the lights on and the gasoline flowing, yes, it is."
"This bill continues the status quo, and the status quo is not protecting the grid," he added.
A heavy but firm hand
Sanchez and Weiss also had different opinions over whether more industry regulation was needed.
"The North American Electric Reliability Corporation (NERC) already sets enforceable cybersecurity standards for electric utilities," Sanchez said. "The natural gas, petroleum, and chemical industries all have programs to establish and disseminate best practices for the relevant SCADA networks. And DHS and other government agencies have their own programs already."
To Weiss, the utilities, and especially self-regulating umbrella organizations such as NERC, are part of the problem.
"Electrical utilities are not securing anything. They are in a compliance game," he said. "The billing system in an electric utility is more secure than the actual power plant, and that includes nuclear plants.
"Utilities have self-defined every shortcut you can think of," Weiss continued. "Seventy percent of power plants don't have to be looked at for cyber. They've self-defined out of being critical. All you need to do is look at the public record to see what's considered critical and what's not.
"Which plants are designated as critical and which aren't is a matter of public record," he added. "The industry has created a road map for hackers."