Government ill-equipped to thwart cyberwarfare

The U.S. infrastructure is outdated and vulnerable to cyberattacks. If government reaction doesn’t improve, the country's electrical grid could be crippled.

In January, V. Miller Newton, CEO and president of PKWARE, made his annual list of predictions for the most likely cyberattacks of the year.

Number 3 on the list: The U.S. electrical grid will be attacked. He's been making predictions since 2011, and claims 95 percent accuracy so far (he also predicted that healthcare systems were at risk and that smart watches would be hacked).

"This country's infrastructure runs on antiquated technology and systems," he says. "We've already seen an electrical power grid hacked in December of last year in Ukraine," which blacked out 103 cities and partially blacked out an additional 186.

Cyberwarfare isn't new, but Newton and other security experts expect that these attacks will ratchet up and focus on anything that could cripple the U.S., whether that's shutting off something like the power grid, utilities, or water, or holding financial institutions or Fortune 500 companies ransom. They also say the government's slow reaction can't keep up with the race to hack, which can leave the country vulnerable.

"You're talking about massive disaster. You're talking about a complete blackout of the whole infrastructure of the United States," says Idan Udi Edry, CEO of Nation-E.

Shutting systems down easier than you think

It's easy to see why shutting down a power grid would be disruptive. But what might not be obvious is that it can be easy, especially since critical systems are online, says Timothy Carone, a teaching professor in IT, analytics and operations at the University of Notre Dame's Mendoza College of Business.

"Software gets upgraded just like it does on your computer or iPhone," says Carone. "You have the same challenges upgrading elements of an electrical grid that you have with a regular computer."

So just like a computer or smartphone needs security patch updates, so do networks that run critical systems. If not addressed, those vulnerabilities are a way in for someone who wants to do damage.

"The western world, which is considered to be the leader in technology and innovation, is actually the most vulnerable because of the effect of the digital age," says Edry.

Putting your thermostat or baby cam online as part of the internet of things (IoT) makes them vulnerable to hackers where they wouldn't have been before. The same is true for any infrastructure system.

"All of those assets and all of those integrations and vulnerabilities are opening themselves up," says Edry. "These are the most critical points. It's IoT of the Industrial size."

And these aren't a bunch of guys sitting in a basement trying to see how far they can get into someone's system either. They're criminal gangs, intelligence agencies or proxies for them, says Carone. And they're smart.

"Our systems are such that not only can people break into them, but they actually use our system to train people to break into them," he says. You’ll experience a hack, which is followed by five more. "These aren't six separate hackers, [rather] it's clearly one person teaching the other five how to hack in and what to do with the system."

Holding systems for ransom

In February, Hollywood Presbyterian Medical Center admitted that it paid $17,000 to hackers to get their systems back. These kinds of attacks could be scaled up, says Carone, to cause chaos. Example: hackers take over the electrical grid to a section of a city that includes the headquarters of several Fortune 500 companies along with a residential neighborhood. "[Hackers] can tell each of the companies separately 'If you want your power restored you need to give us some obscene amount of money and by the way we've also cut power to the neighborhoods in your area,'" he says.

Not only will that cost those companies a huge amount of money, but it could pit residents against companies if they are told that the reason they don't have power is because of their corporate neighbors. In other words: chaos.

Keeping up with the hackers

"This is a new world problem that needs a new world solution," says Newton. "The world has looked at security over the past 10, 15, 20 years from a perimeter perspective. Keep the bad guys out."

The mindset, he says, has to change. One way to do that is to protect crucial information by encrypting it so that, even if someone breaks in, "it's totally innocuous. The hack is like a non-event."

However, awareness, says Edry, is "very weak." Decision-makers, especially in government, aren't giving this issue the attention it needs, and when they do, the response is too slow. He thinks something major will need to happen before the problem gets the attention it deserves.

Because government moves so slowly, Carone sees the solution coming from the private sector. "I think you're going to find practitioners in the field take it upon themselves to generate solutions and try to put that defense posture in place, whether it's ensuring safety of the electrical grid or the electoral process," he says. "[Otherwise,] it won't get done because government just can't make decisions fast enough."
