from – economics21.org – by Mark P. Mills
Hackers typically fall into two groups: private individuals or organizations with varying skill levels who hack for financial, nuisance, or harassment motives; and nation-state or nation-sponsored entities with high skill levels that hack for geopolitical motives.
According to CrowdStrike, a cybersecurity consultancy, geopolitical developments have become the “most important drivers for cyberattacks,” with the latter now firmly part of the “global threat landscape.” Adds Kevin Mandia, CEO of FireEye, another cybersecurity firm: “It does not seem reasonable to expect the majority of the private sector to defend itself from military cyber attacks. We do not expect a homeowner to prevent a military unit from breaking into their bedrooms, so why should we expect companies to prevent or detect similar attacks in cyberspace?”
Dealing with this reality has implications for how federal agencies should work with the private sector and for the appropriate allocation of public resources. The potential for nation-state attacks also has implications for liability protection for utilities in the event of a cyberattack; for sharing classified information with utilities; and for interindustry and interagency coordination. As the GAO reported, the Department of Defense’s own infrastructure is vulnerable to cyberphysical attack.
Rather than focus on “Climate Change Adaptation Road Maps,” the Pentagon should prioritize helping the private sector secure and defend America’s critical electric infrastructure. The Defense Advanced Research Projects Agency announced plans in January 2016 for a $77 million, four-year program to help utilities detect cyberattacks; but given the scale and complexity of the challenges, it is only a small step.
Tech titans, including Facebook, Google, Apple, and Microsoft, have pledged to help advance the deployment of “green” and smart grids. They should also acknowledge, and help resolve, the cybersecurity challenges associated with such initiatives. The foundational responsibility for solutions originates with the technologies’ providers, not the users in the industrial and utility sectors. Similarly, investors and policymakers should explore ways to encourage greater focus on innovative venture capital in cyberphysical security—which accounts for less than 1 percent of total venture-capital investment.
If U.S. state and federal cyberphysical security policies are to become coherent and effective, they must be anchored in acknowledging three realities: (1) the rush to make U.S. grids greener and smarter also increases their cyberphysical attack surface; (2) there are two radically different classes of cyber threat: private hackers and nation-state (or nation-sponsored) hackers; and (3) evolving cyberphysical threats are unlike other physical-security issues that utilities have heretofore faced.
Sound grid-cybersecurity policy would therefore:
- Avoid top-down, one-size-fits-all legislation.
- Slow—and, in some cases, halt—smart- and green-grid transformation that increases the attack surface until adequate cybersecurity features are available and incorporated.
- Reallocate grid budgets to increase funding for security, resilience, and reliability, and require cybersecurity metrics as part of pre-deployment requirements for green and efficiency programs.
- Boost utility-sector collaborative engagement with federal cybersecurity programs, especially those of the U.S. Department of Defense.
- Encourage private-sector-led cybersecurity technology research, development, and deployment, so that companies on the front line can move at the speed of innovators, not bureaucrats.
- Ensure that policies, mandates, and regulations in cybersecurity are based on overall objectives—rather than being prescriptive and subject to becoming rapidly obsolete.
The central challenge for U.S. utilities in the twenty-first century is to accommodate the conflict between political demands for more green energy and society’s demand for more reliable delivery of electricity. Greater grid cybersecurity in the future means that policymakers must rethink the deployment of green and smart grids until there are assurances that security technologies have caught up. While the government needs to improve its vital role in helping with cyber “situational awareness,” the private sector must lead the way in defending against cyberphysical threats that evolve and move at tech-sector—not bureaucratic—velocities.