Security and Resilience (Cyber and Physical)

Cyber attacks: How real is the threat?

An interview with Michael Daniel, cybersecurity advisor to President Barack Obama (2012–16) and president, Cyber Threat Alliance. Daniel was a keynote speaker at the American Public Power Association’s 2018 National Conference. Excerpts from this interview were previously published in Public Power Daily.

What is the real potential for a cyber attack on any of our critical infrastructure and on the electric grid in particular?

A cyber attack is a very significant threat — one that you need to be prepared to deal with, just like you prepare for the risk of natural disasters, accidents, personnel turnover, legal issues or other risks in business.

Nation-states are beginning to incorporate offensive cyber capabilities into their toolboxes. The likelihood of an attack is increasing. If you look at what happened in Ukraine, there has certainly been some experimenting. If you are the owner and operator of a critical infrastructure system — power, natural gas, health care, transport, etc. — you should be paying attention.

However, real-world politics and other factors constrain what the bad guys can do. It’s not Hollywood; it takes more than 30 seconds to carry out a cyber operation. It’s not trivially simple on the other side, either — you have to develop a large body of knowledge and expertise to do it well.

Media sometimes sensationalize cybersecurity issues. How do you deal with this while keeping in mind that there are genuine threats and bad actors we need to warn against?

I used to joke when I was at the White House that my title should have been “cyber calibrator.” I spent half my time running around and telling people “No, this is a serious case,” and the other half of my time trying to deal with recklessly apocalyptic reporting by media. I had to say, “No, the entire country is not going to be plunged back into the stone age tomorrow.” So, it’s often a question of balance — of drawing attention to serious threats but not making apocalyptic declarations that don’t serve anyone.

You’ve said cybersecurity is more than a technical problem. What kind of a problem is it?

Cybersecurity is what is described (not just by people from Boston) as a “wicked problem.” It is complex and multifaceted. That’s what makes cyber so hard — we treat it as a technical issue. It is a technical issue, but it’s also a business and economic issue. It’s a human psychology issue. A large part of the problem is that we haven’t thought about how humans interact with machines. We’re recommending long passwords that are not words in the English language and different passwords for every site — no human can actually do that!

Cybersecurity is a risk to be managed, not a problem to be solved. Anyone that comes in and tells you they can drive your cyber risk to zero is trying to sell you snake oil. But it’s also not true that there’s nothing you can do about your cybersecurity.

How do you get small businesses to realize they, too, are vulnerable and must manage risk?

Security by obscurity is not true — you are not secure because you are small. If you’re connected, they can find you. In fact, cyber criminals often look for small organizations that they think might be less protected. Remote, rural areas of the U.S. are not hard to get to in cyberspace.

Cybersecurity is a problem that confronts everyone. The difference is in how you think about it and what you do about it. A small utility’s approach has to be different from a larger utility’s. A smaller entity does not need to invest in expertise and tools as sophisticated as a large corporation — and is not expected to — but it must do something.

What are some of the basic cybersecurity steps a small utility can take?

In our experience, the mere fact that the leadership of an organization — the CEO and board — begins to track and regularly ask questions about it can significantly improve cybersecurity. The fact that it’s a regular item on the board meeting agenda, that the CEO and senior staff are talking about it, can make things measurably better. When cybersecurity is a priority, when employees realize that senior leadership cares about and values cybersecurity, they are willing to invest time and effort into it.

Should cybersecurity be someone’s dedicated job, or is it really everyone’s job?

It’s a little bit of both. Yes, we need more people who can write code and deal with the technical nature of firewalls and antivirus software. But we also need cyber-savvy lawyers, business school graduates, economists, and social psychologists who understand how people make decisions. A basic level of cyber understanding needs to be written into everyone’s job description. By the time you get into management, you should understand at least as much about cybersecurity as you do about reading a balance sheet (even if you’re not a finance person). It’s a basic requirement of doing business.

Is government doing enough on the cyber front? Should they do more or less?

Typically, the models we have for interactions between the government and private sector fall into one of two categories — the government is either a contractor or regulator. In cybersecurity, those relationships may not work. We talk about public-private partnerships and consulting, but no one is quite sure what they mean.

Where the policy work needs to happen now is more on the operational and collaboration side. How do federal, state, and local governments actually work together with the power sector in a way that makes sense? Especially when you talk about incident response. Take, for example, the recent disclosure about VPNFilter malware in small home and office router equipment. The malware has a plug-in to track activity on SCADA systems, which means it could be repurposed and used in other areas. That’s a good example of the proliferating threat in this area.

As electric utilities, what cyber responsibilities do we have to our customers?

We should make cybersecurity as simple as possible for our end users and put as little burden as we can on them. We should develop more cybersecurity information we can share with end users — for example, on the security of internet-connected thermostats. We may also want to educate them on protecting their data privacy, such as good password practices. I believe that good cybersecurity improves privacy. And effective privacy policies improve cybersecurity.

There are simple things you can do to be much better off in cybersecurity and customer data protection. For example, IT storage has become so cheap that organizations never get rid of anything. But as a cybersecurity professional, I can tell you that the best kind of data is data you don’t have. So, if there isn’t a business reason to store data beyond a certain date, get rid of it. Have simple policies in place and follow them.