Cybersecurity and Physical Security

Cyber risks are real but not hard to manage

Michael Daniel, Cybersecurity Advisor to President Obama (2012 - 2016) and President, Cyber Threat Alliance, will address public power leaders at the National Conference in New Orleans on Monday, June 18 (2:45 to 4 pm CDT) on How Cybersecurity Is Redefining Our World. Public Power Daily interviewed Daniel in advance of his keynote.

Given current world events, what is the real potential for a cyber attack on any of our critical infrastructure, and on the electric grid in particular?

The threat is very real and evolving. Nation states are beginning to incorporate offensive cyber capabilities into their toolboxes. The likelihood of an attack is increasing. If you look at what happened in Ukraine, there has certainly been some experimenting with what those capabilities can do. If you are the owner and operator of a critical infrastructure system — power, natural gas, healthcare, transport, etc. — you should be paying attention.

However, I like to balance this out with real world politics and other factors that constrain what the bad guys can do. It’s not Hollywood; it takes more than 30 seconds to carry out a cyber operation. It’s not trivially simple on the other side either — you have to develop a large body of knowledge and expertise to do it well.

A cyber attack is a very significant threat — one that you need to be prepared to deal with just like you prepare for the risk of natural disasters, accidents, personnel turnover, legal issues, or other risks in business.

In case of such an attack, is any particular sector of our critical infrastructure more susceptible than the other?

No sector is more susceptible than the other. But if you look at our society, our digital dependence continues to increase. Any sector is digitally dependent.

Can a Ukraine-style attack on the electric grid happen in the U.S.?

It certainly can happen here. Our adversaries have the capability to carry it out. If they decide it is in their interest to do that, they can figure out how.

The media sometimes tends to sensationalize cybersecurity issues and claim that the grid is about to go down. How do you deal with this, while keeping in mind that there are genuine threats and bad actors that we need to warn people about?

I used to joke when I was at the White House that my title should have been “cyber calibrator.” I spent half my time running around and telling people “This is a serious case,” and the other half of my time trying to deal with recklessly apocalyptic reporting by media. I had to say, “No, the entire country is not going to be plunged back into the stone age tomorrow.” So it’s often a question of balance — of drawing attention to serious threats but not making apocalyptic declarations that don’t serve anyone.

The current Administration’s position on cybersecurity has not been very clear. What is your take on it?

The elimination of my position by the current Administration is a bit baffling. Because this Administration’s position on domestic cybersecurity and its relationship with the power sector is remarkably consistent with what we were building in the Obama Administration. I have no criticism of what the Administration is currently doing on federal network security or critical infrastructure.

Where the policy work needs to happen now is more on the operational and collaboration side. How do federal, state, and local governments actually work together with the power sector — both for-profit and nonprofit versions — in a way that makes sense? Especially when you talk about incident response, when something bad happens. Take for example the recent disclosure about VPNFilter malware in small home and office router equipment. The malware has a plug-in to track activity on SCADA systems, which means it could be repurposed and used in other areas. That’s a good example of the proliferating threat in this area.

You’ve said cybersecurity is more than a technical problem. What kind of a problem is it and what is a good risk management approach?

These kinds of problems are what are described (not just by people from Boston) as a “wicked problem.” They are complex and multifaceted. That’s what makes cyber so hard: we treat it as a technical issue. It is a technical issue but it’s also a business and economic issue. It’s also a human psychology issue — a large part of the problem is because we haven’t thought about how humans interact with machines. We’re recommending long passwords that are not words in the English language and different passwords for every site — no human can actually do that!

Cybersecurity is a national security problem and part of the international landscape. All these different things roll together. Because of its complexity and because you can never reduce your risk to zero, you have to think of cybersecurity in that risk management framework. Given your mission, you have to figure out how to implement cybersecurity to lower your risk as much as possible and still operate as a business.

That’s the right mindset — cybersecurity is a risk to be managed, not a problem to be solved. Anyone that comes in and tells you you can drive your cyber risk to zero is trying to sell you snake oil. But it’s also not true that there’s nothing you can do about your cybersecurity. The risk can and must be managed.

What is the wake-up call for small businesses on cybersecurity? How do you get them to realize they too are vulnerable and must manage the risk?

Security by obscurity is not true — you are not secure because you are small. That’s not a viable approach. If you’re connected, they can find you. In fact, cyber criminals often look for small organizations that they think might be less protected. Remote, rural areas of the U.S. are not hard to get to in cyber space.

Cybersecurity is a problem that confronts everyone. The difference is in how you think about it and what you do about it. A small utility’s approach has to be different from a larger utility’s. A smaller entity does not need to invest in expertise and tools as sophisticated as a large corporation — and is not expected to — but it must do something.

What are some of the basic cybersecurity steps a small utility can take?

In our experience, the mere fact that the leadership of an organization — the CEO and board — begins to track and regularly ask questions about it can significantly improve cybersecurity. The fact that leadership is paying attention on a regular basis, that it’s a regular item on the board meeting agenda, that the CEO and senior staff are talking about it can make things measurably better. When cybersecurity is a priority, when employees realize that senior leadership cares about and values cybersecurity, they are willing to invest time and effort into it. So just that one step can go a long way and that’s not a fancy new technology. It’s a management issue.

People are amazed that I don’t have much in the way of technology recommendations. There’s a lot of technology out there and what is needed now is to consider how you implement and use the technology in a way that is most effective for your organization.

Could the technology solutions be cost prohibitive for smaller organizations?

I actually don’t think so. It’s very easy to get distracted by the latest bright shiny object or the latest cool technology. Organizations can end up with 47 different cyber tools on their network and not be sure what all these tools even do. In fact, they make themselves less secure because they don’t understand what all the products do.

There are products and services available to small organizations that can manifestly improve cybersecurity. There are firms that specialize in helping small organizations within their budget needs.

Should cybersecurity be someone’s dedicated job or is it really everyone’s job?

It’s a little bit of both. Yes, we need more people who can write code and deal with the technical nature of firewalls and antivirus software. But we also need cyber-savvy lawyers, business school graduates, economists, and social psychologists who understand how people make decisions. A basic level of cyber understanding needs to be written into everyone’s job description. By the time you get into management, you should understand at least as much about cybersecurity as you do about reading a balance sheet (even if you’re not a finance person) — it’s a basic requirement of doing business. As an organization gets larger, you need someone who has cybersecurity as a sizable chunk — if not all — of their job.

Electricity is one of the few critical infrastructure sectors with mandatory cybersecurity standards. Is there a need for more standards to keep organizations cyber ready?

It will vary by sector and by the type of information technology you’re talking about. It’s one thing if your Excel spreadsheet crashes and quite another if your pacemaker crashes. The way we approach different sectors is going to vary and that’s OK.

Broadly, across the United States as a whole, if there are no formal standards in an industry, you’ll see informal standards of care begin to emerge. The standards may be set by a regulator, by Congress, or a court. There will be minimum expectations that you’ve implemented some cybersecurity basics to protect your organization.

Is government doing enough on the cyber front? Should they do more or less?

It’s a challenge to figure out how traditional roles and responsibilities will apply in cyber space vs. the physical world. Typically, the models we have for interactions between the government and private sector fall into one of two categories — the government is either a contractor or regulator. In cybersecurity those relationships may not work. We talk about public-private partnerships and consulting but no one is quite sure what they mean. We’re trying to work out what we want those roles and responsibilities to be but none of the analogies in the physical world map exactly into the cyber space, because of the math and the physics. That’s a big policy challenge.

Are there physical vulnerabilities that increase cyber threats in organizations?

Our physical and cyber worlds are beginning to merge, especially with the Internet of Things. The internet is becoming deeply enmeshed in our physical world. Take an industrial accident for example — you have to work to contain a chemical spill whether it happened because the valves broke physically or were opened through the internet. Ultimately, we have to learn to integrate our cyber and physical responses much more tightly across the domains.

The financial sector has started a cyber risk analysis program in which they’ve taken lessons from what the power sector has been doing in the physical world for decades — in the form of mutual aid. So you can import some concepts from the physical world and figure out how they’d work in the cyber space.

As electric utilities, what are the cybersecurity issues and responsibilities we have toward our end use customers?

We should make cybersecurity as simple as possible for our end users, and put as little burden as we can manage on them. We can make people put on their seat belts and then they are responsible for driving safely. Similarly, we can make them aware of cybersecurity and they have to shoulder some responsibility for being safe online.

We should develop more cybersecurity information we can share with end users — for example, on the security of internet-connected thermostats. Urging customers to consider security in their buying decisions is a very powerful tool.

We may also want to educate them on how to protect their data. I believe that good cybersecurity improves privacy. And effective privacy policies improve cybersecurity.

Moving forward, every business in the U.S. is going to be expected to have basic cybersecurity and privacy controls in place. These don’t have to be extravagant, budget-busting technologies. There are simple things you can do to be much better off in cybersecurity and customer data protection. For example, IT storage has become so cheap that organizations never get rid of anything. But as a cybersecurity professional I can tell you that the best kind of data is data you don’t have. So if there isn’t a business reason to store data beyond a certain date, get rid of it. Have simple policies in place and follow them.

Are there specific bad actors we should watch out for?

There are multiple bad actors out there. They range from hacktivists who want to prove they can stage an attack, to nation states that believe they are pursuing their national interests, to criminal organizations out to make money. We face threats from all of them and should be on the alert.

Any parting thoughts?

Cybersecurity is not an impossible problem. You can really do something about it.