Will it be a blitzkrieg-like invasion where a nation’s critical energy and water systems are suddenly destroyed, plunging society into chaos and panic? Or will it consist of a series of persistent guerilla attacks that aggravate the populace, weaken institutions and erode everyone’s confidence in their daily systems?
Or will it revolve around employing falsified data to control the “decision space,” which Vincent R. Stewart, USMC, calls “fifth generation warfare”? In this situation, hackers inject erroneous data into the system to coax last line of defense operators and engineers toward hazards like energizing an area in the midst of extreme wildfire danger. Even getting individuals to doubt their data is a victory.
Or will it be a shadow war, similar to the espionage during the Cold War, where security analysts will need to spend considerable time following up leads to determine whether an incident was a real attack or just a mindless bot? Significantly, more effort is needed to support criminal investigation of opportunistic mercenaries as well as geopolitical smoke screens.
As a pragmatist, I believe it will likely be, and already is, all of the above. In 2015, Ukraine’s grid was laid low by a rolling thunder attack orchestrated by sophisticated, state-sponsored hackers. Ransomware attacks, like the one that cost Norsk Hydro $25 million in lost production, fit the mercenary and guerrilla pattern. So do the repeated attacks on oil producers in the Middle East.
Clouding the decision space? That’s the impact that Stuxnet had on Iran’s nuclear ambition for years. As a result, you should not think about preparing for the next cyberwar. You should prepare for many.
And in the midst of it all we’ll see copycat opportunists seeking money or chaos. Just as Sir Francis Drake became rich by serving as a hero to the British and a pirate to Spain, bot masters like Evgeniy Bogachev will be able to leverage geopolitics for wealth and fame.
Unintended consequences of cyberwar efforts will also occur. Imagine that the ultimate cyber weapon accidently escapes containment leading to a sudden catastrophic event. A more gradual issue could result from a cyber arms race. Escalation of costs to protect an advanced society could be significant and disproportionate. In this kind of scenario, the unintended consequence of cyberwar is economic death by a thousand cuts. Fully autonomous Level 5 cars will run on over 1 billion lines of code and depend on a global supply chain: mistakes that can be just as debilitating as some kinds of attacks are inevitable.
A final reason to prepare for cyberwar includes use of attacks as a conflict de-escalation mechanism. Targeted industrial sabotage rather than an all-out shooting war has become a measured response option for policy makers.
The silver lining
In this situation what could possibly be the good news?
The good news is that the world is very aware of the problem. Salt River Project, a large utility in Arizona, admits that cyberattacks were not high on its list of possible causes of a blackout 10 years ago, according to Mark Johnson-Barbier, senior principal analyst at SRP. Now, it’s one of the first things considered, although, as he adds, SRP has not experienced a cyber-induced blackout.
Financial incentives will also encourage improvements. Banks have plenty of incentives to reduce cybercrime, which will fuel innovation. Insurance companies will demand investigations before paying claims, which in turn will give us more information about the modus operandi of criminals and, ultimately, better defenses. Cooperation, like we saw between security companies in the 2000s, will occur with more frequency on the operations side.
Efforts are also underway to improve the integrity of the cyber supply chain. Wars are won or lost by supply chains. “An army marches on its stomach,” Napoleon said, who lost his army after outrunning his supplies in Russia. By creating — and using — technologies that ensure the integrity of firmware and data, we can begin to build a bulwark for repelling attacks as well as procedures for reducing the impact of successful ones.
CyberSecurity Data Sheets (or CSDS) stem from an Electric Power Research Institute methodology, and encourage automation suppliers to more fully describe the attack surfaces and potential hazards of their products, similar to the way manufacturers describe chemical hazards in a Material Safety Data Sheet (MSDS). A software bill of materials (SBOM), meanwhile, would encourage technology suppliers to more fully document third-party code integrated into their products to avoid mystery and unwanted components. Companies such as aDolus currently offer SBOM-like services. Taken together, SBOM and CSDS arguably form a product genome for screening products and understanding how they might behave in an attack.
Similarly, we are seeing technologies and processes being developed for detecting synthetic data that can cloud the so-called decision space. Cross-referencing machine data against the law of physics is one promising idea being examined at Lawrence Berkeley Lab. If the temperature declines reported by a sensor aren’t possible in reality, the sensor has likely been corrupted. Others are looking at using AI to pinpoint suspicious patterns in machine data.
Perimeter technology innovation is a game changer. Data diodes allow data to stream one way from operating networks to IT networks without providing a return path for covert traffic or exploits. The intriguing combination of optical and copper lines was once only employed by nuclear plants and oil companies due to their $50,000 price. Now, companies are lowering the price of basic data diodes to around $4,000. Expect to see technologies like this at the sub-station and asset protection level.
Improving product and data integrity through these steps won’t stop attacks. But it will make it more challenging for them as well as better prepare organizations for the worst to come. Or, as Churchill said, “Success goes from failure to failure without loss of enthusiasm.”