Re-Engineering America’s Cyber Glass House
Blackouts caused by an explosion hit the Natanz uranium enrichment site in Iran last Sunday in what appears to be an attack aimed at slowing down nuclear weapons development. Iran blamed Israel for the blast, and press reports speculated it was a result of an Israeli cyberattack. Although the attack is broadly consistent with Washington’s goal of preventing a nuclear-armed Iran, the episode is yet another reminder of the vulnerability of America’s own infrastructure to cyberattack.
The attack on Natanz provides an immediate reminder of the 2009-2010 Stuxnet attack on Iran, in which malware caused 1,000 centrifuges to break by spinning out of control. This time, instead of developing highly tailored malware and carefully placing the virus on USB drives to evade Natanz’s air gaps, the attackers took out the facility’s power source. To this day, analysts debate the long-term impact of Stuxnet on Iran’s nuclear progress. Sunday’s incident, however, is likely to cause long-term headaches for Iran, as some intelligence officials estimate it may take nine months to restore Natanz’s full productivity.
Did a cyberattack cause the blackout? Maybe. The lack of immediate certainty regarding the cause of the power source failure implicitly acknowledges the potential kinetic effects caused by cyberattacks. Just as moats and castle walls are obsolete, the safety once provided by virtual firewalls has also come to an end. Today’s cyberattacks are complex and multidimensional. Hackers spend significant time formulating an effective attack strategy, not only targeting vulnerabilities in the bits and bytes but also exploiting the people and processes of the enterprise. Too many private companies and public utilities narrowly focus their cybersecurity fixes, implementing a series of controls and standards with little understanding of how the system as a whole may respond to an attack.
In the book Countering Cyber Sabotage, Andrew Bochman and Sarah Freeman discuss how any one particular defensive tactic is inadequate to prevent current and future cyberattacks. “At the end of the day, there are certain types of adversaries that can find their way through,” Bochman explained at a recent event hosted by our organization, the Foundation for Defense of Democracies. “And if they do, and when they do, there are some things you can now do to make sure that the very worst things don’t happen.”
The solution is a cybersecurity-centric engineering process called Consequence-Driven, Cyber-Informed Engineering (CCE). In plain terms, while the systems that control things like power generation, water utilities, and chemical plants that impact our everyday life are being developed, and even after they are deployed, operators think like hackers to identify pathways to cause mission failure and then work to mitigate doomsday scenarios through engineering solutions.
We do not know what tomorrow’s advanced attack may bring and what techniques and tools a determined adversary will develop. But how the hack happens has become almost irrelevant. The adversary will always find a way to compromise a system. The best risk mitigation becomes blocking the ability of an adversary to cause the failure of a critical function, and focusing on continuity, resiliency, and the ability to operate through the crisis.
In the 11 years between Stuxnet and Sunday’s blackouts, what has the United States done to build resilience – the ability to anticipate, withstand, recover, and adapt – into its own critical infrastructure? It is often said that the United States lives in a cyber glass house; over the past decade, Washington’s solution has been to build stronger windowpanes. Too little attention has focused on what happens after the glass shatters. In this new battlespace of escalating cyberattacks, America must prepare to recover and adapt.
Congress wisely understood the importance of resiliency when, as part of the Fiscal Year 2021 National Defense Authorization Act, it tasked the executive branch with developing “Continuity of the Economy” (COTE) planning efforts. Establishing a COTE plan will entail understanding the intricate relationships between and among industries. In so doing, the plan can develop a prioritized recovery order that ensures immediate and efficient actions demonstrating U.S. government and economic resilience in the face of the latest, most advanced attacks.
Just as CCE helps utilities, critical infrastructure providers, and other companies become resilient in the face of a determined attacker, COTE makes the nation as a whole more resilient. Through a structured prioritizing of essential functions, the United States will bolster its deterrence against cyber adversaries since the country will live to fight another day even after a large-scale attack.
The ability to recover after the glass breaks and ensure essential functions continue is what sets apart the vulnerable from the resilient. Whether or not it was indeed a cyberattack that brought Natanz to its knees, the United States should learn from Iran’s vulnerabilities. It is tempting to see only the upside to our adversaries’ weaknesses, but America must not forget that a determined, well-resourced actor will penetrate even the most secure systems, American critical infrastructure included. If the press stories are accurate, this time the cyber actor was a U.S. ally, but the next time, we may be the target.
Dr. Georgianna Shea is the chief technologist of the Transformative Cyber Innovation Lab and Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD) and previously served as a subject matter expert and consultant to the Office of the Secretary of Defense on cyber resiliency.
Dr. Samantha F. Ravich serves as chair of CCTI and a commissioner on the U.S. Cyberspace Solarium Commission. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.