By Gregory Hale
It may have seemed short and not full of detail, but when President Obama focused on cyber security during his State of the Union address Tuesday night, the idea of securing areas like critical infrastructure became front and center.
Just that one paragraph could lead to more discussion and possibly some real action by government. The State of the Union is a broad address covering a multitude of issues, so the fact that the President mentioned security, albeit briefly, brings security more to the forefront than it already is. And for an industry just getting its arms around securing its critical infrastructure, the time is right to step up security programs.
Paragraph 67 out of 103 simply said:
“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids. We are making sure our government integrates intelligence to combat cyber threats, just as we have done to combat terrorism. And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information. If we don’t act, we’ll leave our nation and our economy vulnerable. If we do, we can continue to protect the technologies that have unleashed untold opportunities for people around the globe.”
Just by cherry picking each sentence, it should become apparent the President gets it and wants to ensure cyber security remains at the forefront of people’s minds and thoughts. Now comes the hard part, which is delving down into the details.
“Securing our nation’s infrastructure is vital to our economy and way of life,” said Graham Speake, vice president and chief product architect at NexDefense, Inc. “It is imperative that all of us – government, solution providers and end users – work together to protect the automation and control systems that drive our economy forward and serve our communities each and every day. Any legislation passed by this Congress and those to come, must improve cyber security for the greater good, and not simply to satisfy a compliance checklist. Legislation, policy, and technology should empower infrastructure owners and operators to mount credible defenses against focused and targeted threats that initiate both domestically or from abroad.”
Encouraging companies to share cyber security information with the government while protecting privacy remains a vital aspect moving forward, along with modernizing law enforcement’s tools to fight cybercrime and establishing a national standard for companies to notify employees and customers about breaches.
“Cybersecurity information sharing is a critical need currently in fighting cyberattacks,” said Chris Doggett, managing director at Kaspersky Lab North America. “Too much vital information which could be used to prevent attacks is not used effectively due in part to ineffective information sharing. However, we must be careful that the concept of ‘information sharing’ does not do more damage than good. It should not cross-over into the area of broad-reaching surveillance (in conflict with our right to privacy), nor should regulations be enacted that force information disclosures which compromise criminal investigations. In addition, we must be careful that mandated sharing definitions do not result in ill-advised disclosures, such as in circumstances which result in incremental damage to the victims of the attacks.
“Updating our regulations to prohibit the types of crime that are occurring in cyberspace today and to empower law enforcement agencies to pursue and apprehend those who commit such crimes is a critical step. One of the reasons that organized crime has turned to cyberspace and that we have seen such an exponential rise in attacks is that the risk to those who commit them is much lower than in physical crimes. We must increase the risk factor to make such crimes less attractive to commit; to correct the current imbalance between risk and reward for criminal activity. That said, this will be a legislative issue that belongs to Congress and I know key members there have legitimate concerns about lesser crimes being prosecuted overzealously.
“Creating a common, national set of standards which mandate reporting to consumers the disclosure of their personal information when breaches occur would be a pragmatic and logical advancement. I think there are concerns anytime a new national mandate is considered, but we need to be more transparent with consumers in our view. Currently, the sheer volume and variation of requirements that occur from state to state makes it difficult and burdensome for companies to both determine which actions they should take, and to execute notifications to affected individuals. The result is an expensive, inaccurate and untimely process which does not best serve the interests of the affected consumers or the companies who are victims of such attacks.”
There are issues with the government getting more involved in regulating cyber security.
“I always become a little uncomfortable when legislators begin to enact drastic changes in response to recent events,” said Joel Langill, of RedHat Cyber, an independent ICS security researcher. “This approach is very ‘reactionary’ and in the long run, is not effective at mitigating the risk from a dynamic threat landscape.
“The electric utility sector was turned upside down with the introduction of the original NERC CIP compliance standards, but because they tended to be ‘backwards looking’ they underwent multiple significant changes over several years that is yet to determine if they have been successful at preventing potential cyber attacks. It is clear, however, that because of the reporting requirements imposed by NERC CIP we are aware of the significant number of attacks on the energy sector as reported annually by ICS-CERT.
“Where these reactionary laws tend to cause the greatest problems are within today’s global, multinational corporations that have operations in not just a single country, but countries that span the globe. Many of these countries are also working diligently to pass their own legislation to address cyber risks to those enterprises responsible for critical infrastructure. A perfect example of this is the recent legislation approved by the French government that will effectively require cyber security technologies and professionals to be certified or accredited by French agencies. Imagine the burden this can place on a large multinational corporation that has worked diligently to select a vendor based on sound criteria only to find out that this vendor is not currently on the ‘approved’ list in a particular country.
“I believe that the government performed their main task when they developed the Cybersecurity Framework as released by NIST. The actual details of how this is to be implemented, with whom information should and will be shared, and the resulting consequences that could result from legal proceedings must be left in the hands of the individual enterprises. Our current economic basis must not place undue regulatory stress on these corporations for fear of the appearance of excessive government oversight,” Langill said.
John Cusimano, director of industrial cybersecurity at aeSolutions, agrees the Framework was well done and any new legislation should follow that lead.
“I am not necessarily in favor of regulation but I hope that whatever does get passed is balanced and addresses both IT and OT security because this is what is truly required to protect critical infrastructure,” Cusimano said. “To me, the big news in 2014 was how well the NIST Cybersecurity Framework addressed both IT and OT security and how it recognized industry consensus standards from both realms. This balanced approach is one of the factors why the Framework has been so well received and adopted by industry. Another huge selling point for the Framework with industry is that it takes a risk-based approach rather than a prescriptive, one-size-fits-all, approach. Again, let’s hope that if any new regulation is passed this year that it follows the lead of the Framework.”
With the potential for more government involvement, there are more questions.
“After all, once the government has authority to force companies to implement specific measures, this then assumes that the government knows best,” Langill said. “What if they are wrong? Will the government then be held liable for any consequences that may result?
“This is not an easy problem to solve,” he said, “and for this reason, there is not a quick and easy solution.”
Iran Nuclear Program: Stuxnet Subcontext
During the Tuesday State of the Union address, President Obama also talked about the slowdown of Iran’s nuclear program, which has a Stuxnet subcontext.
“Our diplomacy is at work with respect to Iran, where, for the first time in a decade, we’ve halted the progress of its nuclear program and reduced its stockpile of nuclear material. Between now and this spring, we have a chance to negotiate a comprehensive agreement that prevents a nuclear-armed Iran; secures America and our allies – including Israel; while avoiding yet another Middle East conflict,” Obama said in the address.
Iran’s nuclear program suffered a severe halt in 2010 when Stuxnet, a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems, infiltrated the Natanz nuclear facility in Iran. The worm used known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-art security technologies and procedures. ISSSource reported the program was a joint effort between the U.S. and Israel.
The worm used at least four zero-day exploits and had Microsoft Windows driver modules signed using genuine cryptographic certificates stolen from respectable companies, contained about 4,000 functions, and utilized advanced anti-analysis techniques to render reverse engineering difficult.
Stuxnet had its true origin in the waning moments of George W. Bush’s presidency in 2009, said former senior intelligence officials, one of whom worked for the National Intelligence office, according to an ISSSource report.
At the time, President Bush wanted to sabotage the electrical and computer systems at Natanz, which is a fuel enrichment plant in Iran. After Bush left office, President Obama accelerated the program, these sources said.
Obama’s Tuesday address went on to say, “There are no guarantees that negotiations will succeed, and I keep all options on the table to prevent a nuclear Iran. But new sanctions passed by this Congress, at this moment in time, will all but guarantee that diplomacy fails – alienating America from its allies; and ensuring that Iran starts up its nuclear program again. It doesn’t make sense. That is why I will veto any new sanctions bill that threatens to undo this progress. The American people expect us to only go to war as a last resort, and I intend to stay true to that wisdom.”
Going to war is one thing, but what about cyber war?
— Gregory Hale