WASHINGTON - “This alert [from the Department of Homeland Security and the Federal Bureau of Investigation] provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation and critical manufacturing sectors.”
— Joint DHS and FBI memorandum, March 15
One curiosity of the cyber age is that the American public seems relatively unconcerned by what, arguably, is the biggest threat from the internet: attacks on the nation’s “critical infrastructure” — the electric grid, payment networks and water systems, among others.
The reaction to the recent DHS-FBI “alert” is a case in point. The report received middling media attention the day it was issued — and then coverage virtually vanished. Americans and their news outlets seem more preoccupied with U.S. President Donald Trump’s endless political crises and Russia’s interference with the 2016 election.
No one — well, no one except the president and his most ardent supporters — denies that these matters are important. But they may ultimately be less important than the disorder or chaos inflicted by a full-scale cyberassault on the institutions and networks that sustain everyday life.
Just how vulnerable are America’s critical systems? Probably no one knows, but a good guess might be “more than you think.” Do we really want the Russians poking around in our various cybernetworks looking to make trouble?
This is not child’s play. The New York Times recently reported that a cyberattack on a Saudi Arabian petrochemical plant was intended to blow it up; the attack failed only because the computer code was defective. Earlier in the century, the so-called Stuxnet computer virus — reportedly created by Israelis and Americans — damaged machinery used in Iran’s nuclear program.
It’s possible that the threats to U.S. critical infrastructure are exaggerated by non-experts and alarmists (i.e., people like me). It’s also possible that the explosion of hacking has prompted firms to improve their cyberdefenses. “If there’s any silver lining to the attacks,” says Vikram Thakur, a senior researcher at Symantec, a cybersecurity firm, “it’s that the security posture of our infrastructure has gotten better.”
Still, the Russian threat is indisputable. In recent congressional testimony, James Lewis of the Center for Strategic and International Studies put it this way: “Russia is a haven for the most advanced cybercrime groups, and no clear line delineates the criminal world from the government. The Kremlin sees Russian cybercriminals as a strategic asset.”
To counter this threat — and others — we need to take practical steps limiting the exposure of critical infrastructure to cyberattacks. Although there is no hope of providing complete protection, we can do better than at present. In an interview, Robert K. Knake, a former Obama administration official now at Northeastern University, made three useful suggestions.
First, we should put the electric grid offline. Instead of using the internet to transmit data and operating instructions, communications would shift to a self-contained network. Though some internet connections might remain, it would be harder for outsiders to penetrate the system and take control of electricity flows. (The main obstacle to this proposal, said Knake, is not technology, but money. Who’s going to pay for it?)
Second, America’s military bases should have their own sources of electricity — that is, they should be taken off the electric grid either permanently or as a backup. The problem with leaving them on is obvious: In a crisis, the grid might be immobilized, weakening the military’s ability to respond.
Third, Congress should create an agency to investigate major computer hacks. The purpose would be to learn as much as possible and publicize the results so that others could prevent similar breaches. The new agency would resemble the National Transportation Safety Board, which investigates transportation accidents.
The internet represents a permanent change in the international order. It has created new avenues for conflict and social breakdown, both at home and abroad. It has altered the nature of warfare in constantly evolving ways. We need to prepare national defenses just as we would for a conventional attack. We can’t pretend this is a bad dream that will vaporize when we awake.
I admit that I thought the DHS/FBI memo would be the catalyst that crystalized public opinion. People would recognize that our adversaries are messing not only with our political ideals but also with fresh water, reliable electricity and accurate medical records. Public opinion would shift from indifference to outrage, making possible a more aggressive response.
It hasn’t happened. What is certain is this: If we fail to act, we will have only ourselves to blame for the consequences.
Robert J. Samuelson writes a column focusing on economics and business for The Washington Post. © 2018, The Washington Post Writers Group