A declaration of bankruptcy for US critical infrastructure protection

According to the Wall Street Journal, DoD’s first formal cyber strategy is based on the doctrine that a cyber attack on US critical infrastructure can be answered with a conventional military strike. The article is decorated with macho statements from unidentified military officials, such as “if you shut down our power grid, maybe we will put a missile down one of your smokestacks.” The military person who said that may have had full confidence in how deterring and frightening his or her line would be to wannabe attackers, and yet could not be more off the mark. Here is what everybody can read from DoD’s cyber strategy, given that the WSJ’s report is authentic (which I don’t call into question):

1. We, the Department of Defense, acknowledge that US critical infrastructure is vulnerable to cyber attack.

2. We don’t assume that any of the numerous efforts launched by DoD, DoE, or DHS, supported by several Presidential Directives, had a significant positive impact on US critical infrastructure protection. We don’t assume that new legislative efforts that are discussed in Congress will change the picture. Therefore we, the military, need to take matters into our own hands, and will eventually solve this software problem with a hardware solution.

3. We assume that cyber attackers would be identifiable and locatable, thereby making them potential targets of our conventional precision weapons. We also assume that any hostile act of retaliation would not lead to complications with a hosting country that may be completely uninvolved and unaware of the cyber attack that might have been completed months or years ago.

Let’s look at these items in detail.

1. It is refreshing to see government officials acknowledging this simple fact, which has been known to insiders for years. Hard to believe a DHS official will ever admit something like this in public.

2. There is some irony here. Historically, DoD is the initiator of CIP research and concepts as related to cyber attacks – see US Army captain Barry Ezell’s thesis, published in 1998. I wonder what other Departments, most notably DoE and DHS, have to say about DoD’s devaluation of their protective efforts. Whatever they will say, it would certainly be beneficial to arrive at one commonly shared doctrine.

3. This is the most bizarre proposition. DoD strategy planners seem to have difficulties understanding that cyber strikes don’t follow the rules and patterns of conventional warfare. In order to launch a cyber strike, no air force is needed, no air base, no fissile material, no supply chain of ammunition, etc. A significant cyber strike could be executed by a cyber equivalent of a corporation similar to Xe Services – a comparatively small network of international experts who may operate from any location in the world, working on contract for the highest bidder. Such organizations may partly even use assets who are completely unaware of what exactly they are doing. Let’s assume core team members for a certain mission are located in Switzerland, the Netherlands Antilles, and the United States, working on contract for… well, who knows? Maybe a rogue nation state, or a terrorist organization that just happened to be successful enough in fundraising, or they might just do it “pro bono”, i.e. as a PR stunt to attract clientele. So exactly which smokestack is going to be hit by a US missile in retaliation, and when – a day, a month, or years after the fact?

The bottom line is that deterrence won’t work to defend against cyber attacks. However, the most ironic aspect of this discussion is this: I wrote months ago that, compared to a conventional military attack, Stuxnet was a bargain in economic terms. The same applies to defence. It is much cheaper, and certainly more intelligent, to implement reasonable cyber defence mechanisms for critical infrastructure than to accept a cyber strike and retaliate using conventional military force (given that this would be feasible at all) – praying that such potential retaliation would keep attackers at bay. There is little myth about how to secure control systems. Nevertheless it hasn’t been done for years, deliberately ignoring the risk in order to polish quarterly figures. Everybody from the energy sector to automotive suppliers kept installing networks and complex cyber systems like crazy, spending millions on gadgets like web servers in field devices, and pennies on cyber protection. SIS, for example, are a success not because they are safer, but because they offer better economy and more convenience than analog safety systems. In essence, DoD is arguing that all this bean-counting cost-saving we have seen in I&C over the last decade has put us in a position where only the world’s most potent military force can help to ensure reliable operation of critical infrastructure. Well, they have a point, even if I see the solution elsewhere.

I hope that policy makers will read the new cyberwar strategy in all its facets, and will reconsider whether the military is the appropriate organization for critical infrastructure protection against cyber threats.

Ralph Langner