Time to Stop Hitting the Cyber Snooze Button on US Infrastructure

Jack Harrington is vice president of cybersecurity and special missions at Raytheon.

When summer thunderstorms roll through, bringing a few scattered power outages in the coming weeks, we will be gently reminded of how critical electricity is to our daily comfort and ultimately our survival.

But what if the cause of the next outage is more sinister than a garden-variety disturbance of local weather patterns?

Power grids have proven to be vulnerable to cyber terrorists. Hackers interrupted a regional power supply abroad (in the Ukraine), and white hat hackers in the Midwest recently demonstrated there’s nothing special about our own grid that would protect our systems from the eventuality of a similar – and potentially much more damaging – fate.

This is precisely the type of scenario that should strike fear into the hearts of the cyber savvy. Those of us who make our bread and butter in the world of cyber defense have long warned of the possibility of cyberattacks that could threaten our critical infrastructure, our economy and our very way of life by extension.

We now have several real-life examples proving such fears are far from unfounded. One only needs to read the latest news headlines to understand that our cyber systems are already under attack from various adversaries, both at home and abroad.

If a threat to our power grid is not enough to frighten you (and it certainly should be), consider this: attacks targeting supervisory control and data acquisition, or SCADA, industrial control systems rose 100 percent in 2014 compared to the previous year, and in 2015 the financial sector and utilities paid the highest costs of cyber crime compared to other industries. 

We are already seeing more evidence and reports of cyberattacks on critical infrastructure, including power generation, water, transportation and health care as we head into summer. In fact, a Stuxnet-like malware was recently discovered targeting and probing our industrial control systems.

Fortunately, both deep defense-grade and commercial security solutions have been developed to protect critical infrastructure networks and withstand attacks, but we must continue to move the ball forward. Any organization without robust security programs and tools in place must consider immediate adoption to maintain safe and reliable operations. After all, it’s not only critical infrastructure that faces such risk.

In fact, Ukraine offered us yet another frightening example in 2014. In May of that year, hackers were able to cripple Ukraine’s electronic voting system in advance of a presidential election. Just imagine the chaos that might ensue if that were to happen here at home during the coming fall.

It’s uncomfortable to consider, but in a world where everything is connected and therefore vulnerable, the very foundation of our own democratic principles could quite simply be jeopardized by a motivated group of hackers.

It seems everyone agrees that after years of punting the proverbial ball downfield, it is now time to take possession and take charge. Last month, a Senate committee on homeland security and government affairs heard some compelling testimony from well-known TV anchor-turned-cyber author, Ted Koppel, who believes our nation is at risk of a crippling cyberattack.

Committee members generally agreed such an attack is not only possible but also likely. For that reason among others, Homeland Security Department officials are pushing for a reorganization of the National Protection and Programs Directorate that would more closely align government and industry efforts to protect our critical infrastructure from cyberattack.

This month, new legislation was introduced in the Senate to protect our electrical infrastructure from cyberattack. The Securing Energy Infrastructure Act proposes taking our industrial control systems offline in an effort to isolate them from insidious threats that can lurk in our always-on and always-connected networks.

While this approach might be a bit unconventionally retro in nature, it is heartening to see members of Congress working with industry to think about new (and old) ways to address a very real and difficult challenge.

But further thinking and action are needed on a global scale. By working with our allies and industrial partners across the globe to ensure information sharing about cyberthreats and attacks, we can do much to further secure our collective online existence.

Twenty years ago, a power outage in Ukraine would have barely been a blip on the global media’s radar. But in the age of the “internet of everything,” a regional power outage in Ukraine has just taken away our cyber snooze bar. Regardless, the consequences of oversleeping are far too great to consider ignoring the alarm for an extra nine minutes of peace.