Sen. Angus King (I-Maine) thinks the United States can learn something from Ukraine when it comes to cybersecurity.
King, who serves on the Senate Energy Committee, wants the government to consider unplugging some digital systems at strategic positions in the nation's power grid -- and replacing them with physical ones that hackers can’t compromise.
This is what helped Ukraine recover after a massive cyberattack that hit its electrical grid in 2015 and shut off power for about 225,000 customers. Three companies targeted in the attack were able to recover power by switching off their digital systems and reverting to manual operations.
Yet the U.S. is far more reliant on its digital systems -- and King warns that switching to manual on the fly after a crippling attack would be difficult.
“The grand fear is that a cyberattack could take down the grid and that would take down with it hospitals, financial centers, people’s day-to-day lives,” King told me. “There’s no question lives would be lost.”
King compared the idea of taking key parts of the electric grid offline to the push among election cybersecurity experts for paper ballots rather than voting machines that record ballots digitally -- and are more vulnerable to tampering.
“Sometimes the old stuff is the best,” King said.
As the Homeland Security Department warns that Russian government-backed hackers have been trying to infiltrate the U.S. energy sector since at least March 2016, King is sponsoring a bill with Sen. James Risch (R-Idaho) that would fund a $10 million National Laboratories study focused on isolating key portions of the grid. The Securing Energy Infrastructure Act would also establish an Energy Department-led working group that would create a grid cybersecurity strategy focused on helping energy companies defend their most critical systems from attacks.
The bill passed the Senate last Congress but not the House. Given its record of bipartisan support, King is hopeful the study can pass both chambers within a couple of months this go-round.
Rep. Dutch Ruppersberger (D-Md.), who’s co-sponsoring the House version of the grid study bill with Rep. John Carter (R-Tex.), described it in a news release as a “‘back to the future’ approach” to grid security.
The idea for the study came from Idaho National Lab researchers who had studied the Ukraine attack, King said. In the case of that attack — which Ukrainian officials attributed to Russia — the lights were back on after only a few hours. The Ukraine attack was accompanied by a denial of service strike that overwhelmed telephone networks with phony traffic, seemingly designed to prevent customers from getting information about the outage.
A massive attack against the electrical grid has long topped the list of cyber experts’ greatest fears, but the 2015 Ukraine attack is the only known case of a significant grid attack.
That’s partly because it requires far more specialized knowledge to hack into industrial control systems that run power grids than it does to hack into consumer technology such as computers and smartphones. And the nation-state-backed hacking groups that are capable of such attacks are also probably hesitant to launch them for fear they will quickly escalate into military conflicts.
Still, Russia has made aggressive moves to develop cyberweapons that could be used to disrupt the electric grid. And such an attack would only become more likely if the United States and its Cold War adversary were engaged in a broader military conflict.
King warned during a hearing last week of the Senate Energy Committee that Russian hackers are already attempting to penetrate the grid. If they successfully compromised major electrical utilities, he warned, they could shut down power to large segments of the United States, bringing critical services to a halt.
“This is not a threat. This is happening now,” King said. “This is not something that may happen next year or two years from now.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Microsoft has identified another Russian-government linked hacking operation targeting prominent think tanks that are critical of Russia, my colleagues Elizabeth Dwoskin and Craig Timberg reported.
The spearphishing campaign, which targeted more than 100 European employees of the German Marshall Fund, the Aspen Institute Germany, and the German Council on Foreign Relations, was launched by the APT28 hacking group, the same Russian military intelligence unit that interfered in the 2016 U.S. election, according to a Microsoft blog post.
“The announcement is also the second time in the past six months that Microsoft has gone public with its efforts to thwart APT28, which is sometimes called Strontium or Fancy Bear,” Elizabeth and Craig reported. “The attacks we’ve seen recently, coupled with others we discussed last year, suggest an ongoing effort to target democratic organizations,” the company said in its blog post. “They validate the warnings from European leaders about the threat level we should expect to see in Europe this year.”
PATCHED: Voters in Georgia voiced concerns about the security of ballot-marking devices that would replace the state's paperless direct-recording electronic (DRE) voting machines, the Atlanta Journal-Constitution's Mark Niesse reported. Election security experts have warned that DRE machines can be vulnerable to hacking. A bill in Georgia would lead to the adoption in the state of touch-screen machines that issue paper ballots, but voters during a hearing said hand-marked paper ballots would be a safer alternative. “Hand-marked paper ballots are the state of the art when it comes to secure voting systems,” voter Elizabeth Shackelford said, according to the Journal-Constitution. “Security of our vote is extraordinarily paramount. . . . Why would you not go for the ultimate in transparency?”
A ballot-marking system would cost the state $150 million while a hand-marked voting system would amount to $30 million. Niesse reported that “election officials said the touchscreen voting machines, called ballot-marking devices, are accurate because they can help avoid errors that could be introduced by voters marking their ballots by hand.” State legislators are scheduled to hear from the public again today.
PWNED: The cybersecurity firm CrowdStrike found that Russian state-sponsored hackers are significantly faster than their North Korean and Chinese counterparts in moving into a network after initially accessing a victim's computer systems, Wired's Andy Greenberg reported. CrowdStrike said in its 2019 Global Threat Report that Russian hackers took on average less than 19 minutes to move into a victim's network following the initial compromise, a metric that the company calls “breakout time.”
Dmitri Alperovitch, chief technology officer at CrowdStrike, said this metric helps illustrate how formidable Russian hackers are as an adversary. “Russia is really the best adversary,” Alperovitch told Wired. “We’ve engaged with them on investigations, discovering and combatting them, and this breakout time is a real proxy for how good they are. It really captures that operational tempo . . . they're just incredibly fast, almost eight times as fast as the next adversary.”
The company analyzed more than 30,000 breach attempts to determine breakout times, Wired reported. North Korean state-sponsored hackers' average breakout time was about two hours and 20 minutes. Chinese hackers took on average four hours to move into a target's networks and Iranian hackers took more than five hours.
— Ren Zhengfei, the founder of Chinese telecommunications giant Huawei Technologies, denied that the company's products have back doors that Chinese authorities could use for spying, The Washington Post's Hamza Shaban reported. U.S. officials have said that Huawei could be used by Beijing as a platform for spying and have sought to convince allies to block the company from involvement in their 5G networks because of security concerns. In an interview on “CBS This Morning,” Ren also denied that Huawei shares information with Chinese authorities.
“Asked whether his company’s hardware has built-in vulnerabilities to enable government spying, perhaps without his knowledge, he said, ‘It is not possible because across our entire organization we have stressed once and again that we will never do that,’ ” Hamza reported.
— Two House Democrats requested a briefing from Facebook following a complaint filed with the Federal Trade Commission alleging that the company didn't make clear that some users' health information could be exposed without consent, the Hill's Emily Birnbaum reported. The complaint from a group of patients and health data experts alleged that Facebook didn't clarify to users that they could be exposing their health information when they became part of medical support groups.
House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.) and Rep. Jan Schakowsky (D-Ill.), chairwoman of the panel's subcommittee on consumer protection and commerce, demanded a staff briefing from Facebook on the matter in a letter to chief executive Mark Zuckerberg. “Despite the indications that the groups were private and anonymous, people and companies who should not have been admitted to these groups gained access to them and to lists of group members,” the lawmakers wrote.
— Microsoft-owned GitHub expanded its bug bounty program and increased the amounts of rewards to researchers, VentureBeat's Emil Protalinski reported. “GitHub also revealed that it paid out over $250,000 to security researchers in 2018 through its public bounty program, researcher grants, private bug bounty programs, and a live-hacking event,” according to VentureBeat. “Of that total, $165,000 was specifically paid out to researchers through the public bug bounty program.”
— Ethical hackers said they found security flaws in five password managers, The Washington Post's Geoffrey A. Fowler reported. As a result, users of those password managers are at risk of a targeted malware attack, according to a report from Independent Security Evaluators. “It found the Windows 10 apps for 1Password, Dashlane, KeePass, LastPass and RoboForm left some passwords exposed in a computer’s memory when the apps were in ‘locked’ mode,” my colleague wrote. “To a hacker with access to the PC, passwords that should have been hidden were no more secure than a text file on your computer desktop.”
— A Dutch cybersecurity researcher found a database exposed online that contained data on more than 2.5 million people and underscored the extent of China's surveillance activities in the country's western region of Xinjiang, the Associated Press's Yanan Wang and Dake Kang reported. The researcher, Victor Gevers, “found that SenseNets, a Chinese facial recognition company, had left the database unprotected for months, exposing people’s addresses, government ID numbers and more,” according to the AP. “After Gevers informed SenseNets of the leak, he said, the database became inaccessible.”
- Senate Commerce Committee hearing on “policy principles for a federal data privacy framework” on Feb. 27.
- The Atlantic Council holds a discussion on “operationalizing cyber strategies” on Feb. 27.
- The Center for Strategic and International Studies holds an event on “China's pursuit of semiconductor independence” on Feb. 28.
- The Center for Strategic and International Studies holds an event on “digital governance and the pursuit of technological leadership” on March 4.