The federal government has warned companies in five sectors that “advanced persistent threat” actors (read: nation states) are targeting them. The advisory, issued by the FBI and the Department of Homeland Security, was clear that these unnamed actors (likely Russia) are engaged in a “multi-stage intrusion campaign” with the goal of compromising “low security and small networks” to gain access to “high value asset owners within the energy sector.”
The warning stated that “…threat actors are actively pursuing their objectives over a long-term campaign.” My question is, why doesn’t the United States do the same?
If Russian actors have a long-term strategy to gain the capability to damage U.S. critical infrastructure networks, the United States needs a long-term strategy to protect them. Warnings are not the same as strategy.
Don’t get me wrong: the advisory is useful. It contains indicators of compromise to help security teams detect the threat actors. But it also contains a long list of best practice recommendations (twenty-eight in total) to help organizations protect themselves. If the alert found it necessary to reiterate what critical infrastructure operators should be doing already, it is safe to assume that those targeted did not follow best practice.
It would take a mid-market organization several years and several million dollars to implement the full package of best practices. It involves re-configuring networks, placing sensors throughout, and establishing an extensive monitoring program. Most companies in the electricity sector are not going to make that investment on their own.
Utilities operate on very thin margins. Many have their rates set by local utility boards and simply do not have the budget necessary to protect their networks and systems against advanced actors.
As I wrote in a paper examining the potential of a cyberattack on the U.S. power grid earlier this year,
Risk managers at utilities will argue that they must balance the possibility of a cyberattack against the near certainty that weather events will affect their customers. A decision to increase spending on cybersecurity could come at the expense of burying power lines, raising them above the tree line, or trimming trees along the lines.
The evidence shows this position to be entirely reasonable. The Department of Energy received only three reports of cyber incidents in the electricity sector, none of which affected customers for all of 2016. Meanwhile, weather events caused outages affecting 5.2 million customers. When tapping into the same pool of money for risk mitigation, weather wins over cyber every time.
The Trump administration can and should do more to clarify its deterrence policy with respect to a Russian attack on the grid. It can and should increase information sharing with companies under threat and help them share more information with each other. But what the Trump administration really needs to do is figure out how to work with Congress to increase these companies’ investment in security.
Increased regulation, at least in the absence of new funding, will not do. In other industries where prices are not controlled, a level playing field of requirements could lead to increased investment across the board. With utilities, it is likely to lead to more money going to “demonstrating compliance”: documenting how existing controls already meet the mandate.
A better, and politically more palatable, option might be to create a universal security fee that is billed with usage charges every month. If a new tax on consumers is not politically palatable, the Trump administration could propose going the other way: instead of raising taxes on individuals, cut taxes on utility companies that make investments above their current level in cybersecurity. Or it could look at the next round of stimulus spending as an opportunity to funnel funds directly to security improvements in the sector.
All of these options are imperfect. Any one of them would be better than hoping and praying that the next advisory will scare utility operators into changing the underlying economics of their industry.