From today's Washington Post:
National Security: Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid security, officials say
While the Russians did not actively use the code to disrupt operations, according to officials who spoke on the condition of anonymity to discuss a security matter, the discovery underscores the vulnerabilities of the nation’s electrical grid. And it raises fears in the U.S. government that Russian government hackers are actively trying to penetrate the grid to carry out potential attacks.
Officials in government and the utility industry regularly monitor the grid because it is highly computerized and any disruptions can have disastrous implications for the country’s medical and emergency services.
Burlington Electric said in a statement that the company detected a malware code used in the Grizzly Steppe operation in a laptop that was not connected to the organization’s grid systems. The firm said it took immediate action to isolate the laptop and alert federal authorities.
The facts do not come out until paragraph three, preceded by very scary headline and paragraphs 1 and 2. The laptop was not connected to operations. It could have been infected by an employee viewing porn sites. The infection contained at least a snippet of code attributed to Russian origin.
I'm willing to believe that the malware found was of Russian origin. But hackers share malware freely and excerpt and morph it to fit their needs. The Stuxnet virus, supposedly of US Government origin is like that. Finding a snippet of Stuxnet code on an infected computer today is very weak evidence that the US Government put it there.
Here is my central point. Bad guys can very simply and cheaply use hacking to spread fear in out country, and to erode trust in our institutions, and to cause us to spend our money foolishly. Measured in terms of money, it is asymmetric to the extreme. Security vendors salivate over prospective sales of $100-$150 billion in smart grid or cyber security hardware and software. It might have cost the bad guys less than $10 to get the malware on the Vermont computer. That suggests a leverage of 10,000,000:1! Readers may wish to argue for a lower number, perhaps 1,000:1. But we should all agree that the gain is very much bigger than 1, thus asymmetric in favor of the attacker.
Next, I think back to the so-called Strategic Defense Initiative of the Reagan years (known as Star Wars). It has been said that Star Wars was the straw that broke the back of the Soviet Union. Perhaps Star Wars was genuine, or perhaps it was an insanely successful ruse. No matter. That little packet of information, true or false, achieved what 30,000 nuclear warheads over the span of 40 years did not accomplish. It was asymmetric to the extreme.
It seems entirely plausible that the Russians, North Koreans, Iranians, or other enemies can have a field day practicing asymmetric cyberwar with the USA. The beauty of the scheme is that they do not need to ever succeed in causing a blackout or anything else with physical reality. All they need to do it to destabilize our society with anxiety. If we accept that the Russians did meddle with the US election, then destabilization rather than electron of Trump seems to be a much more believable motive. Hundreds of millions of Trump opponents, still stinging with disappointment, are willing to jump on that destabilizing wagon at this moment in time.
It may be true that the USA is much more skilled than any other country in offensive cyberwar capability. But it is also true that we are more vulnerable because (a) we are so computer dependent, and (b) because our free speech traditions allow the media megaphone to amplify fears and concerns. The USSR in the 1980s was vulnerable in different socioeconomic ways. Star Wars was merely the trigger, not the total cause of Soviet Union collapse.
What can we do? We can't repeal the 1st amendment. But we can and should solicit the cooperation of the media. Using today's Washington Post article as an example, all that would be needed would be to to make the raw facts appear first. Make facts the first paragraph and the headline. The authors would still be free to embellish the facts with speculation about scary possibilities, but the editors could simply move those to paragraph 20 of the story. It is ironic to note that other countries with weaker free press traditions (including much of Western Europe) would find it easier to do than we would.
It is my opinion that if we could accomplish that simple change in how we emphasize and highlight information, that the USA.
There are also other things not related to cyber security that we can do to make ourselves less vulnerable, but I'll leave those for another day.