In September 2007, in a remote laboratory in Idaho, researchers began to show that that picture had begun to change, dramatically and irreversibly. Dubbed "Aurora," the researchers' project demonstrated the ability of a cyber hacker to destroy physical equipment—in this case a generator used to create electricity for the power grid. The Aurora research brought the question of physical safety and the ability for a nation to defend itself from attack in the cyber world to the forefront. For the next three years, this difficult discussion would largely remain just a discussion, contemplated, if passionately, in corners of Washington and at wonk-ish meetings across the U.S.
The first dramatic images of a generator shaking and belching smoke were vivid enough to force the informed to begin to consider the implications of such an attack occurring in the real world. We began to envision scenarios of a broad-scale attack on U.S. infrastructure, with the potential to cause blackouts that could last for months, contaminate our water supply, and cause industrial disasters. Forget Facebook—we began to worry about our ability to keep the lights on.
In 2010, along came the Stuxnet Worm, which took the hypothetical scenario extrapolated from the Aurora research and proved not only that it had been done, but also that it was released and traveling through cyberspace undetected. The worm carried with it all of the potential outcomes of Aurora to be triggered by a packaged-up set of autonomous code. Now the risk was real and it became very vivid. [Editor's note: Read the full text of Assante's Congressional testimony on Stuxnet (PDF, registration required).]
For the first time in a public forum we could read about a real-world scenario with physical consequences playing out as a result of an attack from a remote computer. In our minds' eyes, the images of toxic vapor rising from a chemical processing plant or a series of explosions at power plants across the country began to crystallize.
[Also see 4 things the Roman aqueducts can teach us about securing the power grid by Assante and Mark Weatherford]
This new "face" of the cyber threat tears away at our notion of cyber security being confined to the "cyber" world. It elevates certain types of computer attacks to a higher-level of decision-making in a nation state and turns what was traditionally a law enforcement matter into one for the military and intelligence community. Before Aurora and Stuxnet, a leader could afford to ignore or to tolerate the majority of cyber attacks and choose to quietly conduct investigations and deal with longer-term efforts to raise awareness and develop more responsible and capable participants in the computer ecosystem. When we considered the cyber security threat, most of us could easily dismiss the headlines as routine. Viruses, identity theft, WikiLeaks, even large-scale financial scams are part of our every-day vernacular, understood as an unavoidable consequence of our life on the web. We all recognize these risks exist, the costs can be quite large, but, after all, we like our e-mail, we like Facebook, we like the convenience of immediate access to virtually everything. We still get in the car each morning to go to work.
Cyber risk, is most often an invisible threat: unseen, often undetected, and absorbed by society as a necessary evil that comes along with the vast improvements made possible by the internet. Rarely do these threats occur in such a way that scares us—even more rarely do they occur in a form that we would begin to consider government, let alone military, intervention necessary or appropriate. Even though the losses of information and monetary value are very real and ultimately have physical, "real-world" impacts, they lack the vividness that taps into the human perception of real danger. Certainly a President can recognize the negative circumstances and deplore the many acts that result in the theft of information or financial damages to organizations, but they did not feel compelled to directly respond in a public manner using instruments of national power. The cyber effort could be left to professionals across the nation and dealt with in a less than real-time manner, not having the necessary gravity to call into question the confidence of a people in their leader. Stuxnet has changed that precept and made the cyber threat a clear and present danger.
Stuxnet has delivered to the President, and other leaders throughout the developed world, the possibility of being confronted with a cyber attack that would require a real-time response using the instruments of national power. In its release of the International Strategy for Cyber Space, the White House has clearly communicated its national security doctrine for cyber attacks that carry with them this recognizable danger to public safety. The document states, "Right of Self-Defense: Consistent with the United Nations Charter, states have an inherent right to self-defense that may be triggered by certain aggressive acts in cyberspace". The nation's defense objectives are clearly stated, "The United States will, along with other nations, encourage responsible behavior and oppose those who would seek to disrupt networks and systems, dissuading and deterring malicious actors, and reserving the right to defend these vital national assets as necessary and appropriate".
This right to act in defense would also extend to friendly nations, "When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defense, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests. In so doing, we will exhaust all options before military force whenever we can; will carefully weigh the costs and risks of action against the costs of inaction; and will act in a way that reflects our values and strengthens our legitimacy, seeking broad international support whenever possible."
The White House makes it clear that it is developing a strategy of deterrence and credible response that will rely on treating certain acts as law enforcement matters with real consequences for threat actors, and others as national security matters that may illicit a military response. This notion of military response to a cyber attack, to include the use of violence to defend our nation, is a direct result of the ramifications and dangers made clear and present by potential attacks like Stuxnet.
In addition to a clear policy of deterrence and military retaliation, these types of attacks justify strong, coherent, and cohesive domestic policy to ensure these threats are adequately protected against throughout our critical infrastructures. Today, incentives are not appropriately aligned for business owners to make sound investment decisions with respect to these risks, resulting in under-secured systems and assets. Many call for a strong regulatory framework should be put in place for all critical infrastructures to lessen the likelihood of a successful attack and provide the ability to manage a Stuxnet-like attack.
Regulation will ultimately be necessary, but I must share my recent experience with electric power system cybersecurity standards. These standards have polarized the industry and have imposed compliance requirements on a highly-dynamic and not fully understood area of risk. The result has been a conscious and inevitable retreat to a compliance/checklist-focused approach to the security of the bulk power system. Regulation, although necessary, should be re-evaluated and designed to emphasize learning, enable the development of greater technical capabilities through more qualified staff, and discourage the creation of a predictable and static defense. This will take time and will not be an easy task.
This new reality will also require the clarification of emergency powers and authorities to respond to and defend against such attacks, potentially from within private networks. The mechanisms to enable this kind of action have been highly-contested, and many legislative proposals tabled and left behind. The issue they grapple with was perhaps best highlighted by the chairman of the House Armed Services Committee, Rep. Howard P. "Buck" McKeon, (R-Calif.), in his comments on the Rules of Engagement in cyberspace for the Defense Department, saying "because of the evolving nature of cyber warfare, there is a lack of historical precedent for what constitutes traditional military activities in cyberspace."
[Also read George Hulme's If Stuxnet was an act of cyberwar, is the US ready for a response?]
As a nation, we have many questions to answer if we are to determine how to make the right decisions in response to cyber security threats or attacks, particularly those that might ultimately lead to the use of military force. What would demand such a response? Certainly it is a combination of factors, to include our confidence in the understanding of who conducted the attack, why it was conducted, and what their future intentions and capabilities may be. But the decision will ultimately rest on the impacts and implications of the attack itself. The President will be faced with the need to decide if constraining the nation's ability to produce or supply a given product for some period of time would qualify. This is no small matter when the product in question is a life-sustaining drug in short supply or the loss of electricity to a major city or the contamination of a water source. We must also wrestle with our inability to control all actors operating from U.S. territory or with links to our interest from precipitating a justified response by another country that parrots our own policy. These are the scenarios that will need to be considered and developed into the strategy of both deterrence and credible responses.
With the advent of Stuxnet and Aurora, we have truly entered the "bad new world" of cyber security—a "bad new world" that now demands our attention at the highest level. Unlike in the past, the headlines of today call into question our nation's ability to "provide for the common defense," and threaten the safety of our citizens and our way of life. This new face of cyber security is one that has vivid physical impacts, and is no longer a movie script that requires the suspension of disbelief.
The paradox of the matter is this: the risk we have learned to so easily dismiss may ultimately cost our society more than those attacks we are now driven to protect against. The average cost to of cyber attacks to medium to large businesses is a concern, but the longer-term implication of the loss of intellectual capital is stunning. These real costs are a reminder that any national strategy needs to effectively span the spectrum of attacks as the cost incurred by the U.S. as a result of Stuxnet-like attacks to date is zero.
Such, however, is the nature of why and how man feels compelled to act. It is the dramatic events able to penetrate our armor of self-deception that get our attention. We are left to consider the difficult to assess consequences of all cyber attacks on our productivity, viability, competiveness, and national security. We must develop doctrines that are flexible enough to deter a death that comes by a thousand cuts while rationally deterring more vivid attacks that directly impact public safety.
We are left with the difficult imperative to shape a prudent defense against both the litany of attacks impacting our country's competitiveness and economic well being and to the now illuminated specter of attacks that will result in physical damage. We would be wise to invest our efforts into developing highly technical and skilled cyber defenders and finding ways to enable them. The bad new world should not deter us from deploying and driving the technology of tomorrow nor should it tie the hands of our defenders with compliance-focused security programs. We must look to the future with eyes wide open recognizing the vivid and less vivid implications to getting it wrong.
Michael Assante is President and CEO of National Board of Information Security Examiners and former Chief Security Officer at the North American Electric Reliability Corporation (NERC).