National Security

Network News

Sandy turned off the lights, the phones, and the heat. A cyber attack could make it all happen again.

Verizon's chief technology officer surveyed a flooded major switching facility in lower Manhattan and put it bluntly: "There is nothing working here. Quite frankly, this is wider than the impacts of 9/11." Damage from Sandy is estimated to reach $20 billion, and interrupted phone service is among the least of it. Flooding in New York's century-old subway system is without parallel. Bridges and roads, homes and businesses have been destroyed. Days after the storm, many businesses remain closed, their employees out of work. And tens of thousands are suffering -- cold and in the dark.

Storms and floods are not the only infrastructure threats that invoke comparisons to 9/11. Secretary of Defense Leon Panetta made headlines recently when he noted that the economic consequences of a successful cyber attack on our financial system, electric grid, or other infrastructure could dwarf the economic consequences of 9/11. Actually, this wasn't news. Former Director of National Intelligence Mike McConnell had said the same thing five years earlier. They're both right. And the consequences of that kind of attack might not be merely financial. A cyber attack causing an explosion at a chemical plant, for example, could cause grievous loss of life.

This is not fantasy. We know we can blow up an electric generator using nothing but a keyboard and a mouse. Water systems have been polluted using a laptop. Centrifuges in nuclear plants have been physically destroyed with software. In August, a computer virus called "Shmoon" wiped all the information off 30,000 computers at Saudi Arabian Oil Co. The virus came from Iran. Today, half a dozen U.S. banks are under attack, almost certainly also from Iran. We know our electric grid is being probed from abroad.

Who's paying attention?

The Senate can't pass even watered down legislation that would simply require that critical infrastructure sectors develop their own security standards. In early August a bill sponsored by Senators Collins and Lieberman went down to defeat when the owners and operators of the electric grid objected vehemently about government-mandated standards. The objection was frivolous. The bill called for voluntary standards to be promulgated by industry, not government. Still, the owners demanded liability protection. From what? From the risk of observing their own standards! This is ironic, because if disaster struck, rate-payers (that's us), insurance (we pay the premiums through our rates), and the government (that's us again) would be stuck with the tab -- not shareholders. No wonder the grid's owners and operators have a higher taste for risk than the businesses that depend on them.

In fact, government policies actually encourage such risk-taking. Insurers play an important role in reducing risk because they have a direct interest in reducing claims, but this market dynamic works poorly when government shields shareholders from liability. Consider how government-subsidized flood insurance prevents markets from requiring people to assume the risk of their own choices. More significantly, the U.S. government currently indemnifies the owners of nuclear power plants on a no-fault basis for damage in excess of $12.6 billion. That limit is derisory compared to the potential damage from a nuclear meltdown. Raising or eliminating that limit would require higher insurance coverage, which in turn could lead insurers to play a tougher role in setting and enforcing their own security standards.

To be fair, the big, private-sector electricity generators and transmission companies are serious about security. But their security officials are no match for a state-sponsored attack. The Department of Homeland Security has Industrial Control System Response Teams, known as ICS-CERT. These fly-away teams respond to advanced cyber threats at the urgent request of system owners, and they reportedly spend most of their time dealing with power systems -- electricity and gas. So the threat is real, yet many players in this industry still don't understand it. In some cases, employees of grid operators can reportedly access remote field equipment through Bluetooth connections to the Internet. These practices are rash. An attacker doesn't care whether he gets into the grid through a big company's main generator or a carelessly connected municipal field station. Once he's in, he's in; and if the electricity goes out, everything stops.

That's why isolating the key control systems of our critical infrastructure from the Internet should be a national goal. But the trend is in the opposite direction. If you have an iPhone, try this experiment: Search "SCADA" in the app store. (SCADA stands for "supervisory control and data acquisition.") You'll find a handful of free or cheap mobile apps for accessing industrial control systems through their programmable logic controllers, or PLCs. As an ad for one of these apps puts it, "Plant engineers, PLC software developers, maintenance people, and in general anyone dealing with PLC based systems will be able to connect to them at any time, from anywhere." This is convenient, but it's a security nightmare.

The Internet is porous and insecure, and if you can penetrate a publicly accessible network to steal information, you can also corrupt or wipe the information on the network, or shut the network down, or destroy the equipment that runs on it. Sound melodramatic? It isn't. The Stuxnet cyber attacks on centrifuges in the Iranian nuclear program resulted in the physical destruction of centrifuges. If Saudi Aramco can wake up and find 30,000 of its computers wiped, the same thing can happen to your bank or your power company. The "Shmoon" virus apparently didn't reach the control systems on the Saudi company's extraction and refining operations -- but only because the attackers couldn't get to those systems. In North America, many of our electric grids operating systems are exposed to the public Internet and therefore penetrable.

The plain truth is that the United States cannot defend the electronic systems that create much of our wealth and power. The government alone cannot fix this. Most of our networks are privately owned and operated. Even if government had the resources to strengthen and police these networks (it doesn't), we don't want the government living in the channels through which we conduct our business and private lives. Nor do we want the government mandating invariably rigid standards for industry. Unfortunately, however, much of our critical industry is not stepping up to the task.

Congress should learn a lesson and deal with cyber vulnerabilities one at a time and not in an omnibus bill that won't pass. Here's what it should do:

1. Require the owners and operators of a narrow class of critical infrastructure to promptly develop cyber security standards in a government-approved process. Standards should be flexible and regulatory layers should be rationalized. Failure to meet these standards after a reasonable interval should be made public.

2. Amend or repeal laws to enhance the role of private insurers in security standards. When shareholders rather than government bear risk, risk drops because businesses buy it down. That dynamic should be encouraged, not suppressed.

3. Protect companies from liability for sharing threat information with the government, with insurers, and among themselves. Companies often complain that the government doesn't share enough information with them -- especially classified information. But why don't companies improve security by sharing cyber threat information among themselves? The ostensible reason is fear of antitrust liability. The real reasons are potential damage to their brand and the belief that hoarding threat information creates competitive advantage. But the risk of brand damage can be avoided if sharing is restricted to threats, not damage; and it can't be true that all companies in an industry have a competitive advantage in security. Those that don't would improve their competitive position by sharing threat data. As a former antitrust prosecutor, I think the antitrust excuse is a red herring, but let's remove the excuse. It's easy to do, and cost free.

4. Encourage private investment in cyber security through favorable tax treatment. When Congress gets serious about an issue, its agenda shows up in the tax code.

We don't just store information on our "information" networks; we use them to run everything we do -- from the ventilation and security system in your office building, to the operation of the switches on Amtrak and big city subways, to the matching and clearing systems behind our securities exchanges, the governance of the electricity grid, controls over off-shore drilling rigs in the North Sea and the Gulf of Mexico, and local water treatment plants. Many of these systems are poorly protected. The vulnerability of our critical infrastructure is what permits a third-rate power like Iran to play jujitsu with a superpower. Let's not wait for a disaster to happen. A nation that permits this vulnerability to continue is a nation that has lost the will to defend itself.

Matt Cardy/Getty Images


It’s the Stimulus, Stupid

Why Obama won reelection when virtually every other incumbent in the West has been bounced from office.

It's been a rough couple of years for incumbents around the world. In May 2010, Britain's ruling Labour Party got walloped by the Conservatives, losing 91 seats while the Tories picked up 97; Prime Minister Gordon Brown gave way to David Cameron. In February 2011, Ireland's ruling Fianna Fail won barely 15 percent of the vote, and was replaced by a coalition of rival parties. In June, Portugal's Socialists were routed by the center-right Social Democrats. In November, Spain's People's Party crushed the ruling Socialists, winning the biggest parliamentary majority in 30 years. Earlier this year, Socialist Francois Hollande upended Nicolas Sarkozy in France. The leaders of Italy and Greece were forced out of office in favor of technocrats.

But yesterday, in case you missed it, Barack Obama not only beat Mitt Romney, but his party either held its own or picked up seats in the Senate.

It is hardly possible to overstate the tidal force of the global economic crisis on the politics of the West. Nearly every incumbent who ruled during this period has been ousted -- the left by the right, the right by the left. And, in most cases, the margins were of historic dimensions. Of course there were local factors: the utter contempt with which so many French voters had come to regard Sarkozy, the British weariness with Brown's grim visage. But it's hardly surprising that the worst economic crisis in 70 years brought down the men who presided over it. And whatever else may be said of Obama's re-election, we need to regard it in this extraordinary light.

Why did Obama win when all the others lost? First, of course, because he wasn't in office when the crisis began; polls have found that many Americans still blame George W. Bush for the recession. Obama also benefited from a weak opponent who stirred no passion, and had little appeal to new voters who had swelled the rolls since 2008. And the Democrats had a better ground game than the Republicans.

All true; and yet none of these factors fully account for Obama's success in overcoming such a powerful trend. The same forces that wreaked havoc across Western Europe led to massive job losses in America's industrial heartland. And yet it was just those states -- Michigan, Ohio, Wisconsin, Pennsylvania -- that ensured Obama's victory. The reason that happened is because job loss wasn't the final story: Thanks in part to actions taken by the administration, including both stimulus spending and the auto bailout, unemployment numbers steadily dropped, both in the industrial core and elsewhere. By the time the election was held, the economy had begun to recover, and more Americans thought the economy was improving than the other way around.

The United States chose a different path out of the recession than did most of its Western partners. The bond market left eurozone countries, especially weaker ones like Greece, Italy, Portugal, and Spain, little choice but to adopt austerity policies in order to shrink the deficit and attract investors. Those states have suffered negative growth. But England, which was under no such pressure, chose to make deep budgets cuts in order to restore fiscal balance. And the result has been that while the United States has returned to pre-crisis levels of growth, England's economic outlook remains "bleak," according to European Union forecasts, with 0.9 percent growth projected for 2013 after a 0.3 percent drop this year. (There are, of course, many other factors.) 

According to the Organization for Economic Co-operation and Development, the U.S. economy is expected to grow at a rate of about 2.5 percent this year while the eurozone will be virtually flat; and unemployment in America will run (as it typically does) 2 to 3 points below Europe. The harsh limits on government spending imposed by EU rules and bond investors was, of course, precisely the policy which Mitt Romney was urging on American voters. The numbers show how wrong he was.

Given the deep sense of disappointment over what Barack Obama could have been and was not, we need to remind ourselves how profoundly adverse was the situation which he inherited -- economically and politically -- and how much progress his administration has made in stabilizing the situation. And because that is true, Obama now has the chance, as other Western leaders do not, to pursue the goals he laid out when he first ran for office. As the economy continues to improve, and the effects of health-care reform begin to be felt, it's even possible that, as Obama has put it, "the fever will break," and he will enjoy the kind of broad public support which will make it difficult for Republicans in Congress to continue to obstruct him at every turn, as of course they will seek to do. The announcement of the death of hope and change may turn out to be premature.