Wednesday, August 23, 2017

DHS: NIAC Cyber Threat Report - August 2017

PDF LINK
#12,711


Although this blog is primarily focused on emerging infectious disease threats, community & individual preparedness comes second on the list of topics I cover. Every September I run a couple of dozen preparedness blogs for National Preparedness Month, and as a native Floridian, I give hurricane preparedness a fair amount of blog space as well.
While hurricanes, tornadoes, earthquakes, floods and even pandemics lead the list of `likely' major disasters, the one that keeps most emergency managers awake at night is a prolonged `grid down' event.
Short term power outages affect most of us each year, usually lasting anywhere from a few minutes to a couple of hours. Longer outages, while less common, are far from rare.  A few recent examples:
In 2013, in Dr. Lucy Jones: `Imagine America Without Los Angeles’, we looked at a plausible earthquake scenario that could leave millions of Southern California residents without power, water, internet, and sewer . . . not for weeks . . . but for months.

There are many other areas of the country that could suffer a similar fate, including Alaska,  the Pacific Northwest (see OSU: Pragmatic Action - Not Fatalism - In Order To Survive The `Big One’), New Madrid, or even South Carolina (see #NatlPrep: Half Of All Americans Need An Earthquake Plan).
While the damage might be relatively localized, a major earthquake could damage pipelines, power transmission lines, and other infrastructure that could affect a much larger area of the country. 
Then there's space weather (see USGS: Preparing The Nation For Severe Space Weather), which has the potential to take down an entire nation's electrical grid, damaging it to the point where it might take years to repair. Similar to a deliberate EMP attack, a `Carrington' level CME directed at Earth could seriously damage both our economy and our society.
As vulnerable as we are to natural disasters, our vulnerability to deliberate cyber attacks grows as we become increasingly dependent upon technology.
In 2015, Ted Koppel published a book called Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, that explores this very scenario, and we've revisited it a number of times over the past few years (see The Lloyd’s Business Blackout Scenario).
Despite years of dire warnings, our infrastructure remains cobbled together out of both old and new equipment, with many places still reliant on 80-year-old technology.
Every four years the ASCE (American Society of Civil Engineers) releases a report card on America’s infrastructure, and their most recent report (2017) warns that our cumulative GPA for infrastructure sits at only a D+, and two of our most vulnerable infrastructures are drinking water and the electrical grid (see When Our Modern Infrastructure Fails).
Some excerpts from that report:

From Energy, which they rate as a D+:
Overview

Much of the U.S. energy system predates the turn of the 21st century. Most electric transmission and distribution lines were constructed in the 1950s and 1960s with a 50-year life expectancy, and the more than 640,000 miles of high-voltage transmission lines in the lower 48 states’ power grids are at full capacity. Energy infrastructure is undergoing increased investment to ensure long-term capacity and sustainability; in 2015, 40% of additional power generation came from natural gas and renewable systems. Without greater attention to aging equipment, capacity bottlenecks, and increased demand, as well as increasing storm and climate impacts, Americans will likely experience longer and more frequent power interruptions.
Of course, it isn't just the electrical grid at risk: Think banking, communications, nuclear power plants, even the stock market.   A deliberate attack on any of these sectors could have an extreme impact.

It is against this backdrop that yesterday the President's National Infrastructure Advisory Council (NIAC) released a 45-page report addressing urgent cyber threats to our critical infrastructure, one that doesn't mince words. I've only included the executive summary and bullet points.

Follow the link to download the full report, and plan to read it before the lights go out.


SECURING CYBER ASSETS
Executive Summary: Imperative Takeaways
Our review of hundreds of studies and interviews with 38 cyber and industry experts revealed an echo chamber, loudly reverberating what needs to be done to secure critical U.S. infrastructure against aggressive and targeted cyber attacks. Cyber is the sole arena where private companies are the front line of defense in a nation-state attack on U.S. infrastructure. When a cyber attack can deliver the same damage or consequences as a kinetic attack, it requires national leadership and close coordination of our collective resources, capabilities, and authorities.

Our Assessment


The National Security Council (NSC) tasked the President’s National Infrastructure Advisory Council (NIAC) with examining how Federal authorities and capabilities can best be applied to support cybersecurity of high-risk assets. We reviewed a comprehensive dataset of more than 140 Federal capabilities and authorities, demonstrating impressive depth and complexity of Federal resources.


We believe the U.S. government and private sector collectively have the tremendous cyber capabilities and resources needed to defend critical private systems from aggressive cyber attacks—provided they are properly organized, harnessed, and focused. Today, we’re falling short.

Recommendations

The challenges the NIAC identified are well-known and reflected in study after study. There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber attack to organize effectively and take bold action. We call on the Administration to use this moment of foresight to take bold, decisive actions:
  • Establish SEPARATE, SECURE COMMUNICATIONS NETWORKS specifically designated for the most critical cyber networks, including “dark fiber” networks for critical control system traffic and reserved spectrum for backup communications during emergencies.
    ACTION REQUIRED BY: U.S. Department of Energy (DOE), U.S. Department of Homeland Security (DHS), Office of the Director of National Intelligence (ODNI), NSC, and the Strategic Infrastructure Coordinating Council (SICC) (Electricity, Financial Services, and Communications)
  • FACILITATE A PRIVATE-SECTOR-LED PILOT OF MACHINE-TO-MACHINE INFORMATION SHARING TECHNOLOGIES, led by the Electricity and Financial Services Sectors, to test public-private and company-to-company information sharing of cyber threats at network speed.
    ACTION REQUIRED BY: DOE, DHS, ODNI, NSC, and the SICC
  • Identify best-in-class SCANNING TOOLS AND ASSESSMENT PRACTICES, and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis.
    ACTION REQUIRED BY: NSC, DHS, and Congress
  • Strengthen the capabilities of TODAY’S CYBER WORKFORCE by sponsoring a public-private expert exchange program.
    ACTION REQUIRED BY: NSC, DHS, and Congress
  • Establish a set of LIMITED TIME, OUTCOME-BASED MARKET INCENTIVES that encourage owners and operators to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices.
    ACTION REQUIRED BY: DOE, DHS, ODNI, NSC, and the SICC
  • Streamline and significantly expedite the SECURITY CLEARANCE PROCESS for owners of the nation’s most critical cyber assets, and expedite the siting, availability, and access of Sensitive Compartmented Information Facilities (SCIFs) to ensure cleared owners and operators can access secure facilities within one hour of a major threat or incident.
    ACTION REQUIRED BY: DHS, ODNI, NSC, Federal Bureau of Investigation (FBI), Office of Personnel Management, and all agencies that issue/sponsor clearances
  • Establish clear protocols to RAPIDLY DECLASSIFY CYBER THREAT INFORMATION and proactively share it with owners and operators of critical infrastructure, whose actions may provide the nation’s front line of defense against major cyber attacks.
    ACTION REQUIRED BY: NSC, DHS, ODNI, FBI, and the Intelligence Community
  • PILOT AN OPERATIONAL TASK FORCE OF EXPERTS IN GOVERNMENT AND THE ELECTRICITY, FINANCE, AND COMMUNICATIONS INDUSTRIES—led by the executives who can direct priorities and marshal resources—to take decisive action on the nation’s top cyber needs with the speed and agility required by escalating cyber threats. (Explanatory chart on page 16)
    ACTION REQUIRED BY: DOE, DHS, ODNI, NSC, the SICC, the Department of Defense (DOD), Treasury, and Department of Justice (DOJ)
  • USE THE NATIONAL-LEVEL GRIDEX IV EXERCISE (NOVEMBER 2017) TO TEST the detailed execution of Federal authorities and capabilities during a cyber incident, and identify and assign agency-specific recommendations to coordinate and clarify the Federal Government’s unclear response actions.
    ACTION REQUIRED BY: DOE, DHS, ODNI, NSC, and the SICC
  • Establish an OPTIMUM CYBERSECURITY GOVERNANCE APPROACH to direct and coordinate the cyber defense of the nation, aligning resources and marshaling expertise from across Federal agencies.
    ACTION REQUIRED BY: DHS, ODNI, NSC, DOJ, and DOD
  • Task the National Security Advisor to review the recommendations included in this report and within six months CONVENE A MEETING OF SENIOR GOVERNMENT OFFICIALS to address barriers to implementation and identify immediate next steps to move forward.
    ACTION REQUIRED BY: National Security Advisor
The time to act is now. As a Nation, we need to move past simply studying our cybersecurity challenges and begin taking meaningful steps to improve our cybersecurity to prevent a major debilitating cyber attack.
Our Nation needs direction and leadership to dramatically reduce cyber risks. The NIAC stands ready to continue to support the President in this area.
         (Continue . . . .)


While there is not much the average citizen can do to mitigate these big ticket concerns, it is important that everyone realize that our infrastructure is vulnerable to a variety of threats, and that as communities and individuals, there is genuine value in being prepared.

So . . . if a disaster struck your region today, and the power went out, stores closed their doors, and water stopped flowing from your kitchen tap for the next 14  days  . . .  do you have: 

  • A battery operated NWS Emergency Radio to find out what was going on, and to get vital instructions from emergency officials?
  • A decent first-aid kit, so that you can treat injuries?
  • Enough non-perishable food and water on hand to feed and hydrate your family (including pets) for the duration?
  • A way to provide light (and in cold climates, heat) for your family without electricity?   And a way to cook?  And to do this safely?
  • A small supply of cash to use in case credit/debit machines are not working?
  • An emergency plan, including meeting places, emergency out-of-state contact numbers, a disaster buddy,  and in case you must evacuate, a bug-out bag?
  • Spare supply of essential prescription medicines that you or your family may need? 
If your answer is `no’, you have some work to do.  A good place to get started is by visiting Ready.gov.
While preparedness may seem like a lot of work, it really isn’t.  You don’t need an underground bunker, an armory, or 2 years' worth of dehydrated food.  But you do need the basics to carry on for a week or two, and a workable family (or business) emergency/disaster plan.
For more information on how to prepare, I would invite you to visit:
FEMA http://www.fema.gov/index.shtm
READY.GOV http://www.ready.gov/
AMERICAN RED CROSS http://www.redcross.org/