Ukraine’s power grid was recently hacked, constituting the second hack of this kind against a country’s critical infrastructure since Stuxnet’s attack against Iran’s nuclear program was discovered in 2010. Now the U.S. is thinking about its own critical infrastructure, and whether or not it may be vulnerable to these kinds of attacks from people who know a lot about the internet:
“Every bit of this is doable in the US grid,” stated Robert M. Lee, former Cyber Warfare Operations Officer for the US Air Force. Lee also cofounded Dragos Security, a security company dedicated to protecting the online systems of critical infrastructure.
But what is critical infrastructure? Critical infrastructure is a term that encompasses water plants, power-generation plants, oil refineries, and basically any system of high importance to the safety and functional operation of a country.
If you ask the U.S. government what critical infrastructure is, you’ll find that the term can be divided into sixteen different sectors, all of which are seen as important to the functioning of the country and therefore are vulnerable to hacker sabotage. The divisions include chemical, communications, commercial facilities, critical manufacturing, dams, defense industrial sector, emergency services response and recovery, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors and materials, transportation systems, and water and wastewater systems.
The government even considers the entertainment company Sony to be a facet of critical infrastructure, as was revealed after the 2014 Sony hack. This is because entertainment production studios actually fall into the same category as commercial facilities like hotels, amusement parks, convention centers and sports stadiums, meaning they’re protected in the government’s eyes. Of course, not everyone agrees with this perspective.
Paul Rosenzweig can be counted among the skeptics; he’s the former deputy assistant secretary for policy in the Department of Homeland Security. He wrote,
“This strikes me as faintly ludicrous,” after learning that Sony had protected status. “America will not collapse if Hollywood is dark. If everything is critical, then nothing truly is critical.”
Why does it even matter? Because whether or not something gets the label of critical infrastructure determines whether or not the government is committed to protecting it from cyber criminals. According to the president’s cybersecurity report of 2009, “The common defense of privately-owned critical infrastructures from armed attack or from physical intrusion or sabotage by foreign military forces or international terrorists is a core responsibility for the Federal government.”
The U.S. government takes this seriously enough that Barack Obama signed an executive order last year stating that the government could levy economic sanctions against individuals overseas who engage in harmful cyberattacks or commercial espionage, provided that the attacks exceed a certain threshold of damage and hurt the “national security, foreign policy, economic health or financial stability of the United States.”
Unfortunately, since most of the U.S.’s critical infrastructure is owned by private companies, the government cannot impose security measures on these industries. The only exception is when the government regulates the industry, as it does the financial, health and nuclear industries. Otherwise, all the government can do is recommend good practices and hope that we won’t be the next Ukraine.