The 2016 election for president is in full swing as I can attest to personally from my vantage point here in scenic (if chilly) New Hampshire. Unfortunately, with the exception of tepid concerns about privacy and the CISA, there is little to no noise around the massive and growing threats to our cybersecurity. This isn’t new or surprising, but my hope did recently spring anew when current events showed how demonstrably insufficient our security is around even our most critical infrastructure. The candidates are mostly intelligent folk, I rationalized, so maybe they just needed a reminder that would bring this issue top of mind.

Enter December’s massive Ukrainian blackout, the first power outage to be attributed to a cyber-attack, followed later that month by an Associated Press investigative report highlighting how frighteningly vulnerable the U.S. power grid is to foreign hacks. Surely these were the types of red flags that warranted heavy discussion on the campaign trail.   

Sadly, to paraphrase candidate Trump, it looks like cybersecurity is a “low-energy” issue. People associate failings in security with the mainly annoying theft of credit card or private healthcare data.  Both of these are important, but even the courts have continued to rule that actual damage and pain are relatively low.  

In order to raise the energy level, we need to focus on the much larger ramifications of leaving our national infrastructure — specifically the grid that powers everything from our cellphones to our refrigerators to the internet — vulnerable to attack. If we do, then maybe the voters (and hence, the pandering pols) will understand why it’s important for us to spend more time addressing security. 

A brief timeline of hacking the grid:

Generating destruction: The Aurora Exercise, March 2007

In a 2007 experiment, an Idaho National Lab researcher posed as an attacker, accessed a network-connected generator (which had been installed for this test), and caused it to rattle and burn itself to pieces by simply opening and closing breakers out of sync. The experiment proved that if malicious actors could access the networks that these systems connect to, and could use a cyber-attack to control the machine, catastrophic and unrecoverable damage (generator destroyed in 3 minutes) could occur.

Fingerprints and finger pointing: Wall Street Journal, April 2009

In the spring of 2009, WSJ author Siobhan Gorman told of the weaknesses of the nation’s electrical grid, highlighting the presence of Chinese and Russian reconnaissance (among others) on our national power grid, indicating that these intruders had left behind software programs and tools that would make disabling power simpler, if they ever needed to.

NSA reports: “They’re here” in 2014

For those who pooh-poohed the WSJ article of 2009 as journalistic hyperbole, November of 2014 brought discomfiting confirmation in the person of NSA and Cyber Command head Admiral Mike Rogers, who told Congress, "There shouldn't be any doubt in our minds that there are nation states and groups out there that have the capability to do that, to shut down or stall our ability to operate our basic infrastructure, whether it is generating power across this nation, or moving water and fuel."  

All access attacking: AP’s yearlong study in 2015

With an eye to the developing crisis, AP performed a yearlong study in 2015, investigating specific attacks and general weaknesses.  It turns out that not only was Admiral Rogers correct, but that intruder capability had turned into activity. The AP arrived at a jarring conclusion: “About a dozen times in the last decade, sophisticated foreign hackers have gained enough remote access to control the operations networks that keep the lights on.” They also reported that investigators had seen indicators that a new player, Iran, likely had a role in one of the major attacks. 

A power struggle in Ukraine: Election year update

Enter 2016, and about a month before the first primary vote is cast, Ars Technica reports that “about half the homes in the Ivano-Frankivsk region of Ukraine” had lost power due to an infection by an older common malware package called “Black Energy”. Black Energy made systems inoperable and even erased the disks on some affected systems.  It was thought to have originated in Russia, but attribution is never very easy. The lights, though, were out, and the cause was a cyber-attack. 

The future going dark? A look ahead

Enough about the past and present. Sara Peters writes in Dark Reading about the recent ISACA study which shows that 84 percent of surveyed IT professionals expect to see critical infrastructure disrupted by a cyber-attack in 2016. ISACA is an organization of auditors and control-reviewers, and is not prone to hyperbole. So I think it fair to believe that this is likely a reasonable, or at least well-reasoned, prognostication.

So what are we waiting for? 

Almost ten years ago, we saw the potential for damage from these attacks, and five years ago we had evidence that reconnaissance was underway. Two years ago the NSA told us that we had been compromised, and last year we saw evidence that the compromise was pervasive and spreading. Just last month, in another country with a similarly aging infrastructure, people lost power, control, and probably confidence because their systems were co-opted and shown to be inferior to the challenges that attackers pose.

The world is clearly in a turbulent state. The rise of more aggressive nation states like Iran leveraging cyber-attacks and the increasingly sophisticated use of technology by terrorists make this not only a challenge for us to face over the next four years, but a problem we need to start addressing today. The leaders we elect to serve us in these times must be able to understand and articulate a strategy to protect us. None are talking about it now, and I don’t know if any of the current lot can. But we should be asking, and we must keep asking.

Cybersecurity is clearly a primary concern for our industries and our infrastructure. It is time to make it a primary issue for our candidates.

Danahy is CTO and co-founder of Barkly, a cybersecurity firm.