Service members and civilians conduct simulated cyberattack scenarios during Cyber Guard 2015

commentary

(Inside Sources)

February 29, 2016

In Greater Alignment: Public and Policymakers on Cyber

Service members and civilians conduct simulated cyberattack scenarios during Cyber Guard 2015

Photo by Marvin Lynchard/DoD

by Michael A. Brown

For the first time, Gallup included cyberterrorism in its annual survey of Americans' feelings about critical threats to U.S. interests over the next 10 years. Nearly three-quarters of respondents, 73 percent, said they felt cyberterrorism was a critical threat, behind only international terrorism and the threat that Iran might acquire nuclear weapons, but ahead of infectious diseases and the conflict in Syria. Issued early this month, the survey results come amid a flurry of activity on the issue on Capitol Hill and at the White House.

In recent years, Americans have had their emails read, bank accounts compromised, and sensitive background histories stolen. Airline reservation systems have been remotely accessed. Law enforcement and intelligence officials — and their families — are endangered by hackers' revelation of home addresses and personal information. Just recently, Hollywood Presbyterian Hospital paid hackers $17,000 in ransom to regain control of its data. And the list of actions continues.

While the full effect of such exploits is debatable, some experts see these as precursors of a coming cyber 9/11 that will cross over into the physical domain. The scattered events Americans are witnessing now could be mere scene-setters, this line of thinking goes, just like the attacks on U.S. assets abroad that presaged the 9/11 tragedy.

CIA Director John Brennan said during an interview recently with CBS's “60 Minutes” that the “cyber environment is one that really is the thing that keeps me up at night.” Apparently he is not alone.

The Gallup poll doesn't indicate if America's concern about cyberterrorism is on the rise or not, since the question was never asked before, but it does signal concern about cybersecurity at a time the administration and Congress are stepping up their engagement on the issue.

In widely publicized testimony before Congress on Feb. 9, Director of National Intelligence James Clapper presented lawmakers with the Worldwide Threat Assessment of the U.S. Intelligence Community (PDF), which emphasizes that “devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and U.S. government systems.”

On the same day, the White House released the president's Cybersecurity National Action Plan to address “one of the most important challenges we face as a nation.” The plan envisions the creation of a new Commission on Enhancing National Cybersecurity, billions of dollars to modernize federal government IT systems, and initiatives to encourage private citizens to become better stewards of their own online security. When the president unveiled his 2017 budget blueprint, the $19 billion earmark for cybersecurity was one of the few not immediately dismissed on Capitol Hill.

President Obama's new plan comes on the heels of December passage of the Cybersecurity Act of 2015, which allows greater sharing of information between public and private entities involved in cybersecurity. The most significant cybersecurity bill to come along in years, the measure was approved by bipartisan votes in both houses, including an overwhelming 93-0 vote in the Senate.

The action in Washington comes amid emerging evidence that state and non-state actors possess disruptive capabilities that are primed for exploitation.

Take for example a 2013 incident in which a group of Iranian hackers, possibly backed by the Iranian government, were able to remotely gain control of the tiny Bowman Avenue Dam in Rye Brook, N.Y. Nothing much happened and even if the breach had resulted in a total failure of the dam, its systemic impact would have been minimal. But, imagine, if those same hackers had instead somehow seized control of the Arthur R. Bowman Dam in Oregon, which at a height of 245-feet provides irrigation and flood protection for thousands of people.

Or imagine an attack that might allow adversaries to gain control of parts of the U.S. power grid, casting Americans into darkness, shutting down communications networks, stopping financial transactions and making transportation all but impossible. This is hardly something out of science fiction: Last year, 80,000 Ukrainians temporarily lost power when hackers remotely hijacked the controls of a pair of power companies.

Absent a bellwether disruption in the homeland that crosses from the cyber into the physical domain, policymakers could opt to shelve the issue to focus on other perceived pressing needs. Fortunately, this does not appear to be the case. It is increasingly clear now that U.S. officials, businesses and the public have a shared understanding about the risk of inaction.


Michael A. Brown is the Department of Homeland Security Fellow at the non-profit, non-partisan RAND Corp. He has master's degrees in security studies from the Center for Homeland Defense and Security at the Naval Postgraduate School, and in public administration from Rutgers University-Newark.

This commentary originally appeared on Inside Sources on February 29, 2016. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.