Former DHS Secretary Michael Chertoff warned on Tuesday that changes wrought by the COVID global pandemic are exacerbating vulnerabilities in the global economy, including the risk of crippling cyber attacks on critical infrastructure like the electric grid.
COVID has enhanced countries’ reliance on the Internet and digital technologies, as governments and businesses have become “virtual” by necessity. But that has only highlighted the lack of coordination and cooperation between nations and critical industries, exposing the fragility of the global system and the need for greater resilience, Chertoff said.
Get started on your cybersecurity degree at American Military University.
He was speaking as part of a virtual event organized by Dragos, a cyber security firm. The event was moderated by the World Economic Forum’s Head of Centre for Cybersecurity, William Dixon, and featured Dmitri Alperovitch, the Executive Chairman at Silverado Policy Accelerator and Co-Founder and Former CTO at CrowdStrike and Annessa McKenzie, the Vice President of IT and CSO and power generator Calpine.
China, Russia Turn Up the Volume
Chertoff warned that hostile nations like Russia and China are increasingly relying on digital means to project power abroad. The two countries were engaging in more overt and aggressive actions online before COVID hit, Chertoff said, noting Russia’s increasingly bold use of cyber attacks to weaken Ukraine as well as Estonia and Georgia in recent years. The events of the past few months and fraying relationships with the U.S. and the West will only exacerbate that, he said.
China, especially, is “likely to turn up the volume” on its malicious cyber activity given the Trump administration’s hostility over that country’s response to COVID and efforts to reign in that China’s influence in global supply chains.
Lee, of Dragos, said that software vulnerabilities in critical infrastructure are nothing new. What has changed is the willingness of malicious actors like Russia, Iran and China to engage in “very aggressive actions” at a time when the appetite internationally to hold them to account has waned. (Check out my podcast interview with Dragos on the hacking groups targeting ICS.)
A Fragile World Order
Those growing tensions, compounded by the COVID pandemic, make clear how fragile that global system is, the experts agreed. Huge sectors of world economies are now more reliant than ever on the Internet to function. That makes the Internet and supporting critical infrastructure like electric power generation and distribution even more important as a foundation of economic well being, Chertoff said.
McKenzie, the CSO of Calpine, said that the pandemic may well promote positive changes such as more innovative thinking in industries, like the electric sector, that have long lagged in technology adoption. “We have an opportunity to leap frog, absolutely.” But those changes also usher in new risks. “Moving to the cloud offers opportunities, but also vulnerabilities,” she said. “The speed with which we get there opens us up to not do things with discipline…We need to be vigilant of that.”
Shared Technology, Shared Risk
Indeed, experts agreed that critical infrastructure sectors have benefitted from a form of “security through obscurity” in the past: with diverse software and hardware platforms requiring adversaries to customize their attacks and attack tools for each target organization.
A greater reliance on shared infrastructure like cloud computing platforms could make it easier to create tools and attacks that work across a broad swath of critical infrastructure sectors. “As we move toward cloud and homogenous infrastructure we’ve now created similarities between us,” McKenzie said.
“Using a common OS (operating system) and homogenous infrastructure is all correct from the profitability standpoint, but it allows for scalability of the trade craft,” said Lee of Dragos. “Attacks that would take a state actor three or four years to build are suddenly available to a non-state actor like a cyber criminal group.”
Ripple 20: Devastating to Critical Infrastructure
The recently disclosed Ripple 20 vulnerabilities in a ubiquitous TCP/IP software library are an example of how critical infrastructure firms are vulnerable to commodity software attacks.
Those flaws in a software library developed by the firm Treck more than 20 years ago, have spread silently to tens- or even hundreds of millions of devices over the decades. According to the Israeli firm that discovered the flaws, JSOF, the vulnerable library has been found in everything from printers to infusion pumps; to industrial control devices.
Dmitri Alperovitch of Silverado said the flaws are “devastating” to critical infrastructure because the software is widely distributed in ICS hardware from companies like Schneider Electric, but that many of those systems are not actively managed or – in some cases – can not be patched. “It’s next to impossible to patch these systems. Once they’re deployed, they’re never touched and don’t get updates – effectively (the flaws) are around for as long as the equipment is around.”
Lee of Dragos said that Ripple 20 highlights a long-standing problem in the industrial control sector: manufacturers of devices used in critical infrastructure have historically not paid close attention to “what is in their products.” That is changing – slowly – but Ripple 20 risks making a lingering problem related to vulnerable third party software acute.
In This Together?
The solution, according to the experts, is a recommitment to collective action and collective responsibility. “One thing the pandemic has underscored is that there is a set of challenges that cannot be handled at national or state level,” he said. “There is a global commons that we cannot wall off. We need collective action to secure them.”
With suspicions among and between nations greater than at any time since The Cold War, Chertoff called on the world’s powers to embrace the notion of shared destiny and shared prosperity. “If we want to have the benefits of a global economy and international connectivity and alternative supply chains, we need to go to our allies and rivals and say ‘look, there are some issues that we all have a stake in. If we fail, we all fail and we’ll all pay the price,” he said.