Russian Hackers Targeted Critical U.S. Infrastructure — What Happens Now?

Last week, the U.S. Department of Homeland Security and the FBI announced that Russian hackers targeted and penetrated some of the country's most sensitive infrastructure including power, nuclear, water, and aviation networks. Joel Brenner wasn't surprised.

Joel Brenner, former inspector general of the National Security Agency and head of U.S. Counterintelligence in the Office of the Director of National Intelligence, and currently a senior research fellow at the MIT Center for International Studies, which tweets @mit_cis.

On the reveal by DHS and the FBI

What's new here is that the public is being told from high levels of government that this is as serious as some of us have been saying for quite some time. And it is very serious because our electric grid in particular, and frankly lots of our critical infrastructure — by which I mean the kinds of systems that make the whole country work, not just electric power, but chemical plants or railroad transportation — all of these things are penetrable. They're architecturally weak and easily penetrated and we've known that for quite a while.

On the insecurity of subcontractors

Lots and lots of penetrations of major networks come through the third parties they deal with — the vendors, the contractors. Let me give you an example: the Target breach some years ago, which shocked the public, was actually accomplished by importing malware through their heating ventilation and air conditioning subcontractor. If you're an attacker, you look for the easy place to find — what's the soft underbelly? And that's often not the actual target you're after, but somebody that they deal with on a regular basis and trust. And that's what the Russians have been doing.

... But even when you're looking at an individual company, not just a sector, you're talking about systems of systems. And those systems of systems are being used by individuals and very often, the people are the weakest part of that system. People click on stuff they shouldn't click on. My old friends at NSA used to say that the weakest link in any system was never the silicon-based unit on the desk, it was the carbon-based unit in the chair.

On if Russia could have turned off the lights in the U.S.

That's how I read it. I think that we are seeing what in military terms is called “preparation of the battle space.” In the old days, the military people talked about preparation of the battlefield — you pre-positioned tanks near the border, you moved ammunition up where you'd need it, you did some psychological operations in the territory you were going to attack, for example. Now they talk about the battle space because so much of it is electronic. And I think that what we saw here, was the pre-positioning of tools that could be used to bring down a particular network.

On how knowing Russians penetrated U.S. critical infrastructure now affects U.S. foreign policy

The existence of these vulnerabilities themselves conditions our exercise of national power. I'll give you an example: In 2014, when the bank JP Morgan was breached, initially it was thought that was a Russian attack. It wasn't, but that's what President Obama thought. And there's a piece in The New York Times in which Obama was quoted as asking his intelligence chiefs whether Putin was sending him a message. That is, was Putin telling Obama — this was when Ukraine was up in flames, not just smoldering — that if we, the United States, took more forceful action in Ukraine, that Putin was going to take down a major American bank?

Now that's something that the president would have to take into account when deciding how to exercise or whether to exercise our national power, including military power.

The existence of fundamental vulnerabilities in civilian control critical infrastructure does affect the White House's ability to pull the lever of international power ... The hostilities are taking place in the grey space, between war and peace. At the level that is carefully calibrated to be below the level of what the public calls “acts of war,” which are an armed attack in the parlance of international law. So we're seeing things that are hostile. They are expensive. They do hamper us, they hobble us, but they're not things that are going to lead to open warfare. That's the space in which Putin is playing and he plays his cards very well ...

There are some forms of power that are more effective before they are exercised than after they are exercised. Because after they are exercised once, you take response measures, you are at war, you are dealing with this. Right now, it is the mere existence of this possibility that could condition our response to Russian future provocations in Ukraine, in the Baltics, and elsewhere.

On how the U.S. is playing in the "grey space," like Stuxnet and WannaCry

[On Stuxnet] I am not going to confirm what's widely accepted that it was the United States and Israel did that. The public information about it certainly looks that way. I can't speak to it directly because I was in office at the time ...

It's a very important conversation that you're opening, which is: What happens when a cyber weapon, which might take only a few foreign intelligence services, once it's out there, it's like a cookbook recipe and a bunch of graduate students can do it, bunch of undergraduate students can do it. That's happening right now and I think that that really raises the question of wouldn't it be desirable if we had some international constraints on it.

On how to protect the critical infrastructure, when it's run by private sector businesses

The most frequent number I see is that something on the order of 85 percent of what we classify as critical infrastructure is privately owned. And in the United States the government cannot simply issue orders as to how people ought to run their businesses, and we don't want them to do that. So the question is, how do we move that sector or group of sectors toward a more secure posture?

The electric grid is for the most part regulated at the state level. The federal government regulates interstate transmission, but not the generation and delivery of electricity. So that we really are talking about, how could the federal government play a more active much more robust convening role with public utility commissioners at the state and territorial level? I would like to see that.

On taking critical infrastructure off the internet

I think that isolation of critical controls — limited number of critical controls in critical infrastructure — isolating them from the public internet is absolutely essential if we're going to become materially more secure ... We do see it in some places, for example in pipeline controls now. We see companies that have analog controls on pipeline pressure so that if the online, electronic, digital controls were to go haywire and intentionally run up the pressure in a line so that it would explode, you'd have an analog control that would override that.

... But by and large,  we've actually in some of these cases, we've had controls that were accessible through Bluetooth, so the guy in the truck didn't have to get out of a truck on a rainy day to check the device ... I've given an extreme example but ultimately, unless we are willing to pay some money and incur some inconvenience to isolate certain parts of our controls from the public internet, then we cannot become materially more safe.

On the cybersecurity recommendations he sent to the Trump Administration

We know that it was read and favorably reviewed and that as a result, the final [executive] order [13,800] that came out had a lot more to say about critical infrastructure than the previously public drafts that have been circulated, and perhaps we had some influence on that ... But what we haven't seen yet is evidence of much follow up. And it's been a year or nearly a year … and there have been quite a few cabinet-level commissions and so on ... but we haven't heard from them and I don't know what they're going to say.