On May 22, 2018, it will have been 20 years to the day since President Bill Clinton issued PDD 63 (Presidential Decision Directive No. 63: Protecting America’s Critical Infrastructure). The PDD laid out a plan to protect critical sectors of the economy, such as telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private, by May 2003. You can read PDD 63 at https://fas.org/irp/offdocs/pdd/pdd-63.htm It is well worth taking the time to do so.
In the last couple of years of the 20th century, there was a lot of activity aimed at meeting the five-year deadline. There were plans issued by the government and individual sectors and the FS-ISAC (Financial Services Information Sharing and Analysis Center) was established and launched by Treasury Secretary Larry Summers in October 1999, in preparation for Y2K.As a co-founder of the FS-ISAC and a contributor to the Banking and Finance Sector: The National Strategy for Critical Infrastructure Protection, (March 2002) and the National Strategy to Secure Cyberspace (September 2002). Those heady days of progress were soon succeeded by 15 years of inaction as the plans of PDD 63 have languished. Yes, we have seen the formation of a number of ISACs at home and abroad, but the U.S. critical infrastructure has become more and more vulnerable as technology has advanced and we have become ever more dependent on the Internet for communications—and we have not kept up with our defenses. Shame on us!
Meanwhile our enemies and world competitors have advanced enormously. We have read about the Chinese and North Koreans mapping out the U.S. electricity grid, the Russians having taken down Ukraine’s grid, and now we read in the front-page article “U.S. Says Hacks Left Russia Able to Shut Utilities” by Nicole Perlroth and Davide E. Sanger in the March 16, 2018 edition of The New York Times, that we have evidence that the Russians have gained access to US power plants. That’s not at all surprising given how little we have done vis-à-vis the guidelines of PDD 63. There is a second article “How Hackers Lit a Fuse” by Nicole Perlroth and Clifford Krauss on the front page of the Business Day section of the same newspaper that describes cyberattacks on Saudi Arabia’s petrochemical industry that were intended to blow up facilities.
So, what can we do about it? In the short term, we really have no other choice than reverting back to prior technologies, which means paper ballots for voting and disconnecting (or “air gapping”) critical systems from the Internet wherever possible until we have the appropriate protective systems in place. Yes, it will cost a fair amount of money to do these things, but far less than the cost of being without power for months, or even years, and not trusting election results because of influencing voter views over social media and cyberattacking voting systems and electoral databases.
What else should you do? Well, for a start, you might read my book “Engineering Safe and Secure Software Systems” (Artech House, 2012). In the book, I describe what it takes to build software systems, which essentially run our entire National critical infrastructure, as well as practically everything else, that are both secure from cyberattacks and safe such that the systems will not harm humans or the environment. With the first death believed to have been caused by a self-driving car, managed by Uber, on March 17, 2018, we need to consider whether we are heading too quickly into our robotic and AI future. You can read about the car accident and some immediate consequences at http://www.latimes.com/business/autos/la-fi-hy-uber-self-driving-20180319-story.html For the record, I advocate emulation of railroad systems and railway infrastructures for autonomous road vehicles with dedicated lanes and centrally-controlled systems. I think that pursuing robotic cars that try to emulate human drivers is the wrong way to go, but it is one that will likely dominate over the next decade or two due to the power of car manufacturers. My preference, and I believe the ultimate approach, will be “street drones.” But more on that another time.
*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2018/05/14/securing-the-critical-infrastructure-two-lost-decades/