Richard Stiennon, Industry Analyst discusses Digital Pearl Harbor - Ep. 74
Richard joins us to discuss what cyber war looks like and how we can prepare for the proverbial "Digital Pearl Harbor".
Episode Table of Contents
- [01:16] Digital Pearl Harbor Being the Next Generation of Security Threat
- [06:33] A Course on Cyber Terrorism and Digital Pearl Harbor
- [11:12] Cascading Effects of Digital Pearl Harbor
- [16:19] Cybersecurity Talents Against Digital Pearl Harbor Threats
- About Our Guest
Digital Pearl Harbor Being the Next Generation of Security Threat
Arika: Welcome to To The Point Cyber Security. I am one of your hosts, Arika Pierce and joined by Eric Traxler, as always. Good morning! We have back with us a guest that was with us a couple of weeks ago, Richard Stiennon. How are you doing, Richard?
Richard: I’m doing great.
Arika: So Richard, you were on a couple of weeks ago. You're an industry analyst and an author, a writer, an overall expert. One of the things that we wanted to jump into this week is talking about, essentially, what's next in terms of security. And one of the examples I know we've talked about in some of our prep time was cyber Pearl Harbor.
Arika: We had Katie Arrington on the podcast a couple of weeks ago as well. We talked about how the next threat, it's really going to be a cyber threat, in terms of what's on the horizon. There's a lot going on right now in the world. We wanted to take a step back and get some of your thoughts in terms of just the environment that we're in now. What do you think we can do to better protect ourselves from nation-states and others?
Eric: And I think cyber Pearl Harbor typically refers to the disabling attack on critical infrastructure. I don't know that Pearl Harbor was a critical infrastructure attack.
Richard: It wasn't.
Eric: I don't know that I love the term. I understand what people are trying to convey though, Richard.
Digital Pearl Harbor Being an Encompassing Term
Richard: The Secretary of Defense of the U.S. started using that term, even though the term goes back to Richard Clarke and French Caldwell. Gartner talked about it a lot in 2000. Cyber Pearl Harbor became just an encompassing term for taking out the lights, and the emergency response networks, and shutting down a country.
Richard: I had to take an academic approach because I had written a book on cyber war called Surviving Cyber War back in 2010. It was actually my first book. And I'm an amateur military historian. I like reading classics of military history. I use a lot of illusions to military things.
Richard: And I realized, as I was writing it, especially since my publisher was selling it as a textbook, that it wouldn't be well received by the academic world, because they didn't know anything about the history and historiography, they call it.
Richard: So I went back to school, I got a masters in War In The Modern World. My master's thesis turned into my book, called There Will Be Cyber War.
Eric: There already has been.
Richard: That's the predominant response I get whenever people see the title of my book. I had to call it that because one of the professors at King's College, where I was going to school, had written a book called There Is No Cyber War.
Richard: You know, it was just an academic looking at it, using Clausewitzian definitions of warfare and the use of force, would say, "All that stuff that went on in Estonia, and the country of Georgia, that wasn't cyber war. That was something else." Because it didn't involve the use of force and killing people.
Defining What Digital Pearl Harbor Is
Richard: In a modern era, very few people other than academics understand that argument. I had to title it that. It's basically a history of all the state sponsored attacks. I had to have definitions that would set this in place. That's why I had to define what a cyber Pearl Harbor is. To me, cyber war is the use of computer network exploitation, or computer network attack, CNE and CNA, by military forces. That's cyber war.
Richard: If we catch the Pentagon shutting down command and control in Iran, that's cyber war. No question.
Eric: Whether combined with kinetic attacks?
Eric: I mean at least it's cyber attacks.
Richard: It's cyber attacks done by militaries. That's war-like stuff. They're just achieving their aims without having to fire missiles or put boots on the ground. So, to me, the cyber war would be defined by that. I think I predict that there will be a cyber battle. When it happens, it's going to be very disruptive to how militaries are structured.
Richard: A cyber battle will be some sort of incursion between networks and capable countries. What, there are only five, right? U.S., Israel, Russia, China, North Korea, maybe, and Iran.
Richard: So that's six. But they'll be engaged in some sort of conflict. There won't be a war. It'll be a conflict. It could be in the Taiwan straights. It could be in the South China Sea. It could be in Ukraine, which you can argue has already happened.
A Course on Cyber Terrorism and Digital Pearl Harbor
Richard: Where one military, gains an advantage and wins a battle because they took out the other's ability to communicate, or guide missiles, or get the intelligence, surveillance, and reconnaissance that they need.
Richard: To me, that would be most similar to a Pearl Harbor which was a surprise attack on the navy in Pearl Harbor at the outset of our World War Two. As opposed to the concept that somebody is going to shut off the lights in the United States, which would be a great terrorist act.
Richard: No question that terrorists would have a greater impact and cause more damage, and probably more loss of life than they would buy commandeering airplanes and flying them into office towers. And yet they never have. I had to teach a course on cyber terrorism and you really have to scrape the bottom of the barrel to find things that could be classified as cyber terrorism.
Richard: The Tamil tigers doing a DDoS on an embassy in Sri Lanka is about the best example anybody can come up with. That was from the '90s. Terrorists haven't figured out, other than for influence operations, they haven't figured out cyber terrorism.
Eric: Not yet. But it is easy. It's cost-effective. With globalization and the internet, it's easy. We have to send planes to wherever we need to go, or ships.
Eric: The keystrokes travel pretty quickly and pretty far.
Arika: How ready are we, in your opinion?
Richard: Not ready at all.
Eric: No. We have the most to lose, Arika, out of anybody out there.
Richard: Right. We're the most exposed.
Eric: The most industrialized, most connected economy in the world.
What Happens Without Infrastructure to Depend On
Richard: We totally depend on our infrastructure. Without it we would be in deep, deep trouble. Now mind you, I'm a firm believer that the people of the United States really pull together during a crisis. I don't predict, you know, complete disaster.
Richard: Even if they burn up all the transformers, as some people predict, and some of those take a year to build in India to replace them, we'll still get by. Just like how did we react to the earthquakes and fires in San Francisco? San Francisco's doing fine.
Eric: I think it's a scale issue also. If you look at the NotPetya attacks from I think 2017, one, confirmed nation-state activity. Two, lost control. It was targeted at Ukraine, but Maersk was hit. FedEx was hit. I mean there were companies that were hit. $10 billion in damage. Arika, do you remember?
Eric: Do you remember being impacted at all? Maersk is the largest shipping company in the world. FedEx is clearly, I think, the largest shipper in the United States. Maybe the Postal Service has them beat by volume, but do you remember your Amazon boxes not getting to you on time?
Eric: I don't either. We accommodate. But at scale, imagine if shipping was shut down.
Arika: Everything was shut down.
Eric: For weeks. Or food, distribution, fuel. I was at a fuel pump this weekend, and for whatever reason, I was thinking about, "I wouldn't know where to get fuel if electricity wasn't running."
Eric: You just can't do that anymore.
What Will the Government Do During a Digital Pearl Harbor
Richard: During the ice storms we got ready for, I went out and filled my truck up so I'd have gas in the truck, bought a generator, and bought a five-gallon tank of gasoline. That'll last me 20 hours. That's all I got before I have to go stealing gasoline from the cars on the street.
Eric: So what does the government do, Richard? You see this is going to happen at some point. What do they do to help protect us? Who does it? Where's the emphasis here?
Richard: So there are regulatory bodies, NERC and FERC. One's the industry body, the other is the federal regulator. They're making progress. But when they first came out and said, "You know what? You have to have cyber controls." They asked all of the utilities in the U.S., about 3,000 of them to report all their critical facilities. You know, ones that could be damaged by a cyber attack. Their first response to this regulatory requirement was to say none of them were critical.
Richard: Power-generating stations, switching, transformer station, none of them.
Eric: Not that they were protected adequately, but that they weren't critical.
Richard: No, they weren’t critical, and therefore did not require the protections that the regulators were thinking about.
Richard: Those protections being, network security, endpoint security, regular security audits, all the things that we do in our IT infrastructure already. Because we learned our lesson, thanks to attacks that started in 1995. The power grid hadn't seen those, so they're just pulling a sack over their head, and saying, "See no evil, hear no evil."
Cascading Effects of Digital Pearl Harbor
Richard: But that's changed over the last six years. They've now reported, out of 10,000 facilities, I think they're up to about 2,000 are identified as critical. In other words, they might start protecting those 2,000 facilities. But there's 8,000 facilities that they didn't include, and we all know they're all connected. All you got to do is shut off one of the outliers, and it'll have cascading effects. As we learned in 2003, when the entire North blacked out.
Richard: It's a fragile system. We also know, thanks to Andy Greenberg's book, Sandworm, that they've already infiltrated the power grid networks here in the United States. The Russians, in particular. They're poking around, they're gathering intelligence, but they're using the same tools that they use to shut off power in Ukraine. For anybody in the security industry, this is just obvious. When it happens, we'll all get to say, "I told you so," which doesn't help save lives.
Eric: The kinetic world or physical world equivalent would be, they already have mines attached to the battleship's halls.
Richard: Right. That's perfect.
Eric: Probably the carriers too, which the Japanese missed during Pearl Harbor, but that could be a bigger problem in a cyber war.
Richard: You got it. What do we do? We need utilities and critical infrastructure, frankly to do their job. They are responsible for providing power and communications. They got some liability, but not very much, because the governments have granted a franchise to them to provide power. There's no competition It's a monopoly in each region.
Who’s Going to Blink First
Richard: Their prices are completely agreed upon with the local commissions. And they just say, "You know what? You're asking us to do all this security stuff. That's expensive. Therefore, let us raise the rates." And of course, government can't do that, because those are elected officials, and that would be hard.
Richard: So they just sit on their hands and do nothing. Who's going to blink first? Well, what's going to happen is they are going to lose power. They're going to be like PG&E in California. Although, those are necessarily cyber.
Eric: You keep referencing the fires, where they're shutting down the grid. It's either going down, or they're shutting it down to prevent additional fires. Then the people of the state are suffering greatly.
Richard: Don't forget the huge gas explosion in the Bay area.
Richard: They're going to go bankrupt, and they'll start over, because we still need them, in some form, but nobody actually went to jail or suffered a change in their livelihood. That's kind of what they're hoping. My solution is, remove the liability clauses. Right now, if a hospital loses power, and a bunch of people die or suffer in some way, the utility isn't responsible. You can't sue them. Because it's part of the deal. But if you go back and say, "You know what? If it can be proved that it was a cyberattack, now you are liable."
Richard: As soon as you do that, the people underwrite utilities with bond issues will reduce the amount, or whatever.
Richard: They won't be able to get funding for the things they do until they can demonstrate that they're secure in a cyber way. What will they do? They'll immediately invest hundreds of millions of dollars in the technology they need to prove that it wasn't a cyber issue. There's always a squirrel.
Eric: Right. Not actually address the issue.
Richard: They won't address the issue. That leads to maybe a government agency should be doing that cyber monitoring for them.
Eric: So who should be responsible? SISA, NERC, FERC?
Richard: All of the above.
Eric: You can't have all of the above. I don't think it works.
Richard: That's why we have cyber coordinators. There should be some coordination. Somebody identified as responsible, and give them the leadership and funding that they need to make it happen.
Eric: In the last couple minutes we have here, I want to switch gears slightly on this one. We had Katie Arrington a couple of weeks ago. She talked about CMMC, the Cyber Maturity Model Certification, where third party auditors are going to look at DIB (Defense Industrial Base) suppliers, and accredit them essentially for different levels of security.
Eric: First time I'd heard anybody talk about actually really helping move the needle in a major way in the cybersecurity world. Could we not just do something similar for the power companies?
Richard: I wonder, because power companies don't have the staff to understand what's needed, or to even formulate it.
Cybersecurity Talents Against Digital Pearl Harbor Threats
Eric: But nor do DIB suppliers. But the DOD is saying, Katie is saying, "Hey, if you want to do business with us, pony up. Now, we'll provide some funding for this capability." So if the government provided funding, which allowed them to hire, and I know we've got a cybersecurity talent shortage also we've got to address.
Eric: But if we had third party auditors accrediting them so they can get risk insurance, or we could deal with risk at least. At least say, "Hey, I was level three. I did everything I thought I needed to do." If the government is providing some funding to enable them to do this, is that potentially an answer?
Richard: If it's prescriptive enough. So look at PCI, right? Which is the only thing I can think of that's similar. Where the payment card industry said, "You know what? Do these 10 things, or else you can't be a merchant." And people started to do them. That didn't stop Target or any of the major breaches. All those were PCI compliant companies. But it set a low bar anyway, which is much better than what we have today in public utilities.
Eric: Well Katie argued for the ISO compliance requirements around manufacturing and we have less workforce issues, because people are wearing safety goggles, or there are safety controls in place at least. It's something. It's getting us, it's moving that needle in mass.
Eric: You didn't like the ISO compliance requirements?
Safety and Shop Floor Stuff
Richard: Well maybe for safety and shop floor staff, and quality. For sure, ISO 9000 did something for quality. But ISO 27000 for security would not get us very far. Doesn't move the needle at all. It's all just document stuff, and then you're good.
Eric: Okay. So I think she was talking more about using that as taking the NIST requirement and enforcing them. Third-party auditors, and making the environment a safer, more secure place.
Richard: Oh, we're going to need another show.
Arika: Well thank you, Richard. I think you've given us a lot to think about. I was trying to find some optimism at the end of the rainbow. So maybe the next time you join us, we can start it off on a little bit of a higher note.
Richard: We'll try. Because, believe it or not, I am an optimist. So, I'll leave it at that.
Arika: Well it sounds like it's going to get more challenging before it gets a little bit better.
Arika: So thank you again Richard for joining us again on the podcast. Thank you to all our listeners for tuning in each week. Continue to join us every week here on To The Point Cybersecurity. Thanks, guys.
About Our Guest
Richard Stiennon, security expert and industry analyst, is known for shaking up the industry and providing actionable guidance to vendors and end users. He recently relaunched the security blog ThreatChaos.com and is the founder of IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors. He was Chief Marketing Officer for Fortinet, Inc. the leading UTM vendor. Prior to that he was VP Threat Research at Webroot Software.
Before Webroot, Mr. Stiennon was VP Research at Gartner Inc. where he covered security topics including firewalls, intrusion detection, intrusion prevention, security consulting, and managed security services for the Security and Privacy group. He is a holder of Gartner's Thought Leadership award and was named "One of the 50 most powerful people in Networking" by NetworkWorld Magazine.
Mr. Stiennon has presented in 26 countries on six continents his speaking engagements have included:
- DIC 4th Annual Technology Conference.
- Gartner symposia in Orlando, Denver, San Diego, San Francisco, Washington DC, Cannes, Tokyo, Mexico City, Sao Palo, and Tel Aviv.
- Lectures at University of Wisconsin, University of Colorado.
- CIO Seminars in Mexico City, Bogota, China, Singapore, Australia, New York, Boston, Las Vegas, The Pentagon, Anchorage, , Honolulu, UK, Germany, Spain, Italy, Turkey, France, and Sweden.
- Recent Advances in IDS, Case Western University.
Mr. Stiennon has written for Network World (IDG) and CIO Update (Jupiter Media) His blog was hosted by CNet for two years and is still published by Network World.
Mr. Stiennon earned a B. S. in Aerospace Engineering from the University of Michigan. He holds two patents.