With his soft voice and calm Midwestern demeanor, Director of National Intelligence Dan Coats doesn’t seem like a scary guy. But lately, Coats has been saying some pretty scary things, and not just about Russia’s Internet-based interference in US elections. Coats is warning that weaknesses in US cybersecurity could be setting us up for a high-tech replay of the devastating terror attacks of Sept. 11, 2001.
“It was in the months prior to September 2001 when, according to then-CIA Director George Tenet, the system was blinking red,” Coats said recently at a Washington, D.C., think tank. “And here we are nearly two decades later, and I’m here to say the warning lights are blinking red again.”
A host of corporate and academic cybersecurity experts say Coats has every reason to worry, and so do the rest of us.
“It’s very scary out there,” said Joel Brenner, a senior research fellow in international studies at the Massachusetts Institute of Technology and former inspector general of the US National Security Agency. “People have little idea how relentlessly our critical infrastructure as well as our government agencies are being attacked, around the clock.”
Coats says Russia is the worst offender, but it has plenty of company, including the US economic archrival China, and rogue states like Iran and North Korea. In addition, the terrorist Islamic State movement has become a sophisticated and dangerous online foe. On top of all that, there’s the threat of powerful criminal gangs that are using ransomware to extort millions of dollars by crippling computers in businesses, hospitals, and even law enforcement agencies.
Any one of these entities would pose a formidable menace. The United States must somehow prepare to cope with all of them as they target government agencies, businesses, and consumers.
In recent years, the federal government has suffered a series of devastating digital security lapses. In 2015, the federal Office of Personnel Management revealed that hackers, probably sponsored by China, had stolen the personnel records of 22 million current and former government employees — a treasure trove of data for foreign spies. And in 2016, a mysterious group called the Shadow Brokers published an array of hacking tools stolen from the National Security Agency, making these sophisticated tools available to spies and criminals worldwide.
The federal government will spend about $15 billion on cybersecurity-related activities this year, a 4 percent increase from the previous fiscal year, according to Taxpayers for Common Sense, a budget watchdog group. But updating federal cybersecurity is a massive undertaking. Indeed, the US Office of Management and Budget reported in May that of 96 federal agencies it studied, only 25 had implemented proper security policies.
“We’re still about nine and a half years behind where we ought to be,” said Gregory Touhill, a retired US Air Force general and president of Cyxtera Federal Group, which works with government agencies on data security issues. Touhill said many agencies use cybersecurity tools so obsolete, “we can take ’em out for a beer because they’re 22 years old.”
Millions of American businesses are just as vulnerable, including companies that operate the nation’s critical infrastructure — electric power, water, and aviation, for example. In March, the Department of Homeland Security said Russian hackers had worked their way inside the computer networks of a number of US companies that deliver these critical services. The attackers stole information, but they could have done something far more dangerous — like shutting down electrical power plants, as Russian attackers did in Ukraine in 2015 and 2016.
Scott Aaronson, vice president of security and preparedness for the Edison Electric Institute, a power utility trade group, said a nation like Russia wouldn’t mount a similar attack against the United States because it would lead to war. A terrorist organization like the Islamic State would do it, but lacks the know-how.
“But that’s true until it isn’t,” Aaronson said.
So electric utilities are spending large sums to harden their infrastructure, just in case. One key tactic is the reintroduction of manual controls for managing the power grid, to be used as backups in case hackers take over a utility’s computer systems. Also, since 2013, electrical utility executives have met regularly with each other and with federal officials to plan their responses to cyberattacks.
Other critical sectors of the economy have made similar arrangements. For instance, the United States and the UK run regular “war games” to test the capacity of major banks to resist massive online attacks aimed at stealing billions of dollars, or worse — crashing the entire global economy.
But even the millions of smart devices in our homes could be used as staging areas for a cyber-Pearl Harbor. In 2016, attackers seized control of thousands of Internet-connected consumer devices like digital video cameras and baby monitors. They then used this “botnet” of subverted devices to launch an assault against Dyn, a New Hampshire company that routes huge amounts of Internet traffic. The attack temporarily shuttered or crippled several of the world’s most popular Internet sites, including Twitter, CNN, Fox News, and Netflix.
That’s just a taste of what criminals or hostile governments could do as billions of digital consumer devices with weak security features are plugged into the burgeoning Internet of Things.
“When computers are embedded in everything, everything is vulnerable,” said Bruce Schneier, a fellow at Harvard University’s Berkman Klein Center for Internet & Society and author of a forthcoming book on network security, “Click Here To Kill Everybody.”
Schneier believes it’s only a matter of time before hackers cause fatal accidents by seizing control of Internet-connected cars, or kill people directly by causing malfunctions in Internet-connected medical devices like pacemakers. An enemy state or terrorist organization might manage to hack thousands of such devices, with catastrophic results.
There’s only one hope of preventing such a disaster, Schneier said — government-mandated standards for all Internet-connected devices, to ensure that they meet basic safety standards and can be easily upgraded to compensate for newly discovered security flaws.
“One hundred percent law and regulation,” Schneier said. “Nothing else will work.”Hiawatha Bray can be reached at firstname.lastname@example.org. Follow him on Twitter @GlobeTechLab.