Nice to see that Richard Clarke agrees with me on the need for public disclosure and discussion on Grid vulnerabilities

Last Updated on Sunday, 1 November 2009 04:16 Written by Jeffreycarr Sunday, 1 November 2009 04:16

I’ve excerpted a few relevant sections from Clarke’s 28 Oct 2009 article at The National Interest “War from Cyberspace”:

No nation is as dependent on cyber systems and networks for the operation of its infrastructure, economy and military as the United States. Yet, few national governments have less control over what goes on in its cyberspace than Washington. And these major lapses in our defense present a threat we ignore at extremely high cost.

The possibility of an electric-power grid being hit by a cyber attack is less far-fetched than one might think. A CIA official has admitted that at least one blackout outside the United States was already caused by a cyber attack. An Energy Department laboratory determined that a cyber attack from the Internet could weave its way into the digital control system of a generator and cause the device to self-destruct. Officials have privately confirmed media accounts that logic bombs have already been placed in America’s power-grid control systems, presumably by foreign cyber warriors.

And this problem goes deeper still. The “critical infrastructure” of the transportation, finance, energy and communications sectors are owned and operated by nongovernmental entities, corporations that have proven highly resistant to regulation. The Federal Energy Regulatory Commission (FERC) issued new cybersecurity guidelines to U.S. power companies in January 2008, requiring greater separation of the operations systems from the public Internet. But it took two years for these rules to go into effect (they start in January 2010), and many critics do not believe that the FERC has the ability to audit compliance. The leaders of those corporations, when asked about cybersecurity, almost uniformly believe that they should fund as much corporate cybersecurity as is necessary to maintain profitability and no more. They will defend themselves against cyber crime. Defending them against a cyber war, they all concur, is the job of the government.

Note: I just put up a post about the FERC v NERC battle being waged in Committee hearings right now, and the bold text above is my emphasis added.

More from Clarke:

In the last year of his eight-year presidency, George W. Bush signed a national-security decision called PDD-54. That directive, still classified, ordered steps be taken to improve the security of the Department of Defense and other federal-government computer networks. Critics say it did almost nothing to address the weaknesses of the national infrastructure. President Obama launched a sixty-day review of cyber policy in March, but it resulted in no new major initiatives. He did announce the creation of a cybersecurity position within the staff of the National Security Council (NSC). But it has yet to be filled permanently. The new staffer will report not only to bosses in the NSC staff, but also to Director of the National Economic Council Lawrence Summers—who has vehemently criticized government cybersecurity efforts in the past as imposing costly burdens on U.S. companies, whose leaders supposedly know best what level and type of cybersecurity they need.

And some excellent policy questions that need to be asked:

Although President Obama may not yet know it, his freedom to maneuver in the world is likely already restricted by those vulnerabilities. Perhaps in a crisis, someone will tell him. Or maybe he will learn it by looking out the window at a darkened city after he has ordered a bombing raid on Iran, or sent a carrier battle group to protect Taiwan, or done something to irritate the Dear Leader of Pyongyang.

Maybe then he will ask policy questions such as: How does deterrence work in cyber war when our capabilities are secret and our weapons undemonstrated? Should we, because of our own vulnerabilities to cyber attack, initiate cyber-arms-limitation talks, instead of our current policy of opposing them? Can arms control work in cyberspace when verification is so difficult? Strategic defense was not possible in nuclear strategy, despite Ronald Reagan’s best efforts, but does that also apply to cyber war? Can public discussion, international norms and established lines of communication result in some sort of risk-reduction process to address the issues of crisis instability that seem to be inherent in cyber war? Are the generals and admirals at Cyber Command more thoughtful than SAC’s leaders were at the advent of the era of strategic nuclear war? We would like to think so, but in the absence of public-policy development, the American people cannot know the answer to that or to the many other questions that the possibility of cyber war raises. It is time for that public discussion.

Amen, brother. Amen.