The United States needs a ‘cyber-Sputnik’ incident to jumpstart the nation’s development of the cybersecurity analyst workforce and regulations it needs, according to a former military and intelligence official.
As a nation, the United States is dependent on its digital infrastructure. While this has created a higher standard of living and a more productive and connected society, it has also introduced a level of vulnerability to cyberattacks into the nation’s critical infrastructure, John M. (Mike) McConnell, senior executive advisor with Booz Allen Hamilton, told attendees at the American Petroleum Institute’s Ninth Annual Cybersecurity Conference in Houston. Disrupting this digital infrastructure and its capability to deliver water, food, money and electric power could cause strategic damage.
This is particularly true for the oil and gas industry, McConnell told Rigzone in an interview at the conference. McConnell, who has led development of Booz Allen Hamilton’s cyber and information assurance businesses, spent more than 40 years focused on foreign intelligence and international development issues, including nearly 30 years as a U.S. Navy intelligence officer. He also served for two years as the second Director of National Intelligence, a role created after 9/11 to bring together all aspects of the United States’ intelligence community, under the George W. Bush and Obama administrations.
The oil and gas industry’s exploration of Big Data to better predict business activity for greater efficiency, productivity and safety, and the age of the digital oilfield, with infrastructure such as programmable logic controllers for pumping and pipeline operations, place the industry at risk. “When we took advantage of the IT revolution, nobody thought about cybersecurity,” said McConnell. Today, a gap exists between old and new infrastructure – infrastructure with cybersecurity capability and infrastructure without it. Steps must now be taken to close this gap, said McConnell, and more skilled workers are needed to do so.
“The cybersecurity threat is bad and will continue to get worse,” McConnell told conference attendees at the event’s opening keynote on Nov. 11. Quoting a U.S. national security official as saying that there is no computer system on earth that cannot be penetrated, McConnell noted that there are two types of companies: those that have been penetrated by a cyberattack and know it, and those that have been penetrated but don’t know it.
To meet this growing threat, the United States needs to get serious about creating a workforce equipped not only with cyber skills, but with STEM [science, technology, engineering and mathematics] skills and an understanding of business dynamics, said McConnell, who estimates that the United States has only one-third of the cybersecurity professionals it actually needs.
When the Soviet Union launched Sputnik in 1957, it galvanized the United States to focus on developing its space exploration program. This included the passage of the National Defense Education Act in 1958, which sought to encourage the nation’s best and brightest to study science in school. In just over a decade, the United States was able to put a man on the moon. “When we make up our mind, we can do stuff,” McConnell told Rigzone.
Addressing cybersecurity threats is not as simple as a technology fix, McConnell noted. In McConnell’s and Booz Allen Hamilton’s experience assessing the cybersecurity readiness of companies, the deficiency in companies’ cybersecurity strategies is almost always people. “It’s not just about technology and processes, but people and policy. It’s not uncommon when we do an assessment that we may force them to realize that the skill sets and people they have don’t measure up,” said McConnell. In some cases, Booz Allen Hamilton has replaced half of a company’s security workforce because of a lack of formal worker training in cybersecurity.
In many cases, companies have not established a cybersecurity policy, or haven’t spent the time, money or resources to implement one, including deciding what types of controls to have or which workers should have access to certain assets. In the case of Booz Allen Hamilton, the company decided that security was important enough to have its chief information officer (CIO) report to the chief information security officer (CISO). Typically, the CISO reports to the CIO, and in many cases the CIO’s primary goal has been to keep systems running, not to address cybersecurity issues.
CORPORATE BOARDS, EXECS WAKING UP TO CYBERRISKS
Corporate boards of directors and C-suite executives are just now becoming sensitized to issues of corporate and personal responsibility associated with cyberthreats, such as breaches of customer data at retailers such as Target and Home Depot.
In the past, when security managers asked for more people and greater capabilities for detecting and addressing cyberthreats, executives said they didn’t want to invest the time and money and saw such efforts as a burden. Now, companies are realizing they are liable to lawsuits by consumers who are victims of data breaches, said McConnell. The fact that board members tend to be older and don’t have the same understanding or expectations of technology – such as access controls, two-factor authentication, encryption and remote access control over systems – may also have played a role in the lack of focus on cybersecurity. This is not universally true, but it is true in many cases.
“What I’ve found is that if no one is pushing it in your face, it’s easy to get distracted by other interests and priorities,” said McConnell. But data breaches at JP Morgan, Target and Home Depot have made cybersecurity ‘the wolf at the door.’
Cybercriminals are causing executives and board members of oil and gas companies to take notice of cybersecurity issues. But economic espionage by nation-states poses the bigger threat to U.S. industries such as oil and gas. The most aggressive of these nation-states is China, which is seeking technology and information in a bid to boost its national economy. Today, China conducts approximately 80 percent of the economic espionage taking place worldwide, McConnell said. With the exception of five nation-states – including the United States – all nation-states engage in economic espionage, but the problem is particularly acute with the Chinese.
With a population of 1.3 billion, China is a nation of educated people with a very low-wage base, said McConnell. China led the globe in terms of gross domestic product for 1,500 of the past 2,000 years. But in China’s view, they missed the Industrial Revolution and have had to live by rules set by the Allies following World War II. Now, the nation is seeking to catch up in terms of economic growth. To achieve this growth, China is seeking gain through economic espionage, obtaining technology from universities abroad and joint ventures.
The Chinese also have had ‘amazing success’ engaging in economic espionage – targeting technology, business plans, drilling rights, software and banking information – and finding ways to manufacture technology originating from the United States for less. McConnell cited one case of a U.S. defense technology company that went out of business after a Chinese defense company captured all of its research data in one day and was then able to make the technology at a lower cost. “There’s no major U.S. enterprise that the Chinese aren’t targeting,” said McConnell. “We’re creators and innovators, and they’re seeking our technology for their advantage.”
Despite this threat from China, McConnell believes that, in the long run, China should be a competitor and partner of the United States, not an adversary. “I don’t believe that the Chinese are inherently evil – they have their own interests and we have ours. We just have to work the politics to ensure our business interests and theirs are aligned.” China’s economic success in the long run also will improve the United States’ standard of living.
Still, this economic espionage could do strategic harm to the United States over the next five to 15 years if left unchecked, McConnell said.
What also concerns McConnell is the prospect of the tools that nation-states are building for economic espionage – tools that can be carried on a smartphone – falling into the hands of extremist groups seeking to do harm, such as blowing up a pumping station or destroying banking or transportation infrastructure.
“We’re losing valuable information and are at risk for harm at the extremist level,” said McConnell.
INFORMED DEBATE, DIALOGUE NEEDED FOR CYBERSECURITY LAWS
An informed debate and dialogue is needed to ensure that the right set of cybersecurity laws are passed and that they address the issue meaningfully. “Having been the nation’s codebreaker, I know how severe the problem is and the potential for strategic damage,” said McConnell. Without such a debate, the United States could end up having to overreact to a major incident at the last minute. “When you overreact to an emergency, you always introduce issues and problems that are unexpected.”
Even if the United States does not get its policy framework and laws exactly right through informed debate, it is still better for the country to shape the landscape, allow U.S. intelligence to share information with the private sector and let law enforcement take a different approach to investigating cybercrimes. “We need a machine-to-machine information exchange system and standards for infrastructure,” said McConnell.
Last year, 14 cybersecurity-related bills were introduced in the U.S. Congress; none of them got through. Currently, two bills addressing cybersecurity are before Congress. In the House of Representatives, the Rogers-Ruppersberger cybersecurity bill (H.R. 624) was reported out of the House Permanent Select Committee on Intelligence with a large bipartisan majority, but has not been brought to the floor. This bill is going nowhere and needs to move forward, said McConnell. H.R. 624 would require the U.S. intelligence community to share information about potential cyberthreats with the private sector in near-real time. It also would require private sector companies to share information with each other and to meet a certain standard of cyber preparedness that would protect them against frivolous lawsuits. The bill was passed last year, then passed again in 2014.
In July, the U.S. Senate Intelligence Committee approved a bill to encourage companies to exchange information with the government on hacking attempts and cybersecurity threats. Committee chairwoman Dianne Feinstein (D-Calif.) and committee vice chairman Saxby Chambliss (R-Ga.) authored the bill, which experts saw as the best chance for the current Congress to pass legislation to encourage cooperation between the U.S. government and private security companies to boost cyber defenses for critical industries, Reuters reported.
Congress has not made any progress in passing cybersecurity legislation because of debate over concerns raised by various interest groups, such as the erosion of privacy rights. Cybersecurity legislation also has faced resistance from the business community. The U.S. Chamber of Commerce reacted vociferously against a comprehensive cybersecurity bill proposed in 2012 by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine), even though the bill would have given companies access to information they didn’t have and liability protection against cyber-related lawsuits if they met a certain standard. McConnell said his and former Secretary of Homeland Security Michael Chertoff’s efforts to discuss the bill’s merits met with resistance from Chamber of Commerce staff, who said it was just another way to impose regulation on industry.
Industry’s reluctance to disclose breaches, because of the potential damage to reputation and loss of business, also has played a role in the delay in passing a comprehensive cybersecurity bill. Sen. Jay Rockefeller’s (D-W.Va.) Cybersecurity Act of 2013 would have required publicly traded companies to disclose breaches of data from cyberattacks to the U.S. Securities and Exchange Commission. That requirement was turned into a guideline after companies complained it created a burden for them.
“Right or wrong, there’s a view that any regulation is bad,” said McConnell. “Quite frankly, the truth is in the middle.”
Frustrated with the lack of progress on legislation, President Obama signed an executive order directing the National Institute of Standards and Technology (NIST) to create voluntary cybersecurity best practices for critical infrastructure companies. The resulting NIST framework is a good start and better than nothing, in McConnell’s view, but it is the lowest common denominator and needs to be more stringent.
Historically, the United States has been reluctant to maintain a standing intelligence network. Before the Cold War, the United States would build a spy network after a crisis arose, then disband it. That changed after World War II, when President Truman created the Central Intelligence Agency in 1947. In World War II, the United States enjoyed the strategic advantage of being able to read German military orders before the Nazi field commanders did, thanks to the Allies capturing information that allowed the Enigma code to be cracked. At first, the U.S. military didn’t want to read intelligence transmissions – saying it was ungentlemanly to read other people’s mail – but months after Pearl Harbor, it was breaking Japanese codes.
Despite having the tools to thwart the Soviet invasions of Hungary, Czechoslovakia and Afghanistan, the United States made no move to do so. McConnell said that the United States has the tools to block the strategic damage caused by economic espionage, and needs to use them if it is to remain competitive globally.