In early September, Director of National Intelligence James Clapper said something to a House subcommittee on Intelligence about network security strategy that was frightening even by the standards of cyber security – which covers some inherently scary ground.
Clapper said that the next wave of electronic espionage may take the form of changing information, not stealing it or preventing access to it by denial-of-service or other types of malicious interference.
Think about it for a second: If, for instance, millions of IDs are stolen – from the government or business – the one (very skinny) silver lining is that sooner or later everybody knows that they are stolen, and corrective measures can be taken. If, however, the data in the record is changed in a way that benefits the criminal, foreign power or lone wolf without it being noticed…well, that’s a problem, and potentially a far more serious one.
Patrick Tucker, who wrote the piece at Defense One describing Clapper’s comments, identified critical infrastructure as one of the likely targets for such activities. He noted that Energy Department networks were infiltrated 159 times between 2010 and this year, according to information received by USA Today through a Freedom of Information request. And those are just the intrusions we know about.
The risk that attackers will infiltrate and wreak havoc on critical infrastructure is particularly acute because these networks were architected before the age of the Internet. Critical information was not segregated and treated more carefully than less important data. Planners had no idea that a hack could come from a remote location – or that a thumb drive could carry a virus and be easily introduced to the system. Even the linking of facilities via the Internet was not considered, simply because there was no Internet.
It is, of course, possible to retrofit security onto these existing but weak structures. However, retrofitting security is never quite as good as building it into structures from the ground up.
Thus, keeping critical infrastructure secure is a difficult task, especially where BYOD security is concerned. Aden Magee at Homeland Security describes an approach that is extremely nuanced. It includes, in his words, “sophisticated threat analysis and assessment methodologies.” The bottom line is to put yourself into the mindset of the hacker and figure out how he or she would try to infiltrate the organization. The government goes through this drill. It also prioritizes threats. It’s a complex game with lots of gray area.
The bottom line is that deep thinking – as well as good tools such as a Meraki Firewall – is necessary to protect critical infrastructure. The building blocks of many of these networks were put in place long before the nature of the threats became apparent; combined with the cleverness of hackers, that makes Clapper’s warning especially chilling.