Audio Link: Interview Featuring Dr Eric Cole | Cybersecurity and the Grid - Part 2

Dr Eric Cole served as the CTO at McAfee and chief scientist at Lockheed Martin Corporation. He is the author of a handful of books, including his forthcoming book, Online Danger: How to Protect Yourself and Your Loved Ones from the Evil Side of the Internet, which is due for release on February 20, 2018. Dr Cole graciously went into great detail about some of the hot-button tech issues that I believe everyone should be aware of. Below is a transcript for the interview I conducted with Dr Cole a few weeks ago. Owing to the length of the interview, this article is made into two parts. Click here for Part 1. This is part two of that interview.

Ben: What is your personal feeling regarding the P versus NP problem? Can you give a simple explanation to the laymen as to what this means? Additionally, an efficient and constructive solution to an NP-complete problem such as 3-SAT would have dire ramifications for various cryptosystems, including public-key encryption. Let’s say (hypothetically) that you wake up tomorrow to a phone call from the CIA that a solution has been found. What happens? Will people’s bank accounts be frozen or hacked? Would the ramifications be extreme enough to warrant writing a speculative technothriller about it?

Dr Cole: The easiest way I describe this to folks is: “P problems are easily solved by computers.” So something that you can easily give to a computer and it can solve. I mean, you could do something as simple as five plus three, right? And it can solve it pretty quick. NP problems are not easily solvable, but here’s the kicker: With NP problems, it’s not easily solvable; but, if you present a solution to a computer, it’s easy to verify whether it’s correct or not. So that’s really the key thing: that not only can P problems be easily solved and easily verified (NP problems can easily be solved), but they can easily be verified. So once a human comes up with a solution, then they can verify whether it’s correct.

Now, as you alluded in your question, this whole [thing] brings up the idea of cryptography and asymmetric encryption, ‘cause asymmetric encryption—where you have your two keys: public and private—are based on this intractable NP problem. So, yes, if there was a way that those could be broken and basically all of our crypto is now visible and sort of [like] from the movie Sneakers—like that was the whole premise there, that somebody figured out how to crack the NP problem—then basically everything we do, all of our transactions, and everything is now open up and vulnerable, and you say: “What would happen?”.

The part that scares me is I don’t think people really thought through that. I don’t think the government has a plan. I don’t think banks have a plan. I don’t think they really have [a] case there, so would banks shut down? Would transactions shut down? Will all those things shut down? Probably not, because I don’t think they really understand—or most people wouldn’t understand—what [the] real impact of that problem is. And, while it’s not a direct comparison, I sort of use the Equifax [hack] sort of as a pseudo-example, where nobody thought: What if everyone’s social security number was compromised? Because the whole way the US infrastructure and government and taxes and social security is based off the secrecy and protection of those social security numbers. So no one really thought: What if they all get compromised? And then Equifax happens, and now it’s like a month later and no one is talking about it anymore, and everyone is just like: “Oh, business as usual.” I’m, like, I'm raising my hand, “Hello?” My social security number—and most other Americans’ social security number—is out there and vulnerable. What are we going to do about this, right? This is a big problem.

And everyone—the government sort of ignoring and they’re worrying about passing laws and everything else—so I sort of scratch my head, going: “This is a big issue, the Equifax [hack], yet we sort of ignored it, and we’re going to have to deal with the consequences at some point, and I sort of put the crypto issue with the NP problems—sort of in that same barrel—that I think that, if it was broken, it would make a little bit of news. It would go away, and then people would just want to forget, but it would take some time to really understand the repercussions and ramifications of that happening.


Ben: The final question is a two-parter:

i) What is, in your estimation, the greatest risk to America in terms of a non-violent attack (in terms of scale and likeliness); that is, a cyberattack to America’s technological systems? I will include non-nuclear EMP devices.

ii) Is America actively doing anything to mitigate or eradicate this risk factor?

Dr Cole: I guess sort of what I struggle with there is the word ‘non-violent’, or are you saying the attack is non-violent or the results are non-violent? Because if you look at it, you could say somebody hacking in to the water supply, modifying the filtering system, and basically pumping poisonous water to everyone’s sink and everyone’s pipe in the country, the attack itself would be non-violent, but the results would be very, very violent and devastating in terms of that impact. So, I guess it’s—are we talking about things like stealing money that are non-violent and really doesn’t have a violent outcome?

Either way, I would say it is absolutely possible, but it’s not as easy as the movies make it seem. And, as I’ve started off my questions—and I’ll sort of finish the same way—every day, week, and month that passes, it’s becoming easier and easier, because we’re having more and more interconnectivity, and we’re relying a lot more on passwords. And in a lot of cases, those passwords are fairly weak in terms of how they work and operate.

So, it’s not something that’s trivial, and I don’t think it could be completely done only from the internet; you would need some physical access or some insiders if we’re talking about impacting water, electrical, or others, but we have seen cases—I think it was five or six years ago—where there were some updates done to the electrical system; and, if you remember, almost a—I think it was an eighth or a tenth of the country—and some of Canada went dark for four or five hours, but that was an inside job, right? That was somebody on the inside, so I definitely think these attacks for the next two to three years would require an insider cooperating with an agent; I don’t think it could purely, purely be done from the internet. And in terms of, “Is America actively doing anything to mitigate this?” Not a whole lot, and I sort of always say—and I used to say jokingly, but it’s not a joke; it’s serious—the person who cuts my hair has more licensing and regulation than people who do cybersecurity.

I mean, just think about that. Anybody could go and do cybersecurity. So for the bank, for Equifax, for any of those, anyone could basically be hired to be responsible for the security of a 100 million records, and there’s no licensing, there’s no oversight—there’s nothing. But if you want to cut people’s hair, you actually have to get licensing. You have regulation, and if you don’t, you can actually get fired and put in jail for illegally cutting somebody’s hair, but we don’t have any of that on the cybersecurity front, so I'm just sort of going: “Wait a second! You know, I mean, this is sort of way backwards there; so, no, I don’t think we’re doing enough—and not even close to enough—to just get better oversight, better laws, better regulations.

I mean, that’s the other thing: If somebody from another country broke in and did one of these devastating attacks, there’s not a lot we can do, because if they’re not on US soil, then US laws and regulations don’t abide, and we don’t have international laws. We don’t have an international law enforcement entity that, when these cybercrimes are committed, can really take action or do anything.

Now, this is one that I could spend an hour probably on each one of these questions, so I hope this was of value … Thank you so much.
