Nurturing a Culture of Security: Cyber Deterrence
- December 8, 2014
- 736 views
It is particularly interesting to see the word "deterrence" in relation to cyber security and this should be a primary goal although it must eventually be viewed as only a portion of a larger strategy.
One of the major differences in a cyber sense, particularly at a state level, is that cyber deterrence takes place largely in a defensive posture due to the extreme difficulty in determining positive attribution for a cyberattack. There is also a lack of authority and funding to provide for any real offensive attribution. This can make retaliation extremely difficult and even counterproductive. While any given cyberattack may appear to originate from a known and accessible computer, that device may have been commandeered by a truly guilty third party who actually controls it as part of a botnet. As such, any retribution on just the apparent perpetrator serves little purpose.
Richard Clarke, the earliest Cyberczar and theoretician, defined deterrence in its most basic form by noting that, " It induces adversarial restraint." (We'll revisit Clarke in more detail in a later article.) Both Clarke and I were exposed very early to deterrence in the military sense as it applied to nuclear warfare, where it mostly depended upon having a robust offensive capability.and a somewhat rational enemy. The most basic tenets included: 
1) You must have the means to inflict unacceptable losses upon the enemy.
2) The enemy must know you have that capability.
3) You must have the will to use it.
A cyber defensive posture can be partially adapted and rephrased to read:
1) You must develop a strong, all-parties cybersecurity program reaching every point in the value chain of those involved in grid operations; not just the cybersecurity departments.
2) You must constantly maintain and update that program as part of a overall culture of security much as TQM, Continuing Process Improvement, Kaizen or ISO 9000 inculcates organizations to look at quality in every detail of a business. 
3) The cyber adversary must know you have such a program and that you have invested considerable monetary and human resources into it.
On point 2, above, experts in the security field largely agree on the need for a cultural shift including former IBM Security Lead who is currently with INL, Andy Bochman, who noted the necessity for "an understanding of how security is a part of all business decisions" 
Point 3, above, will require a major change in the mindset of many utilities and must begin with a shift in their mindset that discussion of security is not a breach of security. Confidentiality is important but should not be used as a smokescreen to limit the flow of information vital to determining the status and level of spending required for a vibrant cybersecurity program. While The NARUC paper, Cybersecurity for State Regulators,  says little about creating a culture of security, it does go into some detail on the need for secrecy. But purposeful disclosure of certain information can be valuable as a deterrent to those who may seek to do us harm. Where legal and prudent, a deterrence strategy can also employ the age-old tactics of diversion, deception, distraction and disinformation.
Such a call for greater openness was made at the EnergyBiz March 3-4, 2014, Securing Power Conference speaker Admiral Michael McConnell (USN-ret.). As former Director of National Security and an acknowledged cyber expert, he cautioned that the concept of "need to know" embedded culturally from the WWII era, and cited as a useful policy in the NARUC document (at p. 11), works against us today. In terms of cybersecurity, it can inhibit the free flow of information required to deal with root problems. Admiral McConnell added there is also a need for federal legislation forcing government to provide certain information to the private sector. This latter point is a two way street I have had firsthand experience with some utility personnel using the smokescreen of security to stonewall certain information, which if provided in the right venue and context, might have served some deterrent purposes. In contrast to this attitude, in an interview with Anthony Earley, Chairman and CEO of Pacific Gas & Electric boldly and refreshingly stated: 
It's pretty clear from our discussions with the FBI and others and from our own assessment that it [the physical attack on Metcalf station transformers] was a planned attack. This was a very serious attack. The good news to take away from it was there were no customer outages even though Metcalf is a critical substation on our system. We're going to spend $100 million over the next four years on improving security. But the reality is that you cannot guarantee that someone is not going to be able to take out a substation.
Racheting up the ante even more, James Dimon, CEO of JP Morgan-Chase within months of their being hacked for information on upwards of 83,000,000 clients announced "it was likely to double it's spending on cybersecurity from $250 million annually in 2014." 
Whether it is $100 million over four years for a utility or $500 million annually for a financial services company, in both cases it does make a statement and may act as a partial deterrent. Whether that funding is going for cyber security as well as physical security in PG&E's case remains unknown, but it does offer some deterrent value. That is missing from the stonewall attitude and lack of statements by many utilities -- and possibly reflects on lack of commitment.
In spite of these open admissions and events, a troubling report indicates that: 
Global security budgets fell 4 per cent in 2014 compared with the year before, according to a survey of almost 10,000 executives and IT directors released yesterday.But the number of reported security incidents increased 48 percent to 42.8 million, the equivalent of almost 120,000 per day.'There is a misconception out there that the security spend is this colossal block..but it is really not. A lot of executives don't have that level of awareness.'
In a previous article on grid security (Energy Central, How a Rate Hike Can Threaten Grid Security, 10/20/14) I noted ". we need to think differently and use a "security lens" to examine every action and even the language we use if we are thinking of cyber deterrence and grid resilience." Unfortunately, we do not do this. In fact, there are some glaring and very public examples of anti-deterrence messages embodied in the language of overall energy goals for at least one state. It's official policy proudly trumpets it's aim is to attain energy that is "cheaper, cleaner and more reliable." What is this saying to our adversaries? To understand the subliminal message this gives, a lesson by former Yale professor, Dr. Albert E. Burke, is useful. Dr. Burke observed:
- All men, said Jefferson, have, among other unalienable rights, the right to life, liberty, and the pursuit of happiness..Who does not know that those words are. the most important thing in our Declaration of Independence? Everybody knows that.
- Well, if everybody does know that, everybody happens to be wrong. The most important thing about the Declaration of Independence is not what it says about man's unalienable rights, but the order in which those rights are listed.because Americans of the Twentieth Century do not understand the significance of Jefferson's order of things in Eighteenth Century America.
- What is that order? First came life: this means food in the stomach; the first of all things first. 
And so it is with the message such as "cheaper, cleaner, more reliable" as to what comes first. This oft-repeated mantra that so easily trips off the tongue by politicians and policy makers gives exactly the wrong message of what should be of highest importance to us --and that priority is not security. To be sure, cost must be a consideration, as should environmental excellence, but a secure energy supply is essential for life in today's world. If we are to create a culture of security with credible deterrence it must begin with adequate funding and with how we articulate our messages. Lack of either is to pay merely lip service to this end.
 Note: While every effort has been made to obtain a copy of the ~1964 edition of Air Force Manual 1-1, Basic Doctrine for attribution purposes herein, an extensive search has been unable to access this.
 The April 14th CT PURA document touches on this at the bottom of page 2 onto 3 where it states: "Cybersecurity is not an end state or single accomplishment, but rather, a process of continuous attention, vigilance and innovation."
 Jeff St. John. , GTM. Smart Grid Cybersecurity: Q&A With Andy Bochman. GTM. September 6, 2013.
 Keogh, Miles and Cody, Christina. NARUC/US DOE. February 2013.
 The Future of Energy - As PG&E Sees It. Anthony Earley as interviewed by Marty Rosenberg. Editor-in-chief, EnergyBiz. September 28, 2014.
 Glazer, Emily. Dimon Returns to the Stage. Wall Street Jurnal. October 12, 2014.
 Kuchler, Hannah. Security budgets slide despite 48% increase in cyber attacks. Financial Times. October 1, 2014.
 Burke, Dr. Albert E. Enough Good Men. The World Publishing Company. 1962. pp. 54-55.