As Carbon Black’s national security strategist, Eric O’Neill is a thought leader on a wide range of issues, including counter terrorism and national security matters. He is a practicing attorney who specializes in cyber-security vulnerability assessments, counterintelligence and counter terrorism operations, investigations into economic espionage, internal investigations and security risk assessment consulting.
O’Neill served as an operative for the FBI, where he conducted national security field operations against terrorists and foreign intelligence agents. His role in the investigation and capture of the most notorious spy in U.S. history, Robert Philip Hanssen, became the subject of Universal Studio’s movie Breach, released to critical acclaim in 2007.
Carbon Black’s editorial team asked O’ Neill a few questions in advance of 2017, specifically referencing cyber security as it relates to critical infrastructure:
Are cyber threats as potentially serious as physical threats, especially when it comes to critical infrastructure?
It’s quite possible that in 2017 a major cyber attack will occur in either the United States or another friendly country that will require a response equivalent to a kinetic attack. In other words, a cyber attack will occur that will be looked on as an act of war. To date, despite the fact that cyber attacks can easily surpass kinetic attacks in both scope, magnitude and damage (both in the short and long term) we have not addressed such cyber attacks, planned for them, or developed long and short term response policies.
What would such an attack look like?
Possibly a “lights out” scenario where a carefully orchestrated attack compromises a critical mass of our infrastructure components to such a degree that our power grid is overloaded or shut down for a significant period of time.
We are vulnerable because of the relative lack of security on the patchwork collection of power stations and networks that make up our energy grid. Not only have numerous red-team tests demonstrated that various critical buildings lack the physical security to defeat a infiltration or social engineering attack, the networks themselves are, for the most part, susceptible to a large number of known vulnerabilities due to poor patch management, operate on aged or retired operating systems and do not have the most recent technologies in endpoint security or defense securing them.
Moreover, the United States is one of a few “superpowers” that has not invested in a hardening of our critical infrastructure electrical grid. We are highly vulnerable to an Electromagnetic Pulse (EMP) attack – whether by a low-yield nuclear explosion, or solar flare.
I expect that the “mega security breach of the future” will be a combination of an attack with catastrophic intent in addition to a less obvious, passive attack. This attack will focus on our overwhelming reliance on data. Most of the value we place in business relies on the trust we place on the data that we receive and manipulate through various streams. If an attack were sophisticated enough to pair a catastrophic attack that shuts off power or the telecommunications grid with a passive attack that destroys the integrity and utilization of data, the cyber attack could impact the entire Western world.
Imagine the lights went out, cell phones failed and when the power came back on, our bank accounts, medical records and online e-store account information could not be trusted. There would be chaos.
The subtle and passive manipulation of data could also occur psychologically through fear of an attack. One example is the recent hacks of the DNC and John Podesta’s email, which then led voters to believe that our cyber infrastructure for voting is at risk.
Prior to the election, Carbon Black conducted a study of potential voters and assessed the fear that voting could be compromised by hackers. Despite the fact that the fear is ultimately unfounded, we found that up to 15 million people may not have voted because of fear the voting could be compromised by outside hackers.
Who should we fear the most when it comes to this type of attack?
The nations that hate us the most are our most critical enemies when it comes to cyber attacks. I would go so far as to say we are currently engaged in a cyber war with Iran and North Korea. It’s a war we are fighting on defense and losing. Both countries have made public statements seeking our demise, have strategic reasons to hate us, and have invested heavily in a cyber-attack infrastructure. North Korea, for example, might have an aged and rusted kinetic warfare machine, but has a large number of militarized hackers (as many as 6,000 reported) engaged in cyber attacks full time.
How should we focus on protecting critical infrastructure in the United States?
There are areas that don’t get the same amount of attention and concern over cyber attacks they require. Our transportation system is one such example. An airplane is essentially a large industrial machine, more complex with each generation. An airplane has become a corporate business center, incorporating connectivity, communication and access to the internet. If a single hacker were able to breach the security of an airplane and take control of it for even five minutes, perhaps sending it into a sharp nosedive to prove his point, the aviation industry would immediately ground entire fleets until they could assure that no other plane could be similarly compromised. Imagine a week or more with no planes traveling anywhere.