The U.S. electrical grid could be hacked — and security experts want the Trump administration to make it a lot harder for attackers to turn off America’s lights.
MIT released a report Tuesday calling for an overhaul of infrastructure cybersecurity. The authors — led by Joel Brenner, senior research fellow at MIT and former head of U.S. counterintelligence — want the administration to take more effective action on securing critical systems we use every day.
Crucially, Brenner said, it’s important to move controls for transportation, the electricity grid and gas pipelines off public networks.
“A generation ago, these were all locked up in a room, and only the operating engineers could get into that room,” Brenner told CNNTech. “Today, because we wanted to manage geographically dispersed equipment more cheaply and efficiently, we’ve hooked up all the controls to the internet.”
Public networks are accessible to anyone: they are what most people use to watch movies, check email and tweet. Private networks are physically separate from the public internet, meaning that while they can also connect to common operating systems and websites, only select individuals can use them.
It’s much easier for hackers to take down the electric grid if it’s connected to a public network. While moving to private networks won’t make the grid completely unhackable, experts say it would drastically improve security.
In December 2015, a coordinated cyberattack on Ukraine’s electricity grid plunged hundreds of thousands of people into darkness, turning off everything from computers to call centers. The following year, another cyberattack on the state-run power provider in Kiev left people without power for 30 minutes.
U.S. presidents have called for improving infrastructure security for more than two decades. In 1990 President George H.W. Bush issued National Security Directive 42, in which he warned: “Telecommunications and information processing systems are highly susceptible to interception, unauthorized electronic access, and related forms of technical exploitation.” Fast forward to a 2013 executive order from President Obama: “The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.”
Yet the threats remain the same, Brenner said, with not enough done to prevent attacks. The 50-page report released Tuesday is meant to provide a roadmap for prevention.
The key point: For infrastructure to be protected against cyberattacks, companies and the government have to collaborate. The MIT report suggests incentivizing companies to mandate security upgrades, perhaps through tax breaks for improving security or by holding companies liable for damage to consumers caused by hacks.
By contrast, Brenner said, current efforts are short-term “whack-a-mole” solutions.
The Trump administration and Congress are considering what to do about cybersecurity threats. In January, a draft of the president’s cybersecurity executive order leaked, and President Trump is expected to sign an official order soon. On Tuesday, the Senate Committee on Energy and Natural Resources is holding a hearing to examine infrastructure threats and discuss ways to minimize the impact of hacks.
It’s a matter of when, not if, the U.S. will suffer a major attack, Brenner said. And we’ve already experienced a taste of large-scale hacks that disrupt business. For example, a 2016 attack took down major websites by turning consumers’ smart devices into an army of bots that attacked the Domain Name System (DNS) provider for companies including Netflix, Twitter and Reddit.
Even if lawmakers take MIT’s report under consideration, secure systems won’t come online overnight. Rather, the document is a five- to seven-year plan detailing further research, questions and solutions the U.S. government and private companies should tackle.
“We’ve been hearing for 25 years how important this is,” Brenner said. “And at the same time, we’ve been walking backwards on cybersecurity.”