“For instance, we used to talk about deterrence, but in the realm of cyber, there are few circumstances where deterrence is an effective policy. The biggest problem is you can’t tell where the cyber attack is coming from, unless the party wants to claim the attack. It is easy to spoof the source of the attack. So we can’t have retaliation as a response if we don’t know where attack is coming from.”
Borg says the public and private sector should focus instead on resilience and robustness.
“We need to engineer systems that are not so vulnerable to these attacks,” Borg said at the recent IAC Executive Leadership Conference in Williamsburg, Va.
“It is not just cybersecurity, but we need to think about how the systems themselves can be made less vulnerable.”
The Homeland Security Department created the U.S. Cyber Consequences Unit in 2004 to help critical infrastructure industries think about how to better secure their networks.
The unit is a non-profit research institute that provides assessments of the strategic and economic consequences of possible cyber attacks and cyber-assisted physical attacks.
Borg says it also communicates with industry to collect and analyze existing and potential threats.
“Many critical infrastructure industries didn’t want to tell the government about their vulnerabilities and what the financial consequences of cyber attacks would be,” he says.
Borg says because the nation’s critical infrastructure is the biggest target of attacks, there needs to be a coordinated approach to protecting networks and industries.
In addition to the unit, DHS runs the Critical Infrastructure Partnership Advisory Council, which provides place to discuss a broad spectrum of activities to support and coordinate critical infrastructure protection.
The government, through the Federal Energy Regulatory Commission and the North American Electric Reliability Corporation, also oversees the electrical and bulk power industries.
Borg says these and other oversight and coordinating councils need to usher in a change of thinking about protecting critical infrastructure.
“The Aurora demonstration at the Idaho National laboratory showed where you could destroy a large generator with a cyber attack,” Borg says.
“Someone could take out 20 — 40 — 60 generators at one time. Generators take a couple of years to replace because most parts made outside of the U.S. If you took out a lot of generators, it would take many, many months to get electric power going again.”
Borg says this demonstration should have been a wake up call to the industries and government about significant damage an attack could have on systems.
“Why if an enemy could do that, why bother with airplanes, missiles or troops?” he says.
“Why bother with conventional military if you can do that with a few dozen or at most a few hundred using cyber?”
Part of that change in thinking must be about the convergence of physical and logical security.
Borg says most physical security is dependent on computers and networks, while cybersecurity is vulnerable if someone could break into a plant and take over a computer or tap into a data cable.
“People doing cyber security need to think more about physical security because the two fields slowly are becoming one,” he says.
There is some recognition from Congress on the dangers a cyber attack could have on the nation’s critical infrastructure.
Rep. Jim Langevin (D-R.I.) held multiple hearings of the Homeland Security Subcommittee on cybersecurity, emerging threats and science and technology about the vulnerabilities of the bulk power system.
The House Energy and Commerce subcommittee on energy and air quality held a hearing about possible legislation to give FERC and NERC more oversight of bulk power systems cybersecurity.
The bill was not introduced, but likely will next session, a Hill aide says.