What you should know from the week of 11/05/21:
- Wastewater Regulations: ICS and security experts call for regulation of critical infrastructure;
- Strategic Intent: the newly-formed Office of the National Cyber Director in the White House issues its first Strategic Intent Statement;
- Chinese AI: Georgetown University conducts a detailed analysis of Chinese Military AI spending to track Chinese priorities;
- Appalachian Record: 'Nimblewill Nomad' becomes the oldest person to hike the Appalachian Trail.
Amid a heightened threat environment in which U.S. water infrastructure is increasingly vulnerable to cyberattacks, the time to set cybersecurity regulations--and provide funding for state, local, and private organizations to meet them--is now.
This week Selena Larson (an experienced intel analyst with a focus on ICS/OT security) and Lauren Zabierek (the Executive Director of the Belfer Center's Cyber Project) released an opinion piece on water and wastewater regulation.
They note that intrusions impacting water and wastewater systems are relatively common, and go on to observe that the frequency of these intrusions has not resulted in meaningful security improvements:
...former NPPD Undersecretary Suzanne Spaulding noted, “The purely voluntary approach [to cybersecurity] simply has not gotten us to where we need to be, despite decades of effort. Externalities have long justified regulation and mandates such as with pollution and highway safety."
Larson and Zabierek propose several recommendations:
- granting the EPA more authority over cybersecurity for water and wastewater entities (perhaps modeled on NERC CIP, which meshes with some recommendations I proposed previously),
- updating America's Water Infrastructure Act of 2018 to not merely require cybersecurity assessments but also fixes for issues found during those assessments,
- maintaining a resilient control system that can be run manually in emergencies,
- incorporating security tools and requiring detection and response plans.
While I agree with the majority of their proposal, I do disagree with some of the comments made by Larson and Zabierek:
As the Colonial Pipeline cyberattack and the spate of cyberattacks against hospitals and schools prove, threat actors increasingly target critical infrastructure seeking to disrupt those services or at the very least, instill fear in citizens in the United States that their governments cannot provide basic services.
Selena Larson is a thorough and experienced analyst with a sturdy understanding of attacks against critical infrastructure. However, I have not seen reporting suggesting that ransomware attacks against critical infrastructure (like the examples provided in the quote above) have been conducted by threat actors motivated by instilling fear in US citizens. (Lauren Zabierek is her co-author on the piece.)
In particular, in the case of Colonial Pipeline, the disruption to fuel distribution appears to have actually been caused by Colonial's own decision not to deliver fuel it could not bill for. So far, ransomware attacks against critical infrastructure have been financially motivated, and while there may be state interests underpinning these financially motivated crimes, it is a leap to suggest that the intrusions we have publicly observed are broadly focused on undermining public trust in the government.
While ransomware attacks on critical infrastructure are clearly bad for the US, other ICS security experts like Joe Slowik have challenged the assumption that ransomware attacks on critical infrastructure support the national interests of US adversaries.
The Office of the National Cyber Director (ONCD) is a recently created office within the executive branch, established by NDAA FY21 (the National Defense Authorization Act for Fiscal Year 2021) in response to recommendations from the Cyberspace Solarium Commission.
ONCD recently released a Strategic Intent Statement. I've broken out some key quotes and added inline commentary. Bottom line up front, though: ONCD's Strategic Intent Statement generally expresses a worthy desire to establish more corporate responsibility for security. However, the Intent is often overconfident, takes an idealistic, impractical, and voluntary approach to improvement, and appears to promote a future where end users have less control over the technology they use.
Every American should share in the full benefits of our digital ecosystem, including the economic prosperity it enables, the more responsive, responsible democracy and civic engagement it underpins, and the more vibrant and diverse culture it fuels.
This is a broad vision, and will be laudable but challenging to pursue.
It is easy to forget that cyberspace was originally built to enrich our lives. Digital connectivity is not some occasionally-destructive force of nature to be dispassionately tracked and mitigated, but a transformational tool to be wielded in furtherance of our highest ambitions.
This is very utopian, and will require systemic change. Transformational tools are powerful, and therefore have to be used and regulated responsibly to help guide outcomes that support national interests of liberty, freedom, and economic possibilities.
In this [proposed] world, Americans are free to be enriched, empowered, and enlivened by digital connectivity instead of burdened by it.
This appears to suggest more interactions with technology where users are unaware of the technologies at work (like when you drive your car and have no control over or understanding of the computers that make the car operate properly). Given the vision proposed here of technology enabling democracy and civic engagement, I don't think this is a good idea. It is critical that technology remain a tool of normal users; otherwise it will only be a tool of influence used by a few oligarchs.
Individual cyber hygiene is important and personally laudable, but systemically inadequate; just as individual households working to reduce their carbon footprints cannot alone address climate change, individual users of the internet working to improve their cybersecurity cannot alone realize systemic reform.
The US/World is not doing a tremendously great job on climate change; unfortunately this may be a grimly appropriate metaphor for the systemic change proposed here by ONCD: pushing a security-first mindset on development will likely require significant changes to liability laws, and will certainly require sea-changes in how law treats technology. This may be good, but may have profound unintended consequences.
Disparate private networks have aggregated into an indispensable public good – but stakeholdership and accountability remain diffuse and opaque. Too many individual Americans are paying the price when this ecosystem fails.
The use of "public good" language is very interesting and may presage a much stronger regulatory stance on technology. I've written more on technology and public goods back in June.
Too many systems are not designed with security in mind, relying on technology end users to keep us safe. It does not have to be this way; if every contributor to our digital ecosystem knew how their part fit into the sum of the whole, and how to contribute responsibly, we could begin building an ecosystem defined by aggregating stability and resilience instead of compounding risk.
Again, I'm not very comfortable with this language. First, efforts to improve security and resilience should not result in abstracting control away from end users. Instead, technology should be simplified to make it as controllable by users as possible--even at opportunity cost to companies.
Second, the language centered around company responsibility is very fuzzy, idealist, and voluntary: if more responsibly-deployed technology is predicated on companies understanding how they fit into the 'sum of the whole,' and the onus for that understanding is not explicitly placed on companies, the responsibility will fall back on the government or end users.
Achieving this vision will require cooperation across the many public, private, and international stakeholders in the ecosystem, and it will require coordination, so that these efforts are not operating at cross purposes but are instead mutually reinforcing.
This level of cooperation/coordination is extensive, and is beyond the purview of ONCD, an office within the executive branch of government.
First, and above all else, the ONCD will champion federal coherence across U.S. government in cyber policy, action, and doctrine. It will improve public-private collaboration to tackle cyber challenges across sectoral lines. It will align resources to aspirations by ensuring U.S. departments and agencies are resourcing and accounting for the execution of cyber initiatives, assets, and talent entrusted to their care, and considering all possible future such requirements. And it will push forward initiatives across all available avenues in order to increase present and future resilience, ensuring our workforce, technologies, and organizations are fit for purpose today and future-proofed for tomorrow.
The executive branch has exceptionally limited resourcing power. Congress, the legislative branch, has the 'power of the purse' that allocates resources. As a result, ONCD and the executive branch can't promise to "align resources to aspirations."
Researchers (Ryan Fedasiuk, Jennifer Melot, and Ben Murphy) at Georgetown University's Center for Security and Emerging Technology (CSET) produced a ~90-page report on the adoption of Artificial Intelligence by the Chinese military (the People's Liberation Army, or PLA).
This report offers a detailed look at the PLA’s adoption of AI by analyzing 343 AI-related equipment contracts, part of a broader sample of more than 66,000 procurement records published by PLA units and state-owned defense enterprises in 2020. The report identifies key AI defense industry suppliers, highlights gaps in U.S. export control policies, and contextualizes the PLA’s AI investments within China’s broader strategy to compete with the United States.
A few highlights:
Chinese and US AI spending are roughly equivalent
Comparisons between Chinese and U.S. military spending are inherently complicated...[h]owever [the PLA's] AI spending is likely on par with that of the U.S. military.
This is significant for two key reasons: First, Chinese military spending is still much lower than US military spending, so AI comprises a larger percentage of total Chinese military spending—suggesting a higher prioritization than in the US. Second, the Chinese military has been more efficient in its spending than the US has. As discussed in a previous WYSK, the Chinese are America's "pacing threat," and recently tested a hypersonic missile that shocked US officials who likened it to a "sputnik moment"—being a pacing threat at a lower level of spending demonstrates greater efficiency in military spending.
Weak US Export Controls
Of the 273 known AI equipment suppliers in our dataset, just 8 percent (22) face specific [export control] limitations set by the U.S. Departments of Commerce, Treasury, or Defense.
Additionally, where export controls did exist:
Some Chinese suppliers make a business out of sourcing foreign data or components and reselling them to sanctioned Chinese defense companies or PLA units.
The US needs to view AI as a critical area of state competition and actively seek to slow the development of our adversaries' capabilities.
Division over Lethal Autonomous Weapons Systems (LAWS)
The Chinese government has famously shown a Janus face to LAWS, publicly calling for a ban on such weapons while privately carving out a legal defense for their development...Some PLA officers appear legitimately disturbed by LAWS, and caution against a future characterized by smart weapons...Others in the PLA are more sanguine about AI’s utility on the battlefield.
CSET notes that Chinese researchers have responded to deployed LAWS (the ones I addressed in a July WYSK) with concern.
This is an item of concern for three main reasons: First, with more efficient spending the PLA may outpace the US (and our allies) in development of LAWS; Second, with a more pragmatic outlook on warfare and national interests, the PLA may have a higher drive to develop these weapons and normalize their use.
Third, just as Russia used Ukraine as a weapons test lab for cyber attacks, China may use Xinjiang or other internal Chinese territories as testbeds for LAWS—this is not merely morally objectionable, but would also complicate an international response to the use of such weapons due to lower levels of transparency as well as the complications of sovereignty issues.
Alright, this one isn't a major news story, but it's a fun read and this WYSK is already too long. Enjoy!
The man with flowing locks and an impressive beard actually hiked farther than most who traverse the 2,193-mile trail that runs between Georgia's Springer Mountain and Maine's Katahdin. He started his hike in February at his home in Flagg Mountain, Ala., adding hundreds of extra miles to the route.
Interest piqued? Disagree? Reach out to me at TwelveTablesBlog [at] protonmail.com with your thoughts.