United States Homeland Security Director Kirstjen Nielsen's Sept. 5th comments that the risk from cyber threats to the U.S. is greater than the potential for a physical attack aren't an overstatement, said the leader of a cybersecurity research nonprofit.
Scott Borg, director and chief economist of the U.S. Cyber Consequences Unit, told Rob Ferrett on WPR's "Central Time" that a sophisticated cyber attack on the U.S. would be eclipsed in damage only by a nuclear attack. He stressed that while systems are generally secure now, any advancement by terrorist organizations poses significant risks for the nation's infrastructure systems.
This interview has been edited for brevity and clarity.
RF: I think a lot of people might think of a cyberattack as an abstract thing, but how could it manifest itself in such a serious way?
SB: Pretty much everything these days is run by computers. If you think of any industry that we depend on all the time — electricity, oil and gas, banking and railroads — it's all run by computers. A really sophisticated cyberattack would be like putting an enemy agent in charge of the computers that run all those things.
Imagine the damage you could do if you could control all the railroad switches and signals, direct the trains at any speed you wanted to crash into each other, arrange the crashes to take place on tunnels and bridges, control all the pressures and temperatures at an oil refinery. Pretty much all of these critical infrastructures could be physically destroyed by cyberattacks.
RF: Have we paid enough attention to security when computerizing these key infrastructures?
SB: Actually, the cybersecurity of our critical industries is pretty good, otherwise horrible things like the kind I just described would have already taken place. The problem is we are staying ahead of the attackers, but the margin here isn't all that great. If the attackers suddenly have a surge in creativity and increase their capabilities, or if the capabilities that are currently held by Russia and China and major nation states spread to terrorist organizations, suddenly that safety margin disappears altogether and we become just enormously vulnerable.
RF: Gen. David Petraeus co-wrote an op-ed saying we need a full-scale cyber force. What do you think of that?
SB: We have a military cyber force already. The proposal is to have a separate agency focused on cybersecurity. In principle, that's a very good idea. In fact, in principle, I think that should be a cabinet-level job and that should be an entirely separate major department of government.
In practice, I'm not sure if this is such a good idea because there's so little understanding on the part of politicians and senior people in Washington — so little understanding of cyberattacks.
RF: What should people know about the basic elements of cybersecurity issues?
SB: People, especially politicians, don't appreciate the full range of cyberattacks.
Some years ago, people thought a cyberattack was a mass disruption — a virus shutting down lots of servers. Now they seem to think a cyberattack is stealing personal account information. They're forgetting that any time you're interfering with the proper functioning of systems, that's a cyberattack. That means if you're falsifying IP addresses, if you're making it look like communications are coming from different sources than they are, if you're putting up false identities all over the place and often running them by bots, that's a cyberattack.
The Russians and the Chinese understand this. They're mounting coordinated cyber campaigns that are manipulating our media, manipulating global information flows and coordinating that with criminal cyberattacks all at once. America's mostly functioning like a blind man here, like someone with tunnel vision.
RF: One theme I keep reading about is that we have a talent or recruitment problem in bringing people into government with in-demand cybersecurity skills. Is that something you're seeing?
SB: Yes. People who get degrees in computer science often have never had a course in cybersecurity. They don't know about secure coding. They don't know how to produce software that has basic security features. So this is a real crisis. One of the things that would help is if we could just get the word out how much you're paid if you have a solid degree in computer science and a specialty in cybersecurity.
We really need people who are using this technology all the time to drive things forward because the politicians are mostly not up to it.
One of the big stumbling blocks here is that most politicians don't really know much about cybersecurity or information technology. An ordinary citizen comes home from work and they check their email if they haven't already checked it on their smartphone on the way home. They stream videos, they web surf, they manage their photographs, they know what a JPG is. They manage their music. They know what an MP3 is. Politicians generally don't know what a JPG or an MP3 is. Politicians generally don't even do their own email.
RF: What are you most concerned about in 2018?
SB: I'm most worried about the way the Russians and the Chinese are coordinating cyberattacks at a level that America is mostly oblivious to. Let me give an example. Russian-organized cyber crime is able to survive without being prosecuted or extradited because they keep the Russian government happy. One of the ways they do this is by coordinating their criminal cyberattacks with Russian foreign policy.
Even if an attack is an attempt to steal money using computers, if it's coming out of Russia or China or actually a number of other countries, it's part of a national agenda. America isn't even recognizing that this is going on. Nobody's talking about it.