John Bumgarner is research director for secure technology at the US Cyber Consequences unit. Never heard of it? The unit was originally founded in January 2005 with a grant from the Department of Homeland Security. Its purpose was originally to look at the economics around cyber attacks – more specifically, how much various attacks would cost America if they occurred in certain critical industries.
That was in 2005. Now, the US Cyber Consequences Unit – which is independent of the government, and operates as a non-profit 501(c) think-tank – has expanded to look at other projects including vulnerabilities in supply chains; vulnerabilities in manufacturing and shipping architecture; drug markets; cyber conflicts; and political espionage. In addition to the Unit’s work in the US, it has also provided services to The Office of Cyber Security in the UK.
A Smarter Grid?
Part of the discussion at the World Cyber Research Summit in Belfast on March 16th was the impending threat of smart grids in the home. “We were talking about the threat against the average citizen from electrical attacks against their homes. The concept of a smart grid – or smart utilities, because this is about a transformation in all three major utilities: electrical, gas and water – will all be enabled with some type of smart technology.
“The issue with that”, Bumgarner continued, “is that in order to get the full benefit of those technologies, you have to extend it more into the home. So at an individual consumer level, you’re going to see more home area networks rise up in the next decade or two. Your washing machine and HVAC systems will be connected into a home network that would then connect into a larger architecture.”
Due to the lack of standards today, Bumgarner says this is both troublesome and problematic. “If you have 300,000 meters and they are affected by a worm, it requires an entire enterprise of utility workers to go out and replace them.”
This, explained Bumgarner, is “all about the economics associated with certain attacks and risk assessment”. One of the areas that the US Cyber Consequences Unit focuses on is “identifying attacks that haven’t occurred, or identifying pieces of equipment that could be modified to impact someone”.
This, he said, explains the importance of the supply chain. “If you could get in to manipulate some type of drug testing system, you could potentially cause a death, or you could potentially cause some type of damage to the corporation itself.”
A Mixed Bag
The US Cyber Consequences Unit is made up of more than just “cyber security professionals”, Bumgarner advised Infosecurity. “The organisation consists of economists, anthropologists, people that deal with culture, electrical market and military”. They “give many of the projects back to the government” for them to use to develop regulations and policies.
Passing on research to the private sector is a less straight-forward process, as the unit adheres to avoid presenting competitive and economic advantage to a corporation. “Sometimes we do give it to the private sector so they can develop new standards and learn to evaluate risks better. If we do a project on improving anti-virus, for example, we could do that same project for multiple countries and provide the research to help the entire industry.”
Cyber-Assisted Physical Attacks
Bumgarner spoke to Infosecurity about cyber-assisted physical attacks which he calls “very dangerous”. These attacks can cause significant economic loss to a targeted country, he warned. He referred to the Georgian attacks as an example. “When Russia launched the kinetic attack against Georgia, some of the first waves of cyber attacks targeted commanding control architecture for the Georgian government.” This, he said, was a cyber event which supported military operations.
“Let’s take the concept of a cyber-supported exercise or a cyber-assisted physical attack”, continued Bumgarner. “Let’s say Al-Qaeda had the capabilities to launch a cyber attack which could disrupt the 911/999 system in a major city, and then organise a bombing, a suicide bomb or some type of car bomb that would cause the response to that to be slowed”. The result, he said, would be catastrophic.
Having joined the government at 17, Bumgarner is no stranger to such terrifying scenarios. As a result of his lifetime in security, he says that “sleeping at night isn’t a problem at all”.
After 18 years in government, Bumgarner joined the private sector “to do security. Anything from deploying some of the first online banking projects in America, to looking at cell phone and voice over IP vulnerabilities, to looking at large scale credit card processing, to forensics”.
Different Cultures
His experiences in the government and private sectors were remarkably different. “In the government, there are some very strict guidelines around information security – a lot of standards and very stringent processes in place.” In contradiction, he said that “corporate America has a lot of processes in place, but not to the same level”.
The policies and procedures in the government sector “can create a lot of heartburn, because it limits how fast you can get technology deployed”. On the other hand, he said, you can deploy technology at a rapid pace in the private sector, “but if you deploy it too soon, and you’re an early adopter, it may expose your organisation to more security risks.” What is interesting, he concluded, is that “looking at the military, or the government itself, they rely heavily on the private sector for a lot of their critical services.”