The Criticality of Cyber
– the Public Safety Connection
© 2016 FrontLine Security (Vol 11, No 3)

Cyber is a Team Game. Cyber is pervasive. It is a common thread that runs throughout the national security portfolio, defence & foreign policy, public safety’s security strategy, and critical infrastructure protection mandates. These parallel initiatives ought to be harmonized, and cyber be coordinated as a horizontal theme at all levels-of-government (with one entity given primary accountability). Notwithstanding, one must consider that cyber infrastructure is owned and operated commercially and its innovation has principally been foreign-sourced and in response to the threat. It is therefore reasonable that ­government strategies necessarily include: tight collaboration with the private sector to be national, seek cooperation with allies to be relevant globally and be vigilant of our ­adversaries to be successful.

Cyberspace is a complex, hyper-connected, non-linear and chaotic system. Cyber is the nervous system that connects all critical infrastructure sectors. Rapid convergence has created a frictionless state between the Human terrain, the Network and Machines, evolving to the Internet-of-Everything, and yet interdependencies have created unprecedented risk among critical infrastructures (CI).

How Real is the Hype?
The media would have us believe that Cyber terrorists are posed to unleash a catastrophe that would send western civilization back to the stone-age, leaving us with zero “bars” in darkened rooms. Fear and ignorance sell papers and ratings, but is it all hype?

Certainly, our most vital systems (energy, transportation, finance and communications) depend on complex, inter-connected global networks. They’re fast, efficient and uniquely vulnerable to major failure or attack. System Crash, a documentary by Omni films, based on research by Bell Canada, went behind the scenes to look at how critical systems and infrastructures work – and how they can fail in spectacular and devastating ways from a CI attack, accident, or natural event.

A CI attack could come in the context of an emerging crisis in Russia/Ukraine, Japan-China-Senkaku Islands, or the Middle East  Dealing with a deliberate CI attack in the midst of another crisis would overwhelm most governments. Hostile actors could very well take advantage of a natural disaster or malfunction to launch a cyber offensive. The question is, whose responsibility is it then to defend Canada?  

“The responsibility for CI protection related to interdependencies risks rests with the Federal Government as the national guarantor of Peace, Order and Good Government. No other entity in Canada has the mandate or capacity to address the risks to national security and prosperity resulting from the obvious and alternately understated interdependencies that exist among the variously owned and regulated CI sectors,” was an industry response to Public Safety Canada.

In its Strategy and Action Plan for Critical Infrastructure, Public Safety Canada warns that “as the rate and severity of natural disasters increases, so does the possibility that disruptions of critical infrastructure could result in prolonged loss of essential services. The risks and vulnerabilities are heightened by the complex system of interdependencies among critical infrastructure, which can lead to cascading effects expanding across borders and sectors. The implications of these interdependencies are compounded by society’s increasing reliance on information technologies.”

Take a moment to consider the fact that the computational power and interconnectivity of the ‘Internet-of-Things’ will soon exceed that of the human brain. As such, we are entering a period of instability and risk within the system – where social media provides a frictionless state between the Human Terrain, the Network, and Internet-of-Everything, or where an internet meme can precipitate an Infrastructure Collapse that turns off all the lights in a city. Look no further than the Arab Spring, or in 2013, when the Syrian Electronic Army hacked Twitter accounts of The New York Times, Associated Press, and the Guardian, releasing a 140-character story of an attack on White House that caused a stock market plunge.

“The history of strategic surprise has been filled with the failure to predict future discrete events and, more importantly, a failure to detect the nature of emerging threats,” says Tom Quiggin, Senior Researcher at the Canadian Centre of Intelligence and Security Studies at Carleton University.

"Canada’s critical ­infrastructure consists of the physical and information technology facilities, networks, services, and assets essential to the health, safety, security, or economic well-being of Canadians, and the effective functioning of government. The real value is that of the transportation and transformation of information and control telemetry. Cyber-attacks have already had measurable adverse economic effects for Canada, totaling in the billions of dollars. The risks to critical infrastructure and infostructure are increasingly complex and frequent. The telecommunications sector is the nervous system that binds all other critical sectors and upon which other sectors are most dependent. More than $174 B in electronic funds traverse the network core every day. This figure eclipses the physical cross-border shipments of goods, which has garnered so much attention. A miniscule ­disruption in network-throughput results in a direct and measurable financial impact – a 2% loss of network performance is equivalent to Canada’s GNP."
(from the Study on the Analysis of Darknet Space for Predictive Indicators of Cyber Threat Activity – Communication Security)

Anecdotal Evidence
There are plenty of anecdotes of maleficent actors turning lights off in office buildings, remotely opening dams, hacking government servers, denying commercial business operations, interfering with air traffic control, and mounting clever bank heists.

The terrorist attack on the world trade centre on 9/11 took out vital communication hubs and trading centres, and affected the air travel industry ever since. But this was not by design. The terrorists had absolutely no clue as to the ramifications of slamming airplanes into big buildings for shock effect. They could not have even foreseen that the planes would have collapsed the towers.  

The 2003 Canada/U.S. blackout is a good example of how multiple threat vectors can ‘inadvertently’ combine to create perfect storm events in complex infrastructures. Offices were closed when the lights went out downtown, although many people continued to work remotely from alternative locations. The Blaster worm was introduced into enterprise systems through these insecure computers, causing widespread and pronged shut-downs. The worm also contributed to the cascading effect of the blackout – recursive effect. According to the U.S. Department of Energy's Idaho National Engineering and Environmental Laboratory, it degraded the performance of several communications lines linking key data centers used by utility companies to manage the power grid, most certainly affecting the timeliness of the flow-control and load-balancing data that's transmitted over public telecommunications networks also known as supervisory control and data acquisition (SCADA) systems. Although there is no evidence that malcode caused the blackout, the two events became entangled. The original Blaster was created after a Chinese hacking collective called Xfocus reverse engineered the original Microsoft patch. Subsequently a Romanian man was charged with of releasing a variant of the Blaster worm.

Russian and Chinese cyber-espionage has proved a persistent threat to Canadian CI, including the Public Sector. Flame, Shamoon, and Red October spyware have been labeled CI attacks, but in reality these have been targeted cyber espionage campaigns against CI owners rather than the critical infrastructure itself.

Indifference and passivity after repeated Chinese and Russian attacks against Canadian Institutions, military installations and infrastructures have invited more aggressive campaigns and transgressions. It can be argued that indecisiveness has contributed to the collapse of Canada’s Information Communication Technology (ICT) supply chain and, ironically, had led us to become more dependent on our rivals for critical technology.

The New York Times reported that Stuxnet was part of an operation dubbed ‘Olympic Games’ launched against the Iran nuclear weapons program. It affirmed what many suspected; that cyberwar is not a distant theoretical probability. Stuxnet was arguably one of the most sophisticated well-orchestrated targeted attacks.

Cyberspace advances asymmetric and irregular warfare. It is the means whereby a hactivist group, like Anonymous, can mount a successful Distributed Denial of Service (DDOS) assault against one of our Canadian sectors, despite the early warnings and indicators picked up in social media. But this does not require sophisticated understanding of the infrastructure.

Quantitative Evidence
There is incontrovertible documented evidence of a clear aggressive and sophisticated cyber threat, widespread attacks and measurable losses affecting all critical public and private sectors in Canada. Leading with a react-and-recover strategy is unaffordable.

As industry leaders once advised Public Safety Canada, “The current strategy reflects a willingness to wait for disaster to strike – and in so doing invite it.” Cyber threats have evolved from hackers, script kiddies and web defacements into crime cartels operating sophisticated robot network in tandem with hostile foreign intelligence services (HoIS). Attacks are becoming more bodacious, sophisticated, targeted, dangerous and undetectable by traditional means.

An Advanced Persistent Threat (APT) development called Operation High Roller used cyber-collection agents in order to collect PC and smart-phone information to raid bank accounts electronically. The attackers were operating from servers in Russia, Albania and China to carry out electronic fund transfers. According to McAfee, a variant could be re-engineered to target financial services infrastructure and attack the Automated Transfer Systems in Europe and new High Roller-based attacks aimed at manufacturing and import/export firms could target the Automated Clearing House infrastructure, which processes much of the world’s e-commerce transactions. The Iranian government was suspected to be behind the hack of the Root certificate authority Digi­Notar in 2011. In a more recent example, the Swift Payment System attacks have cost banks millions.

Similarly, more than 12% of Internet traffic, including that of 8,000 North American businesses, was deliberately redirected through China for what analysts suspect was a templating effort and a precursor to the targeted attacks against Canadian public and private sectors that followed soon thereafter.

A textbook pattern of unrestricted warfare in Estonia, Georgia, Syria, Iran and now the Ukraine looks something like:

  1. Deny the opposition forces or government their information communications technology (ICT) infrastructure;
  2. Jam the media and outside access to the Internet;
  3. Propagate malware through manufactured hactivism to hide advanced targeted cyber operations;
  4. Attack the confidence in the economy (financial systems);
  5. Launch a disinformation and influence campaign traditional and social media;
  6. Control the message and become the only source of news;
  7. Generate power blackouts where you are mounting operations; and
  8. Roll tanks down the main streets to ‘protect’ the population and ‘restore stability.’

Although these are not the wildly destructive infrastructure attacks we see from the movies, they do chart a path in that direction.

Since the emergence of the Internet and CIP was first discussed, there have been no recorded cases of a successful attack that deliberately caused a cascading unrecoverable state across multiple CIs. Why not?

"In this age, the mouse has proved mightier than the missile in its ability to deliver measured strategic real-world effects. The annual costs of cyber-attacks on Canada rivals the entire defence budget. The innovation cycle is driven by the threat and offensive doctrine. The vector of change will come out of traditional cyber domains. We do not yet have a winning strategy." –  Cyber 2016, Dave McMahon

The Challenge of Complexity
Critical Infrastructures are vastly complex beasts. As way of analogy, tic-tac-toe is a solved game, chess can be mastered with a super-computer, but poker represents a nearly unsolvable game owing to computationally-heavy probabilities, practically infinite possibilities, and human interaction. Gaming the attack and defence of CIs is even more complex, and cannot be done with a working group. You are not going to be able to avoid the theoretical mathematics or big-data processing.

To understand real threats and risks to Canadian critical infrastructures one needs a grasp of: complex systems, chaos and gaming theory. You will also need comprehensive pragmatic experience in CI (energy sectors, telecommunications, financial, and others), presumably from a cross-domain team of experts, access to telemetry & metrics, and a super-computing grid.

Complex systems are described in high-fidelity modeling, technology, processes, and social networking. The relationships between parts give rise to the collective behaviours of a system and its interaction with the larger ecosystem. The equations that model these systems are derived from statistical physics, information chaos theory and non-linear dynamics, and represent unpredictable behaviors of natural systems that are fundamentally complex.

The key problems of CI are the challenge with their formal modeling and simulation. Since all complex systems have many interconnected components, the socio-technological network sciences are critical to the study of CI.

Game theory involves strategic-listening and decision-making, building mathematical models of conflict and cooperation between intelligent entities in contested space.

Cyber Critical Infrastructure Interdependencies by Bell Canada and the RAND Corporation in 2006-2007 quantitatively measured interdependency risk, contagion and multi-order effects between Canadian CIs using network communication flows, and supply chain econometrics. The findings were contrasted with qualitative risk assessment gained through extensive interviews of stakeholders. There was found to be a profound perceptive gap between common beliefs about threat-risk and evidence. “You cannot manage what you don’t measure,” was the conclusion.

Similarly, using the models created by the Bell-RAND study, the 2010 Olympics confirmed that the confluence of targets-of-opportunity represent a greater risk contagion through their complex interdependencies; where risk conductance (volume and velocity) across CIs are a direct function of interdependency.  The Davos Foundation warns of the perils of hyper-connectivity and networks; “a healthy digital space is needed to ensure stability in the world economy and balance of power.”

Hard Problem for the bad actor
Thankfully, not all threat actors are good at math, nor do they have the means or insider knowledge to model and manipulate CIs for effect. Deliberately knocking out a national infrastructure and getting them to stay down is tough. Part of the reason is that they are so resilient.

Components of systems-of-systems fail all the time and this build resiliency through natural selection, evolution and self-organized criticality. Consider that 1.7% to 8.6% of disk drives will fail in a year across the country. Over 98% of email through the core is typically malicious. (“Most malicious traffic is filtered by the ISPs.” Combating Robot Networks and their Controllers PSTP08-0107eSec. 2013) Power and telephone lines are taken down by storms every day. Yet, telecommunications are up 99.9995% of the time.

In the same fashion that complex systems can fail in unforeseen ways, they also heal unexpected ways. Thus, an ‘invisible hand’ frustrates attackers.

Also attacking a CI is dangerous owing globalization of supply chains and interconnectivity, which places the attacker and defender on the same critical infrastructure. Cyber attacks in particular are difficult, because they rely on the same means for intelligence, exploitation and attack.

So, what constitutes a nightmare scenario? In this age, the mouse has proved mightier than the missile in its ability to deliver measured strategic real-world effects. The annual costs of cyber-attacks on Canada rivals the entire defence budget, and the innovation cycle is driven by the threat and offensive doctrine. I believe the vector of change will come out of traditional cyber domains – the problem is, we do not yet have a winning strategy.

The science behind a successful strategic offensive against critical infrastructure is to manufacture the perfect storm of events such that one can precipitate cascading failures, from which it is difficult to recover.

In order to targeting-for-effect, the actor would need to have anticipated what the systems will do, because once the attack is set in motion, it will advance faster the humans can observe-orient-decide-act.

These steps are even more difficult to operationalize because the strategy requires an in-depth understanding of systems-of-systems, within each environment. Thus, telecoms energy and financial systems represent a highly co-dependent ‘iron triangle’ of critical infrastructure.

Traditional tic-tac-toe Solutions
While the fortification system that made up the Maginot Line did prevent a direct attack, it was strategically ineffective. Likewise, traditional security systems can’t deal with strategic assaults. Physically mapping some ‘vital’ facilities is missing the forest for the trees; ignoring root systems and the larger ecosystem.

The calls for more working groups, standards, compliance audits or renewed attempts at redefining cyber are as effective at CIP as “re-arranging deckchairs on the Titanic.” To date, much of the discourse to date has been preoccupied with recovering from natural and accidental disasters and hazards like: the 1996 Saguenay Flood; the 1997 Red River Flood; the 1998 Ice Storm; the 2003 Power Blackout; and the 2003 Severe Acute Respiratory Syndrome outbreak. But these scenarios do not address complex deliberate offensive campaigns across multiple domains particularly ethereal ones like cyber, finance and energy.

One cannot regulate quantum mechanics, chaos and complexity. The beneficial purpose of regulation of CI is to limit degrees of freedom in these systems, to allow for them to self-correct. However, this needs to be done very carefully. Pulling the wrong leaver or cutting the red wire instead of green can lead to dire consequences.

Of course it’s important to developing the best possible defensive capability but, as former National Security Advisor Dick Fadden says, “at some point you have to ask yourself, and ministers will have to consider, whether they should be given the capacity to push back as opposed to just defending.”

"Through convergence, cyber has evolved to a complex ecosystem of information and systems. Information warfare is advanced, particularly in highly-­contested environments and fragile states. Our adversaries are sophisticated and aggressive. Their operations are agile, adaptive, and dispersed.

Deterrence needs to be cross-domain, and cannot exist without a credible offensive capability in which to project both power and influence."
– Cyber 2016 Dave McMahon

"Volatility, uncertainty, ­complexity and ambiguity characterize the strategic [cyber] environment."
– U.S. Army War College

What is “art of the possible” for defence of CI?
We can still win at poker (an unsolvable game) by complex pattern recognition, playing the probabilities, and practical gaming theory. “Foremost, effective Cyber Security begins with a Strategic Understanding of the domain.”

So, for cyber and CIP, one would start with a high-fidelity model based upon interdependencies, contagion and risk conductance. Not just qualitative surveys and workshops. An attack surface analysis using Advanced Open Source Intelligence (A-OSINT) would gather the necessary data to populate the model and complete an organizational security posture assessment from the perspective of a sophisticated cyber adversary. Subject Matter Experts from the CIs would validate and verify the data-model. Operational research could use a synthetic environment (test range) to realistically simulate or ‘war game’ critical infrastructure defence strategies. This is just the beginning.

Dave McMahon is Chief Strategist, Defence and Security at ADGA. Prior to that, he was the Chief Security Officer (CSO) for Bell Security Solutions Inc., and Chief Operating Officer (COO) of the SecDev Cyber Corp. He has a broad-spectrum of experience working at the intersection of cyberspace, social and political change, competition and conflict.