Cyber Risk to Power – Is not just electricity and gas

Utility Regulator Arthur House writes on cyber risks and precautions for utilities in a Hartford Courant Op-ed:  Cyber Defense Requires National Coordination <read>

It does not take an overactive imagination to picture the fallout from a cyber attack on an
American public utility. The consequences of knocking out the generation and/or distribution of
electricity, water, natural gas or communications could ripple so far and wide, it could be
considered an act of war. No wonder that some call the efforts that nations, individuals and
groups make to “test” our systems and conduct intrusions “battlefield preparations.”

Our intelligence community and the Federal Energy Regulatory Commission are rightly concerned about cyber threats to our public utilities. As with air travel and financial services, the relatively open United States is vulnerable to an array of dangers involving computer management.

Intrusions are increasing in frequency and sop histication and reported in the media. Perpetrators  include those with ties to countries that have little commitment to, or even disdain for, cyber security. Individuals and groups can be particularly dangerous, because they do not fear the consequences that might befall a nation.

There is a gap between those at the federal level who are actively engaged against cyber threats and those in states who oversee public utilities and are trying to understand and develop approaches to the problem…

Using federal expertise and experience, the regulators and the utilities can jointly establish cyber security standards — covering modernizing management practices, vetting personnel, establishing cultures of security, implementing software defenses, ensuring physical security and participating in trade association cyber defense programs

We wrote a letter  to the editor, posted online and slightly modified by the Courant, still containing one of our typos: Cyber Risks To Voting As Well <read>

Arthur House’s July 21 op-ed, ” Cyber Attacks Require National Coordination” articulates the cyber risks to our power utilities, as should be expected from a former director of communications for the director of national intelligence.

Yet, voters and the legislature should be concerned beyond physical power. Cyber risks are just as threatening to political power — the power to vote and to choose our government.

Twice the Connecticut legislature has unanimously passed Internet voting. For good reasons the governor vetoed it in 2012, yet inexplicably signed it in 2013. Many computer scientists and security experts oppose Internet voting because in cannot be made safe. Internet voting has been discredited by a Department of Defense study, security experts from the Department of Homeland Security, and the National Institute of Standards and Technology. Thoughtful leaders of all persuasions oppose internet voting, including Secretary of the State Denise Merrill and former Federal Elections Commission member Hans von Spakovsky of the Heritage Foundation.

Mr. House’s central point us that, without federal expertise and assistance, cyber security is beyond the capabilities of state government and utilities. It follows that Internet voting cannot be accomplished safely by the state and each of our 169 municipalities.

Meanwhile, in Utah, they plan wider adoption of Internet voting. The only good thing over Connecticut is that they recognize some of the risks and plan on studying them before they move forward:  State committee studying feasibility of extending online voting to more Utahns <read>

Utah Director of Elections Mark Thomas said making online voting available more widely could be a challenge.

“The lieutenant governor wanted to look at if we were to expand that, what are some of the hurdles,” Thomas said. “It would be nice to have kind of a road map on where to go, what are the landmines we need to be aware of.”

The biggest issue, he said, is security.

“Security is going to be No. 1. Part of the reason security is such a big issue is because you have the issue of a secret ballot. If I cast my ballot online, it can’t be able to be traced back to me. That’s my constitutional protection,” Thomas said.

The hope is that the lieutenant governor’s iVote Advisory Committee that began meeting earlier this month will have identified a half-dozen or so issues associated with statewide online voting before the 2015 Legislature starts in January, he said.

At that point, the next step may be hiring security experts to tackle those issues, Thomas said.

“We certainly aren’t going to, by the end of the year, have this all figured out and put to bed,” he said. “There are some very complicated issues.”

Another member of the new committee, Salt Lake County Clerk Sherrie Swensen, also questions whether Utahns will be voting online anytime soon.

“I hope that sometime in the future it will be something that happens,” Swensen said. “I admire the lieutenant governor’s office for wanting to explore this and be progressive, but I think there’s a lot to overcome before we get to that point.”

Like Thomas, Swensen said she’s not sure how a system can both identify those voting online while maintaining the secrecy of their ballots. Election officials now keep the names of voters separate from their ballots.

“That’s a huge challenge,” Swensen said, along with an online system being hacked. “For all of the clever ways people figure out how to hack into various systems, I think that’s the biggest danger, if they could hack in and skew results.”

The longtime county clerk recalled the controversy over the switch in recent years to electronic voting machines that aren’t connected to the Internet. The public’s concern was eased by the paper trail created by the machines, Swensen said.

The paper records are audited each election and could be used to tabulate the results if the machines were to malfunction.

“We could recreate an entire election,” she said.

FacebooktwitterredditpinterestlinkedintumblrmailFacebooktwitterredditpinterestlinkedintumblrmail

Leave a Reply

You must be logged in to post a comment.