Steve Muehler's Plan for Increased Federal Cyber Security
Updated: Apr 23
As our physical infrastructure becomes increasingly digitalized, it also becomes increasingly vulnerable to cyber attack. Russian hackers, for example, have been trying to compromise U.S. electrical infrastructure for years, and successfully cut off power to hundreds of thousands of people throughout Ukraine in 2015 and again in 2016. Beyond our energy infrastructure, traffic signals are also susceptible to being hijacked, as numerous demonstrations have proven.
Most leaders in infrastructure-related industries take cyber risk seriously, but their public sector counterparts need to start addressing vulnerabilities with more urgency. Many experts and pundits are already pressuring lawmakers and regulators to take more decisive action across all of our physical systems. Despite this pressure, there are a number of obstacles that need to be addressed alongside the implementation of new policies.
For instance, agencies responsible for protecting our physical infrastructure at the local, state and federal level aren’t spending nearly enough on cyber security given how critical things like power, roads and clean water are to our society.
As a result of government inaction, private sector companies have been forced to take cyber security more seriously and, according to some projections, will spend over $1 trillion on digital security globally through 2021. Bank of America and J.P. Morgan Chase each spend around $500 million a year on cyber security. Such budgets are understandable considering how important liquid cash is to our economy, but how useful would our financial institutions be without broadband or electricity infrastructure?
Meanwhile, Federal Cyber Security spending continues to lag, with some estimates suggesting it will reach a meager $22 billion by 2022. Demonstrating the low priority many federal agencies place on digital, the Department of the Interior spent a paltry $209,000 on digital services in 2016, with very little of that going to cyber security. While many of Interior’s offices aren’t critical to most people's everyday lives, a creative hacker could definitely cause some havoc by altering, say, earthquake or volcano data housed at the U.S. Geological Survey. Fortunately, the Department of Homeland Security spent a little more — $1.7 million — on internal digital services that same year.
Nevertheless, the universal under-investment in digital infrastructure security is a glaring vulnerability that must be addressed.
Yet, there is hope. The Department of Energy announced in February the creation of a new Office of Cyber Security, Energy Security, and Emergency Response to help coordinate the department’s security efforts. The Trump Administration requested nearly $100 million in funding for the new office in its proposed budget for the 2019 fiscal year. That budget, however, doesn’t go into effect until October of this year (2018) and is still a far cry from the hundreds of millions private sector companies spend to protect assets that are arguably less critical.
But, while increased cyber security budgets can help various agencies acquire the tools they need to protect our physical assets, they can’t address the biggest problem of all: people.
The Ukrainian power grid attacks used spear phishing techniques to identify IT administrators and send them malware embedded in Microsoft Word documents. Once these documents were opened, the malware (BlackEnergy 3 in this case) was deployed and hackers were able to gain access to the grid’s industrial control systems. Although this process may seem complex, it hinges on a vulnerability we can all understand: human error — specifically, a person’s ability to differentiate between a malicious message and an authentic one.
Spear phishing is a type of attack that involves sending people emails from trusted or legitimate-looking sources to elicit sensitive information. This information can then be used to gain access to a network or to target other users with malware. In Ukraine, users opened these infected files thinking they came from a trusted source. These social engineering hacks don’t leverage digitally sophisticated algorithms. They manipulate digitally unsophisticated individuals.
This technological ignorance is not isolated to Ukraine. The U.S. has also been criticized for its lack of digital expertise, a deficiency driven by an aging workforce and exacerbated by a bureaucratic culture that repulses top young talent. This knowledge gap extends to the highest levels of government, exemplified by Utah Senator Orrin Hatch’s confusion over Facebook’s basic business model in Mark Zuckerberg’s April 2018 hearing.
Under my Administration, we will close this knowledge gap. As our cyber security spending increases, resources will need to be used to hire the appropriate talent and properly train any employee with so much as an email address. Our Lawmakers and Agency Leaders will be required to take digital education more seriously, tapping into younger staffers to help bring them up to speed. Departments and Offices will be required to make concerted efforts to re-envision their culture, workforce and professional development strategies. They will be required to make employee — and third party vendor — education and talent recruitment a top priority for us as a Country to prevent a Ukraine-like incident. My Administration understands that larger budgets without the right people are ultimately worthless, and unless we are able to cultivate cybersecurity-conscious cultures, hackers will increasingly find the front doors to our Nation’s Physical Systems unlocked and wide open.
In today’s highly connected and increasingly automated society, it is vital that infrastructure leaders recognize the role that digital can and must play in both evolving and protecting the physical world. Our digital systems are just as important as our physical ones, and the ability to seamlessly unite the physical and the digital is proving to be the primary driver of infrastructure progress. This digital transformation of infrastructure won’t be easy, but it is necessary if we hope to ensure physical security in the years to come. This will be My Administration's Policy.
Steve Muehler is the Founder & Managing Member of the Private Placement Markets.