Cyberattack Culpability

The Federal government is warning States regarding a series of cyber attacks against water distribution networks that have been carried out, and that the primary attackers are the People’s Republic of China and Iran. EPA Administrator Michael Regan and National Security Advisor Jake Sullivan wrote a letter to all of our State Governors, in which they wrote in part,

Threat actors affiliated with the Iranian Government Islamic Revolutionary Guard Corps (IRGC) have carried out malicious cyberattacks against United States critical infrastructure entities, including drinking water systems.

And

The People’s Republic of China (PRC) state-sponsored cyber group known as Volt Typhoon has compromised information technology of multiple critical infrastructure systems, including drinking water, in the United States and its territories. Volt Typhoon’s choice of targets and pattern of behavior are not consistent with traditional cyber espionage. Federal departments and agencies assess with high confidence that Volt Typhoon actors are pre-positioning themselves to disrupt critical infrastructure operations in the event of geopolitical tensions and/or military conflicts.

They added by way of emphasis,

Drinking water and wastewater systems are an attractive target for cyberattacks because they are a lifeline critical infrastructure sector but often lack the resources and technical capacity to adopt rigorous cybersecurity practices.

What particularly drew my eye in their letter, though, was this, which Regan and Sullivan also pointed out as one of the reasons for the IRGC’s choice of targets:

In many cases, even basic cybersecurity precautions—such as resetting default passwords or updating software to address known vulnerabilities—are not in place and can mean the difference between business as usual and a disruptive cyberattack.

Which brings me to my bit about culpability. [A] common type of operational technology used at water facilities where the facility had neglected to change a default manufacturer password. This has to be especially important given the number of lives that depend on reliable potable water. It’s also the case that there is no excuse whatsoever for IT types, or anyone else responsible for maintaining a computer network or any of its subnetworks, being so lazy they can’t even be bothered to do so basic a thing as changing passwords away from factory preset defaults, defaults that are, by design, widely publicized precisely so that those who’ve newly purchased such a device can gain access and change the default password to something else and thereby deny those not authorized easy access.

Thus: it’s time to start holding IT managers whose networks are penetrated because they affirmatively chose not to bother to replace default passwords with very strong passwords not just accountable, but culpable.

Current criminal negligence law centers on offenses that occur

primarily in situations involving the death of an innocent party as a result of the operation of a motor vehicle by a person who is under the influence of Drugs and Narcotics or alcohol.

The key is death of an innocent party, and that innocent party part includes all Americans using our potable water infrastructure or any other critical infrastructure: natural gas distribution, for instance, electricity distribution, heating oil pipelines, and so on. Those primary situations, though, should be easily enough modified to include the potential for death when something so central to life as access to water or to any of the other critical infrastructure deliverables is criminally disrupted. The presence or not of death should only inform the severity of the sanction, not the existence of the criminal negligence.

This criminal negligence culpability with its stern sanctions should apply to IT types responsible for subnet management as well as, not instead of, the overall IT head.

The problem extends beyond mere deaths of users of our water or other infrastructure systems. Prolonged disruption will—not can—severely and negatively impact our national security, our ability to defeat an infrastructure cyber attack or any other attacks done in concert with infrastructure disruption.