The U.S. House of Representatives will hold a hearing at 10 a.m. Tuesday to listen to testimony from top cyber officials on the impact Stuxnet had on the evolution of threats to critical infrastructure, following the discovery 15 years ago of the offensive attack on Iran’s nuclear enrichment facilities.

Rep. Andrew Garbarino, R-N.Y., chairman of the Subcommittee on Cybersecurity and Infrastructure Protection, said Stuxnet signaled a new age in the targeting of operational technology (OT), an attack vector that has increased in complexity since 2010.

“Given increasing threats to critical infrastructure from actors such as Volt Typhoon, it’s important to examine the legacy of Stuxnet — the world’s first cyber weapon,” said Garbarino in a July 16 press release. “I look forward to hearing valuable insight from industry leaders and experts regarding how Stuxnet has impacted the cybersecurity landscape and U.S. cybersecurity posture.”

Tuesday’s hearing will be held against the backdrop of at least three ongoing trends and a busy to-do list for lawmakers around cybersecurity:

- The Trump administration has long called for the nation to take on a more offensive posture. Security pros expected that the hearing Tuesday could lend some insight into how the nation can best make that happen.
- Under the existing Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) as originally proposed, the Cybersecurity and Infrastructure Security Agency (CISA) is mandated to release its final CIRCIA rules this October. The Trump administration and the Republican-led House have made it clear that they want to roll back the proposed 72-hour reporting provision for critical infrastructure cyber incidents, as well as the 24-hour timeframe for ransomware payments, moves that many in the industry support.
- Congress is also due to reauthorize the Cybersecurity Information Sharing Act of 2015 (CISA) this September. CISA 2015 authorized the existing framework for information sharing among the Information Sharing and Analysis Centers (ISACs). While the ISACs have had broad support since first being authorized in 1998, privacy advocates have also expressed many concerns for several years over how the data gets handled by federal agencies once it’s shared.

Morgan Wright, senior fellow at the Center for Digital Government, said Stuxnet and Operation Olympic Games were seminal events, redefining the scope of cyber warfare and its targets. Wright said he liked the idea that’s been reported in the press that the hearing is not a history lesson: It’s about what we do now that Pandora’s Box has been opened and the threat of new malware unleashed.

“As someone who has testified before Congress on significant issues like the safety and security of Healthcare.gov, the current crop of members of Congress has become more literate in the domains of cyber and digital warfare than I experienced in November of 2013,” said Wright. “We now have, unfortunately, enough history of attacks and compromises to better understand the battlefield, and with it, the new courses of action we should take. Rather than pining for the old days, this hearing presents an opportunity to launch a new appreciation of the modern threatscape.”

Trey Ford, chief information security officer at Bugcrowd, said he expects the discussion Tuesday will be around the defense and resilience vantage point, using Stuxnet as a lens to evaluate the focus of a determined adversary to disrupt and deny critical infrastructure, impacting social stability and safety.

“Cyber defense and resilience is best measured through the lens of offensive research and adversary emulation,” said Ford. “Cyber and asymmetric warfare have come a long way. We can't ignore mis/disinformation attacks, and other asymmetric engagement patterns.”

Lawrence Pingree, vice president of Dispersive and former Gartner Technology Practice VP, added that Stuxnet is a good example of a nation-state operation, and it's certainly been discussed on many occasions whether relaxing laws surrounding responding to an attacker with offense in return might be warranted. However, Pingree said the can of worms that opens up is one of the reasons we've stayed clear and made that a more select function done by government vs the populace.

“In terms of the reporting requirements, one of the challenges is that even under good tools and conditions, some threats that have breached environments aren't discovered entirely (confirmed) since there is sometimes a mountain of data to go through, and often detection data may exist but be normal operating behavioral noise leading to missed detection,” said Pingree. “EDR and modern tools are also known to be bypassed on a regular basis. Having penalties against security practitioners (unless there's real intent to harm) seems counterproductive to the infosec cause. Which is why more moderated policies that encourage but don't discourage participation in cybersecurity are important.”

Tim Mackey, head of software supply chain risk strategy at Black Duck, pointed out that what often gets lost in the timeframe discussion is not that the timeline is unreasonable, but rather that the impacted company, or in this case critical infrastructure provider, doesn’t have processes that scale to meet incident identification, remediation, and reporting requirements.

“Adding process to address gaps, even when the process is automatable, implies added cost, but most regulations assume regulatory changes are zero-cost efforts,” said Mackey. “That critical infrastructure implicitly has a long lifespan that complicates adding improved processes implicitly assumes retrofits are possible for systems that were qualified years ago.”

The following witnesses are scheduled to testify before the House on Tuesday:

- Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition.
- Kim Zetter, cybersecurity journalist and author of "Countdown to Zero Day," a noted authority on Stuxnet.
- Robert Lee, chief executive officer at Dragos, which specializes in industrial OT security.
- Nate Gleason, program leader at Lawrence Livermore National Laboratory.