Security threats a certainty on energy networks, ex-CIA head says

Computer security breaches are a certainty for energy companies, but the best responses to them are still unclear, a former intelligence director told executives Friday.

Michael Hayden, former director of the Central Intelligence Agency and the National Security Agency, told executives attending the final day of the IHS CERAWeek energy conference in Houston that finding ways to manage the consequences of a network security threat should be a major priority, managed at the highest level of a company.

He compared the Internet to a lawless area in which all businesses are engaged and vulnerable.

The freedom of the Internet, Hayden said, “has this great location looking a little bit less from time to time like the global digital commons and more like Somalia. I mean, this place is ungoverned. In addition to being the digital global commons it’s a digital free-fire zone.”

All energy companies are exposed to serious threats, particularly in the oil and gas sector, because they rely on automated processes to manage safety and ensure systems are functioning well, Hayden told a ballroom full of executives at the Hilton Americas-Houston in downtown.

But blocking access to those systems is nearly impossible, meaning that after focusing on primary defenses, companies should develop strategies for dealing with the results of an attack, Hayden said.

“They’re getting through,” he said. “They will penetrate your network. You can make it harder. You can make it more expensive. You can make it more robust. But they’re going to penetrate.”

“Manage the consequences,” Hayden added. “Know they’re getting in.”

Hayden also advocated for some sort of offensive governmental response to an attack. He suggested that the United States take economic action against China, thought to be the perpetrator behind many network security breaches, if attacks continue on private companies.

“At some point you’ve got to give serious thought to shooting back,” he said.

A major setback in defending companies is uncertainty over the role of government agencies in defending against network breaches at energy companies. A computer system for an energy company that is made to malfunction can cause serious problems, including the possibility of a grid failure, oil spill, explosion, and lost human lives.

“If the Chinese were coming up the Houston Ship Channel here, creating physical destruction, I’ve got a pretty good idea what we’d all agree we ought to do,” Hayden said. “If they’re coming up that ship channel on a glass cable on the bottom of it, on fiber, we’re not sure. We haven’t worked it out.”

He said that policymakers and the public have yet to agree on the appropriate path forward. There is widespread disagreement over expanded government roles in Internet security, with even typical adversaries like civil rights activists and commercial interests unified in their opposition to such developments, he said.

“Fundamentally, what we need is policy,” Hayden said. “What we need is a common understanding as to what this issue presents to us.”