Tuesday, December 18, 2018


There is a bill in Congress, passed by the House and now in the Senate, that may be our first real step toward a logically effective cyber security system in our mostly open and vulnerable cyber society — especially if the concept is more focused and extended to include the crippling threat from electromagnetic pulse or “EMP”.

The bill (H.R. 6735) provides that:

(a) The Secretary of Homeland Security shall establish a policy applicable to individuals, organizations, and companies that report security vulnerabilities.

(b) The Secretary of Homeland Security shall develop a process for the Department of Homeland Security to address the mitigation or remediation of the security vulnerabilities reported through the policy developed in subsection (a).

H.R. 6735 recognizes that perhaps the most cost-effective kind of cyber security is to harness proactive Internet users and give them a way to safely report the cyber weaknesses they discover — and also to provide DHS with the necessary regulatory authority “to address the mitigation or remediation of the security vulnerabilities reported.”

How should this proactive approach actually be implemented? An earlier piece in The Washington Times suggested that:

“• The DHS secretary … would promulgate a generic list of facilities, activities and industries that were determined to be ‘critical infrastructure.’ This could include, for example, ports, inland waterways, pipelines, railroads, airspace controls, electric power grids and nuclear power plants.

• The DHS secretary would then liaison with these key facilities … to establish a cooperative cyber security relationship with them.

• The DHS secretary could then direct that one or more of these key sectors be placed under ‘managed cyber stress’ to determine exploitable cyber weaknesses.

• Interagency government teams — perhaps with contractor support — would carry out the actual stress testing.

• After the stress testing, there would be a comprehensive technical dialogue with the tested facility, as well as periodic follow-ups to insure that identified weaknesses were corrected.

• Reports on the stress testing … and follow-ups would be made to relevant Congressional oversight committees.”

A key question: Why is this approach so critically important in America? Answer: A very high percentage of American “critical infrastructure” is in the private sector, albeit ostensibly “regulated” by some form of public agency or commission. Examples are our ports, inland waterways, pipelines, railroads, electric power grids and nuclear power plants. Critics of this organizational concept argue that the regulated entity itself too often controls — directly or indirectly — the agency or commission that is supposed to oversee it.

This incestuous relationship is of particular concern when considering its close connection to the threat to our vulnerable critical infrastructure — especially the power grid — posed by the existential electromagnetic pulse (EMP) threat.

We know that “combined-arms warfare” — as planned by Russia, China, North Korea and Iran — includes various combinations of cyber, sabotage, and nuclear EMP-attacks to impair the United States quickly and decisively by blacking out the electric grid and other critical infrastructure for an extended period.

The resulting loss of electricity for many months, even years, is an existential threat to all Americans because the consequent loss of our “just-in-time” food and water supply could lead to the death of millions by starvation, disease and societal collapse.

What should we do?

President Trump’s 2017 executive order “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” should be expanded and strengthened.

Because of past demonstrated federal government dysfunctionality in dealing with the EMP threat, the president should appoint a full-time technically competent and experienced executive agent — within the National Security Advisor’s Office — with the authority and resources to manage the various departments and agencies in responding effectively to the existential combined-arms warfare threat, including EMP, to all Americans.

Of additional concern is to assure that Department of Defense “lessons-learned” (from a half century ago) to protect against the EMP threat to our strategic nuclear forces and their supporting command, control and communications are provided to private sector energy generation, transmission and distribution companies — along with the means for those companies to respond to this existential threat.

These recommendations are consistent with those of the “Congressional EMP Commission” that served for 17 years — but was largely ignored throughout that period. Illustrative of that lethargy is that clearing the commission’s critical 2017 report for public release took almost a year.

Finally, the approach described above for addressing the cyber threat with consequential stress testing should be extended to counter the complete combined warfare threat spectrum. And as the DoD learned in countering the EMP threat many years ago, such testing is particularly important — during design, deployment and operation of all key components of the electric power system.

This is similar to a recommendation from Government Executive magazine from several years ago: “Let’s honestly assess the gravity of the threats against us and test our critical systems by putting them under closely managed stress. It’s probably the only taste of reality we can give ourselves before someone or some nation or organization with malevolent motives shuts us down and watches us squirm.”

It’s time to end the studies and act.

• Daniel J. Gallington and Henry F. Cooper served in a series of senior national security related positions.


Copyright © 2019 The Washington Times, LLC.
