Meet The Ex-Army Hackers Trying To Save America From Blackouts
Two days before Christmas the lights went out across the Ivano-Frankivsk region of Ukraine. As many as 225,000 customers lost power, the result of coordinated cyberattacks on three power grids.
The hackers tricked utility employees into downloading malware – BlackEnergy – that was linked to Russian spy agencies and that had been used to probe power companies across the world, including those in the U.S. On attack day they remotely shut off current to about 60 substations, inserted new code that blocked staff from reconnecting and even “phone bombed” the companies’ switchboards to discombobulate employees rushing to get power flowing again.
The Ukrainians claimed it was the first time a power grid had been knocked out by hackers and quickly pointed a finger at Russia. Robert M. Lee was skeptical. In the midst of preparing for a Christmas wedding in Alabama, the ex-cyberwarfare Air Force officer needed proof. There had only been two known destructive attacks on critical infrastructure. He and several colleagues in the U.S. cyber community coordinated with contacts inside Ukraine to recover malware from the network. Lee was the first person to report on the malware after reviewing the public information and analyzing the grid’s control systems. It was soon apparent: This was the real deal, though Lee shies away from blaming Russia. “What surprised me is the bold nature of it. … It was so coordinated. All the stuff we’ve seen before looked like intelligence. This looked like military. That’s kind of alarming.”
But at least Lee knew he’d made the right career choice. The summer before the Ukraine attack Lee quit the Air Force to become full-time CEO of Dragos Security, which he cofounded in August 2013. Its software product CyberLens aims to make industrial control-systems operators less ignorant about what or who is on their network. Intruders are all over: A U.S. report in December cited 295 incidents against domestic critical infrastructure (such as airports, tunnels and refineries) between October 2014 and September 2015, up from 245 the year before. The feds believe many more go unreported.
Industrial security is a bit of a blind spot for traditional cybersecurity software. Industrial control systems are vastly different from standard IT, requiring any useful security software to understand myriad commands in antiquated and esoteric communications languages designed by engineers who had no idea they’d need securing from the world’s most talented hackers. CyberLens, deployed at gateways across a customer’s network, can do that. It records what’s happening and detects and flags abnormal activity.
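The monitoring approach the paragraph describes, learning what normally crosses a gateway and flagging what does not, is easy to sketch in code. The following is an added example written for this page; it is not CyberLens, Dragos code, or any real product. The record format, the host addresses, the Modbus function-code subset and the "3x baseline" burst threshold are all assumptions constructed for the example, as are the log lines it runs over.

```python
"""Baseline-and-deviation monitor for industrial control traffic (added example).

Learns normal (src, dst, protocol, function) conversations from a training
window, then flags three kinds of deviation in a monitoring window:
a write command from a host that never wrote before, a conversation that was
never seen at all, and a known write flow firing far more often than usual.
"""
from collections import Counter
from dataclasses import dataclass

# Modbus function codes that change controller state (coil/register writes).
# Constructed subset for this example; a real deployment would cover every
# protocol the plant speaks, not just Modbus.
WRITE_FUNCTIONS = {5, 6, 15, 16}
BURST_FACTOR = 3  # assumption: a known write flow exceeding 3x its baseline count is a burst


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    func: int


@dataclass
class Alert:
    kind: str   # "new-writer", "new-flow" or "write-burst"
    ts: str
    flow: Flow
    detail: str = ""


def parse_line(line):
    """Parse one constructed record of the form '<ts> <src> -> <dst> <proto> fc=<n>'."""
    ts, src, arrow, dst, proto, fc = line.split()
    if arrow != "->" or not fc.startswith("fc="):
        raise ValueError(f"unparseable record: {line!r}")
    return ts, Flow(src, dst, proto, int(fc[3:]))


class Baseline:
    """Learned picture of normal traffic: which conversations occur, how often,
    and which hosts are expected to issue state-changing commands."""

    def __init__(self):
        self.flows = Counter()
        self.writers = set()

    def learn(self, lines):
        for line in lines:
            _, flow = parse_line(line)
            self.flows[flow] += 1
            if flow.func in WRITE_FUNCTIONS:
                self.writers.add(flow.src)

    def inspect(self, lines):
        alerts, seen, reported = [], Counter(), set()
        for line in lines:
            ts, flow = parse_line(line)
            seen[flow] += 1
            if flow in self.flows or flow in reported:
                continue  # part of the baseline, or already raised once this window
            reported.add(flow)
            if flow.func in WRITE_FUNCTIONS and flow.src not in self.writers:
                # Highest severity: a host that never wrote before is changing state.
                alerts.append(Alert("new-writer", ts, flow, "write from host never seen writing"))
            else:
                alerts.append(Alert("new-flow", ts, flow, "conversation not in baseline"))
        # Known write flows that suddenly fire far more often than during learning.
        for flow, n in seen.items():
            base = self.flows.get(flow, 0)
            if base and flow.func in WRITE_FUNCTIONS and n > BURST_FACTOR * base:
                alerts.append(Alert("write-burst", "window", flow, f"{n} writes vs baseline {base}"))
        return alerts


# Constructed sample traffic: an HMI (10.0.5.12) polls and occasionally writes to
# PLC 10.0.5.40; an engineering workstation (10.0.5.20) only polls PLC 10.0.5.41.
BASELINE_LOG = [
    "2015-12-21T08:00:01Z 10.0.5.12 -> 10.0.5.40 modbus fc=3",
    "2015-12-21T08:00:02Z 10.0.5.12 -> 10.0.5.40 modbus fc=3",
    "2015-12-21T08:00:03Z 10.0.5.12 -> 10.0.5.40 modbus fc=3",
    "2015-12-21T08:05:00Z 10.0.5.12 -> 10.0.5.40 modbus fc=5",
    "2015-12-21T08:00:01Z 10.0.5.20 -> 10.0.5.41 modbus fc=3",
    "2015-12-21T08:00:04Z 10.0.5.20 -> 10.0.5.41 modbus fc=3",
]

# Constructed monitoring window: an unknown host writes to the PLC, the workstation
# talks to a PLC it never touched before, and the HMI's write rate jumps.
WINDOW_LOG = [
    "2015-12-23T15:00:01Z 10.0.5.12 -> 10.0.5.40 modbus fc=3",
    "2015-12-23T15:00:05Z 10.0.9.7 -> 10.0.5.40 modbus fc=5",
    "2015-12-23T15:00:06Z 10.0.5.20 -> 10.0.5.40 modbus fc=3",
    "2015-12-23T15:00:08Z 10.0.5.20 -> 10.0.5.40 modbus fc=3",
] + [f"2015-12-23T15:00:{10 + i:02d}Z 10.0.5.12 -> 10.0.5.40 modbus fc=5" for i in range(4)]


def run_demo():
    baseline = Baseline()
    baseline.learn(BASELINE_LOG)
    return baseline.inspect(WINDOW_LOG)


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert.ts} {alert.kind:12s} {alert.flow.src} -> {alert.flow.dst} fc={alert.flow.func}: {alert.detail}")
```

The point of separating "new writer" from "new flow" is triage: read-only polling from an unexpected host is worth a ticket, while a write from a host that has never written is the kind of event an operator should see immediately. The baseline is only as good as the learning window, so a plant that is already compromised during learning will teach the monitor that the intruder's traffic is normal.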
Incidents such as the Ivano-Frankivsk hack are fueling a boomlet in industrial cybersecurity, a market expected to grow from $8 billion this year to $11 billion by 2019. Obama’s $19 billion cyber budget is up 35% from last year and includes plenty for grid and transport network resiliency. Security is also a focus in a $220 million grid modernization plan announced in January by the Department of Energy.
Competing with Dragos and the usual big incumbents is Israeli firm Indegy, formed by three alums of the Israeli army’s elite Talpiot scientific branch and backed by veteran cybersecurity investor Shlomo Kramer. Indegy raised $6 million in 2014 and CEO Barak Perelman says it has between 10 and 20 customers, across a range of verticals: oil and gas, chemical manufacturing, power facilities, to name a few. (Most are concerned about the insider threat, says Perelman, the “employees that didn’t get a raise in the last year”).
Lee turned down six term sheets from VCs, ranging in value from $6 million to $11 million, because the 28-year-old member of the FORBES 30 Under 30 wants the freedom to tell customers the truth about what they need and what they don’t. His 18 customers, whom he cannot name, include a large cybersecurity firm and big utilities and oil and gas companies. Revenue? He’s mum. “We’re very nicely cash positive. It’s kind of weird. We’ve never taken loans, never taken investment. I’ve got zero marketing and sales, and I’m very happy.”
Network monitoring is only one step in protecting critical infrastructure. Operators also need to recognize the behaviors of malicious apps and code and block them. A crowd of players such as Russia’s Kaspersky Lab, Intel-owned McAfee and GE are selling such solutions. Eventually, security software will be able to predict how attacks will happen, but that science is still nascent. The DOE’s Oak Ridge National Laboratory created a tool called Hyperion that detects what a piece of software can do without actually running the code. Oak Ridge last year licensed Hyperion to a private consultancy to get it to market.
Dragos may be small, but Lee has experience beyond his years. He graduated from the Air Force Academy, following his parents into the military. (They’re both retired senior master sergeants.) He was sent to Germany, where he helped work on the security of the Air Force’s drone network. While he was there, a CIA surveillance drone went missing in Iran. Lee can’t offer details on what happened, but it did pique his interest in drone security overall, and he began to do some independent digging. Neither the U.S. nor Iran released an official statement, but some news outlets reported that Iran had used GPS spoofing to trick the drone and landed it on its soil. Other drones may have suffered similar fates. “A number of times we would lose drones,” says Lee. “You don’t really talk about how that happens.”
Lee moved to another intelligence agency in Germany to help the Pentagon understand how state-sponsored hackers were targeting the U.S. Lee figured correctly that our enemies would focus on critical infrastructure. “It was a wild success – we saw all sorts of intrusions” from the most advanced hackers on the planet, he says. “The networks became like labs, which was concerning.” He finished his career under the command of CYBERCOM, the hub of America’s operations on the digital battleground, carrying out offensive work, though he keeps quiet about what attacks he took part in.
“Working with him is a bit like having a small intelligence agency working with you. He’s a force of nature in terms of research,” says Thomas Rid, professor in the department of war studies at King’s College London, where Lee is working on his Ph.D. remotely.
Lee could have stayed in the military, but after meeting fellow intelligence community programmers Justin Cavinee and Jon Lavender in Germany, he corralled them into writing CyberLens. With a marrow-deep concern for protecting his homeland, Lee plans to take the fight for better national security to lawmakers. As a nonresident fellow at think tank New America, another one of the handful of gigs he is juggling, Lee is pushing for creative approaches to get energy firms to shore up their defenses, suggesting that tax credits could provide much-needed encouragement.
Meanwhile, countries have allowed a gray market to spring up in known software vulnerabilities affecting critical infrastructure networks. Some exploits are sold to governments for as little as $4,000. (An iPhone flaw can go for $1 million.) The utilities buy them for defensive purposes, such as patching broken machines. But critics of the exploit trade, including Lee, say they often get sold for offensive means, too. Of perhaps greater concern, he says, is the lack of any coherent global response to the landmark attack in Ukraine. “You’ve allowed it to be a permissible thing,” says Lee. “That’s dangerous.”
This article was written by Thomas Fox-Brewster from Forbes and was legally licensed through the NewsCred publisher network.