Brad Allenby, Ph.D., Aff.M.ASCE, is the president’s professor of civil, environmental and sustainable engineering, and of law; Lincoln professor of technology and ethics; senior sustainability scientist; and co-chair of the Weaponized Narrative Initiative of the Center for the Future of War at Arizona State University. He entered academia after a 20-year career as senior environmental counsel, research vice president for technology and environment, and environment, health and safety vice president for AT&T.
Mikhail V. Chester, Ph.D., A.M.ASCE, is an associate professor for the School of Sustainable Engineering and the Built Environment, and director of Arizona State University’s Metis Center for Infrastructure and Sustainable Engineering. His work spans climate adaptation, disruptive technologies, innovative financing, transitions to agility and flexibility, and modernization of infrastructure management. He is co-lead of the Urban Resilience to Extremes research network composed of 19 institutions and 250 researchers across the Americas, focused on developing innovative infrastructure solutions for extreme events. He was awarded ASCE’s early career researcher Huber Prize in 2017.
In today’s provocative and important Member Voice article, Allenby and Chester outline the current cybersecurity landscape, as they see it, and recommend where they think civil engineers need to aggressively take the lead.
Change happens fast these days.
Three years ago, the Netflix noir science-fiction anthology series “Black Mirror” debuted an episode called “Nosedive,” where a young lady desperately tries to raise her social media rating number. This rating determined what transportation she could access, her rights and privileges, her ability to borrow money, her socioeconomic status and much else. She failed, of course – after all, the show isn’t called “Pink Mirror with Daisies” – and millions of viewers in America shuddered with relief that such an authoritarian future was only sci-fi.
A year later China was beginning implementation of such a technology, their “social credit system,” across the country – and exporting it to other soft authoritarian countries.
Rapid and unpredictable evolution is occurring not only in the technology domain but also in geopolitical conflict. In particular, in a few short years, the entire framework of war has shifted fundamentally from traditional kinetic warfare, where the United States holds a substantial advantage, to “civilizational conflict,” where the United States and Europe are struggling. In perhaps the most important article on war in the past 20 years, Gen. Valery Gerasimov, chief of the general staff of the Russian Federation, wrote that “[t]he very ‘rules of war’ have changed. The role of nonmilitary means of achieving political and strategic goals has . . . in many cases . . . exceeded the power of force of weapons in their effectiveness.”
This radical proposition was almost immediately validated as Russia successfully invaded Crimea and eastern Ukraine, and undermined critical elections in the U.K. (Brexit) and the United States (the 2016 elections) – and got away with it across the board. The Chinese have moved to a similar strategy, which they call “unrestricted warfare.” Such civilizational warfare strategies explicitly assign a secondary role to traditional conventional military practices and strategies, while emphasizing the use of unconventional weapons such as disinformation warfare and cyberwar methods to engage across the entirety of cultures and civilizations. The entirety of a civilization becomes a battlespace, and battle can be joined in a matter of microseconds, in some cyberattacks, to decades, as infrastructure is systematically compromised and infiltrated.
Again, this is not hypothetical.
NATO analysts have concluded that Russia already regards itself as at war with the United States, and China’s actions in the South and East China Seas, as well as its massive cyberespionage and cybertheft activities, indicate a similar stance to many analysts.
The result is perhaps the most devastating, and successful, assault on American and European infrastructure in the history of warfare. As Andy Greenberg wrote last August in Wired:
Not so long ago, stories about cyberwar started with scary hypotheticals: What if state-sponsored hackers were to launch widespread attacks that blacked out entire cities? Crippled banks and froze ATMs across a country? Shut down shipping firms, oil refineries, and factories? Paralyzed airports and hospitals?
Today, these scenarios are no longer hypotheticals: Every one of those events has now actually occurred. Incident by catastrophic incident, cyberwar has left the pages of overblown science fiction and the tabletops of Pentagon war games to become a reality.
The brilliance of the strategic shift by major adversaries is illustrated by the fact that the publics of the countries under attack, and their engineering professionals and organizations, are essentially clueless. Senior engineers in major infrastructure organizations – city governments, state departments of transportation, water and energy infrastructure firms – pack more cyber capability into their systems on a regular basis in search of greater efficiency and lower costs, without paying more than occasional lip service to the security of their systems.
Thus, for example, in spite of all the public discussion regarding the need for cybersecurity, in March 2018 Atlanta was shut down by a ransomware attack, as was Baltimore last May – and these were relatively unsophisticated attacks. Imagine how much damage a state-scale cyber-attacker, with state-of-the-art AI, could do. Imagine how compromised their existing systems already are.
Of course, academic institutions with their brilliant professorial cadre are not so blind. Oh, really? Speaking recently to a class of more than 100 graduating civil and environmental engineers, many of whom were deep in cyber-enabled technology such as building information modeling systems (BIMs), one of us asked whether any of them had any exposure to cybersecurity issues at all. No one raised their hand. And it is not different anywhere else.
The IoT and supporting infrastructure is the operational and moral equivalent of handing a child a live hand grenade with the pin removed, and walking away. Fast.
No professional engineering association that we are aware of has cybersecurity as a required competence, or as a minimal ethical requirement to practice. Engineering schools today are essentially training professionals in the fine art of making their society completely vulnerable to sophisticated attackers, and neither the professors nor the students even recognize the threat. The IoT and supporting infrastructure is the operational and moral equivalent of handing a child a live hand grenade with the pin removed, and walking away. Fast.
What is to be done?
The most important thing to recognize is that our infrastructure isn’t just old and worn out, it is a massive weapon in the hands of adversaries of the democratic West. On top of that, neither the formal engineering educational process nor the engineering professional organizations, have risen to the challenge of cyberwarfare and civilizational conflict. This challenge is not looming; it is here and has been here for long enough for the security dimension of our infrastructure to be thoroughly compromised.
More specifically, every professional engineering organization in the West – and elsewhere, for it would be naïve to think that, once launched, the weapons of civilizational conflict won’t be widely adopted – should immediately implement a crash course in cybersecurity that should be quickly phased in as mandatory for all members. In addition, the ethical standards each professional engineering organization supports should be updated to require adequate knowledge of cybersecurity issues in professional practice.
Major infrastructure management organizations, such as city and state governments, and major firms in infrastructure activities, should make knowledge of cybersecurity a key competency, especially for anyone having design, maintenance, operational, or regulatory responsibility for infrastructure.
No professional license should be issued until the candidate can demonstrate familiarity with basic cybersecurity principles. Moreover, all relevant professional exams, such as the Principles and Practice of Engineering Examination, and the Fundamentals of Engineering exam, should integrate security considerations both as a separate, required competency, and as an inevitable consideration in design and operation of infrastructure systems at all scales.
Major infrastructure management organizations, such as city and state governments, and major firms in infrastructure activities, should make knowledge of cybersecurity a key competency, especially for anyone having design, maintenance, operational or regulatory responsibility for infrastructure.
Finally, the almost criminal inadequacy of current engineering education when it comes to security issues must be addressed. ABET must immediately update its requirements to include a rigorous introduction to cybersecurity in an age of civilizational conflict for all engineering disciplines. The point would not be to turn every engineer into a security expert but to assure that every engineer who graduated from our schools is able to understand, and appreciate, the cybersecurity implications of their activities, and bring in cybersecurity professionals when appropriate.
These proposals may sound like an overreaction. But if anything, they are merely adequate and far too late.
They are necessary to prevent engineers, a profession dedicated to the safety of the public, from becoming enablers of some of the most sophisticated weapons in the world today.