Trump infrastructure rush risks cybersecurity disaster
Construction work signs are stacked against a fence in Miami-Dade County in 2015. Photo: Joe Raedle / Getty Images
President Trump's infrastructure plan encourages states to "incorporate new and evolving technologies" into their proposals, but does not require any form of cybersecurity for those technologies. Experts say that might set states on the path to disaster.
The bottom line: "These plans are not just about putting down pavement. 21st century infrastructure is networked," said Richard Harknett, a University of Cincinnati professor that recently served as scholar-in-residence at the NSA and U.S. Cyber Command.
Flashback: Criminals have already wreaked havoc on current, less-networked infrastructure. In 2016, an attacker installed ransomware on the San Francisco Municipal Railway. As a result, the public transit system was unable to charge for rides for a weekend.
Details: Trump has touted his $200 billion infrastructure plan as a mechanism to generate more than a trillion dollars in investment. The Trump proposal includes a $100 billion incentive program rewarding proposals "incorporat[ing] new and evolving technologies." There is no requirement to evaluate the cybersecurity of any new technology used.
Advantages of modern infrastructure: The state-of-the-art in infrastructure uses data to become more efficient. Take transit for example:
- Sensors will pick up data on things like congestion or weather, allowing for big data analysis to help optimize traffic by changing traffic light patterns.
- Cars will communicate with traffic lights and signs to help drivers know when to stop.
- There will be benefits to traffic, safety, fuel efficiency, and noise.
Yes, but: "Cities do a lot of functionality testing to make sure things work right, but do very little security testing," said Caesar Cerrudo, chief technology officer for the security firm IOActive. Cerrudo is known for showing how to hack traffic light sensors already in use by many large American cities.
- If hackers are able to tinker with any aspects of a smart system, they can more than negate any safety or efficiency boost.
- Such tinkering could also trick sensors and manipulate traffic flows through intersections.
- A cleverly constructed series of traffic jams, for example, could do serious harm to an economy.
- Toying with weather sensors could cause a system to suggest caution during a perfectly sunny day or, worse, not suggest caution during a freeze.
That doesn't mean it's not worth doing. Businesses have high hopes for replacing crumbling infrastructure that impedes national and international trade. "It's time to invest in a 21st century infrastructure, a system of infrastructures to support and grow a 21st century economy," said Tom Donohue, president of the U.S. Chamber of Commerce, at a speech in January.
But there are concerns to address: Cybersecurity experts say it's much cheaper and effective to address cybersecurity concerns before a major infrastructure project starts. "This is the time to address it, before the shovels hit the ground," said Harknett.