Brad Allenby, Ph.D., Aff.M.ASCE, is the president’s professor of civil, environmental and sustainable engineering, and of law; Lincoln professor of technology and ethics; senior sustainability scientist; and co-chair of the Weaponized Narrative Initiative of the Center for the Future of War at Arizona State University. He entered academia after a 20-year career as senior environmental counsel, research vice president for technology and environment, and environment, health and safety vice president for AT&T.
Mikhail V. Chester, Ph.D., A.M.ASCE, is an associate professor for the School of Sustainable Engineering and the Built Environment, and director of Arizona State University’s Metis Center for Infrastructure and Sustainable Engineering. His work spans climate adaptation, disruptive technologies, innovative financing, transitions to agility and flexibility, and modernization of infrastructure management. He is co-lead of the Urban Resilience to Extremes research network composed of 19 institutions and 250 researchers across the Americas, focused on developing innovative infrastructure solutions for extreme events. He was awarded ASCE’s early career researcher Huber Prize in 2017.
In today’s provocative and important Member Voice article, Allenby and Chester outline the current cybersecurity landscape, as they see it, and recommend where they think civil engineers need to aggressively take the lead.
Change happens fast these days.
Three years ago, the Netflix noir science-fiction anthology series “Black Mirror” debuted an episode called “Nosedive,” where a young lady desperately tries to raise her social media rating number. This rating determined what transportation she could access, her rights and privileges, her ability to borrow money, her socioeconomic status and much else. She failed, of course – after all, the show isn’t called “Pink Mirror with Daisies” – and millions of viewers in America shuddered with relief that such an authoritarian future was only sci-fi.
A year later China was beginning implementation of such a technology, their “social credit system,” across the country – and exporting it to other soft authoritarian countries.
Rapid and unpredictable evolution is occurring not only in the technology domain but also in geopolitical conflict. In particular, in a few short years, the entire framework of war has shifted fundamentally from traditional kinetic warfare, where the United States holds a substantial advantage, to “civilizational conflict,” where the United States and Europe are struggling. In perhaps the most important article on war in the past 20 years, Gen. Valery Gerasimov, chief of the general staff of the Russian Federation, wrote that “[t]he very ‘rules of war’ have changed. The role of nonmilitary means of achieving political and strategic goals has . . . in many cases . . . exceeded the power of force of weapons in their effectiveness.”
This radical proposition was almost immediately validated as Russia successfully invaded Crimea and eastern Ukraine, and undermined critical elections in the U.K. (Brexit) and the United States (the 2016 elections) – and got away with it across the board. The Chinese have moved to a similar strategy, which they call “unrestricted warfare.” Such civilizational warfare strategies explicitly assign a secondary role to traditional conventional military practices and strategies, while emphasizing the use of unconventional weapons such as disinformation warfare and cyberwar methods to engage across the entirety of cultures and civilizations. The entirety of a civilization becomes a battlespace, and battle can be joined on timescales ranging from microseconds, in some cyberattacks, to decades, as infrastructure is systematically compromised and infiltrated.
Again, this is not hypothetical.
NATO analysts have concluded that Russia already regards itself as at war with the United States, and China’s actions in the South and East China Seas, as well as its massive cyberespionage and cybertheft activities, indicate a similar stance to many analysts.
The result is perhaps the most devastating, and successful, assault on American and European infrastructure in the history of warfare. As Andy Greenberg wrote last August in Wired:
Not so long ago, stories about cyberwar started with scary hypotheticals: What if state-sponsored hackers were to launch widespread attacks that blacked out entire cities? Crippled banks and froze ATMs across a country? Shut down shipping firms, oil refineries, and factories? Paralyzed airports and hospitals?
Today, these scenarios are no longer hypotheticals: Every one of those events has now actually occurred. Incident by catastrophic incident, cyberwar has left the pages of overblown science fiction and the tabletops of Pentagon war games to become a reality.
The brilliance of the strategic shift by major adversaries is illustrated by the fact that the publics of the countries under attack, and their engineering professionals and organizations, are essentially clueless. Senior engineers in major infrastructure organizations – city governments, state departments of transportation, water and energy infrastructure firms – pack more cyber capability into their systems on a regular basis in search of greater efficiency and lower costs, without paying more than occasional lip service to the security of their systems.
Thus, for example, in spite of all the public discussion regarding the need for cybersecurity, in March 2018 Atlanta was shut down by a ransomware attack, as was Baltimore last May – and these were relatively unsophisticated attacks. Imagine how much damage a state-scale cyber-attacker, with state-of-the-art AI, could do. Imagine how compromised their existing systems already are.
Of course, academic institutions with their brilliant professorial cadre are not so blind. Oh, really? Speaking recently to a class of more than 100 graduating civil and environmental engineers, many of whom were deep in cyber-enabled technology such as building information modeling systems (BIMs), one of us asked whether any of them had any exposure to cybersecurity issues at all. No one raised their hand. And it is not different anywhere else.
No professional engineering association that we are aware of has cybersecurity as a required competence, or as a minimal ethical requirement to practice. Engineering schools today are essentially training professionals in the fine art of making their society completely vulnerable to sophisticated attackers, and neither the professors nor the students even recognize the threat. The IoT and supporting infrastructure is the operational and moral equivalent of handing a child a live hand grenade with the pin removed, and walking away. Fast.
What is to be done?
The most important thing to recognize is that our infrastructure isn’t just old and worn out, it is a massive weapon in the hands of adversaries of the democratic West. On top of that, neither the formal engineering educational process nor the engineering professional organizations have risen to the challenge of cyberwarfare and civilizational conflict. This challenge is not looming; it is here and has been here for long enough for the security dimension of our infrastructure to be thoroughly compromised.
More specifically, every professional engineering organization in the West – and elsewhere, for it would be naïve to think that, once launched, the weapons of civilizational conflict won’t be widely adopted – should immediately implement a crash course in cybersecurity that should be quickly phased in as mandatory for all members. In addition, the ethical standards each professional engineering organization supports should be updated to require adequate knowledge of cybersecurity issues in professional practice.
Major infrastructure management organizations, such as city and state governments, and major firms in infrastructure activities, should make knowledge of cybersecurity a key competency, especially for anyone having design, maintenance, operational, or regulatory responsibility for infrastructure.
No professional license should be issued until the candidate can demonstrate familiarity with basic cybersecurity principles. Moreover, all relevant professional exams, such as the Principles and Practice of Engineering Examination, and the Fundamentals of Engineering exam, should integrate security considerations both as a separate, required competency, and as an inevitable consideration in design and operation of infrastructure systems at all scales.
Finally, the almost criminal inadequacy of current engineering education when it comes to security issues must be addressed. ABET must immediately update its requirements to include a rigorous introduction to cybersecurity in an age of civilizational conflict for all engineering disciplines. The point would not be to turn every engineer into a security expert but to assure that every engineer who graduated from our schools is able to understand, and appreciate, the cybersecurity implications of their activities, and bring in cybersecurity professionals when appropriate.
These proposals may sound like an overreaction. But if anything, they are merely adequate and far too late.
They are necessary to prevent engineers, a profession dedicated to the safety of the public, from becoming enablers of some of the most sophisticated weapons in the world today.
Brilliant!!!! Thank you so much for raising this awareness. It is what I have always thought.
The argument for Cybersecurity as a front-end loader for the characteristic dictum of professional engineering practice – “protection of Public health, safety and welfare” – is infallible.
Justin E. Obinna, P.E. (TX, LA), M.ASCE
TxDOT Safety Rest Area Maintenance Program Lead
Texas Department of Transportation
Maintenance Division,
150 E. Riverside Drive
Austin, TX 78704
Office: (512) 416-3017
The issue of cybersecurity is timely and critical. Is the society planning on including this important subject in the PDH offerings? It seems to me that would be an excellent and easy way to expose engineers to the subject as part of their licensing renewal plan. I am involved with a group that is on the cusp of designing and building new cities and we are very concerned about privacy, security, and effective communication. We are schooling ourselves relative to fiber optics vs the proposed new 5G rollout. Thank you for the article. I hope there will be others to follow that will help us in our engineering responsibilities to the project and to the public.
P.S. Speaking of 5G – that would also be an excellent subject to dissect and educate through PDH offerings.
Completely agree with the contributors’ point that the cyber threat is already NOW and there is an immediate NEED for ALL licensed Professional Civil Engineers to take accredited Cyber Security courses BEFORE renewal of their PE license. That would wake up members who really aren’t paying attention. ASCE should quickly build and offer a catalog of online cyber security courses. Starting in 2020, every state licensing board SHOULD REQUIRE at least 1/3 of continuing education units be in Cyber Security before approving renewal of any Civil Engineering PE license.
I think it goes beyond civil engineering profession and as a practicing geologist dealing with infrastructure envelopment connected with New York City Water Tunnel # 3, I feel very convinced about including water resource personnel, engineering design, environmental geologist, technocrats, urban designers, hydrogeologist, and geotechnical professional to achieve maximum effectiveness of the proposed understanding of cyber security. An integrated professional network comprising closely-related disciplines pertaining to infrastructure maintenance or build-up will benefit from this narrative described by the authors.
Dreary Sirs,
The article makes a very clear basis argument for the development of cyber security competency, as part of the skill set for running assets/infrastructure by using IT, both autonomously and semi-autonomously. As your article states, this is related to a lack of educational strategic development of a learning program, arising from development of technology, then teaching others in the next generation how to run better technology, as it evolves.
Can I ask, however, how cyber security competency developed in student engineers/scientists, which is later applied professionally, can be developed defensively rather than offensively? To extend Gen. Gerasimov’s comment logically out, in combination with Cold War experience and Sun Tzu strategy of warfare, cyber competency will result in a non-optimal outcome for communities, if I can put it politely.
Thank you for raising this important issue for more awareness and action. While I am sensitive and concerned about how to manage the scope creep for education and certifications that are proposed here, I heartily agree that we need to competently integrate cyber security factors into the planning, design, construction, operations, maintenance, and support phases of CE projects. If there becomes an effort within ASCE to develop a strategy, strategic roadmap, or exploratory effort to make this happen, please sign me up.
Brett Hoffstadt, PMP, ITIL, EIT
Folsom, CA