Some easy answers to complicated questions
The wise Lesley Carhart asks:
Her wise answer to all three is "it's complicated," that these are in fact not "easy questions." It's the complexity of the answer that makes it the correct answer — even if different techies disagree on the complex parts.
But I'm somebody who gives wrong answers. I'm going to insist that there are easy answers to these questions. Specifically, the easy answers are:
No. The US power grid is too diverse for hackers to seriously threaten as a whole, though localized blackouts are a big threat. The solution isn't to focus on the power grid as a whole, but to diversify things, such as households having battery backups.
No. There is no silver bullet, magic pill solution to security, and AI isn't close to becoming one. AI will change the job of human analysts, but at the same rate their job is always changing.
No. Anti-Microsoft hate is pervasive in the community, but the security features of all major operating systems are roughly the same and can be hardened the same. The best business solution is the one that satisfies business needs, not cybersecurity needs.
The following is a more extensive discussion.
Power Grid
Hackers can't take down the US power grid — at least, as a national policy, it's not something we need to worry about. Solar mass ejections are far more important. That's because the US power grid is really diverse, with over 10,000 companies involved in generation and transmission. It's designed to quickly segment itself. We've addressed the cascade of failures that happened in the 2003 East Coast Blackout.
National policy should instead focus on local blackouts, such as that of a major city. Hackers can break into local grids, or simply bribe a local operator, and cause painful blackouts.
The reason I describe "national policy" is that the threat of a "Cyber 9/11" for the last 30 years, from the likes of Richard Clarke, often results in bad policy. For example, it's pushed "Einstein" intrusion detection sensors everywhere which themselves now become a threat. It's now a single target the hacker can attack that impacts the entire grid, where before the grid was too diverse to attack with a single thing.
The long term path to securing the grid, from hackers or solar mass ejections, is more diversity, such as more home battery storage and solar panels. Solar and wind produce an over-abundance of power for a few hours each day. The grid should just deliver that to households which recharge their backup batteries and cars. Households would have incentive to invest in such infrastructure with current smart-grid technologies that charge more or less depending upon the current production and load on the grid.
In other words, to resist hackers, thinking in terms of "too big to fail" is the wrong approach. We should be thinking in terms of diversifying infrastructure, such that households and businesses have more continuity in the face of a grid attack.
AI Replacing Security Analysts
Well, part of this question has nothing to do with cybersecurity, but is about the current capabilities of AI right now.
AI is "trained" on existing things. It'll certainly become a useful defensive technology, able to easily recognize known attacks in ways that human analysts struggle to.
But on the other hand, cybersecurity always works this way. Defenders address known attacks, and hackers are constantly pivoting to new things.
The reason security analysts are human is so that they can likewise pivot and deal with novel attacks.
In other words, AI isn't going to be the "magic pill" that solves cybersecurity. Nor is it the "magic pill" that's going to automate hacker attacks. Magic pills are the wrong way to conceptualize problems.
Now, AI is certainly going to change the job of cybersecurity analyst, but then, technology has always been changing that job. There are a few chronic problems that remain the same, but most of the job completely changes every decade.
Operating System
There is no secure operating system. All operating systems have roughly the same sort of features that experts can use to harden them, such as removing admin access or removing app privileges.
Classically, there has always been operating-system partisanship in the tech community. Specifically, it's standard for techies to tell you how insecure and unreliable Windows is, because they hate the monopoly dominance Windows has on the desktop. But it's never been technically true — technical experts exploit the trust people have in their expertise in order to pursue partisan anti-Microsoft goals. A classic example is the "Monoculture" paper by Dan Geer — technically vacuous but strokes the prejudices of those who hate Microsoft, so you'll get cheers from the crowd whenever you mention it at a cybersecurity conference.
I'd agree that most organizations are flawed in how they've deployed Microsoft solutions. But replacement is probably just a very different deployment of Microsoft solutions, not switching to macOS or (gasp) Linux on the desktop.
But the biggest flaw here is simply pretending that the best operating system is the most secure one. Even if there were one that was notably more secure, the best business operating system is still the one that best solves business needs, not the one that best solves cybersecurity needs. We in cybersecurity believe that we are gods and everyone should listen to us, that the purpose of the organization is to solve our needs. The chief cause of burnout in the industry is that nobody seems to be listening to us when we stress the importance of cybersecurity. But cybersecurity isn't that important — the business is.
In short, it's our job to secure the business operating system, whichever one they choose. Cybersecurity needs should be considered, but only as one of many needs.
Conclusion
Of course, Lesley has the right answers: the only people you should trust are those who claim the answers are complicated.
But, as a contrarian, I'm still going to reach for the wrong answers. So that's this post.
AI disclaimer: AI will replace copy editors. I can’t help but make stupid mistakes that I cannot see, so I’m now using AI to copy-edit my crap. Here’s the list of changes claude.ai made to this piece before I posted it. Also, the image at top was created by Grok.ai.