Former members of the Cyberspace Solarium Commission (CSC) — a recently sunsetted group that proposed cyber policy and strategy — discussed the issue with industry representatives during a March 30 U.S. Chamber of Commerce webinar.
Speakers praised efforts like the Cybersecurity and Infrastructure Security Agency (CISA)’s Joint Cyber Defense Collaborative (JCDC) but said more work remains to prepare the nation against the kind of serious incident that could ripple out across the society and economy.
Tensions are heightened, and the FBI recently reported detecting unusual scanning activity directed at energy sector networks, which appeared to come from Russian IP addresses, per CBS.
The government needs to do more in-depth preparation to recover from a possible major incident that disrupts the economy and society, said Mark Montgomery, former executive director of the CSC and current executive director of its successor nonprofit, CSC 2.0, during the webinar.
Several speakers also called for a more precise definition of which companies count as “critical infrastructure,” what the government expects from them and how it will help their defenses.
And while financial sector representatives asserted that they’re attuned to cyberspace and have been sharing insights among each other for years, not all sectors have such readiness.
“Our weakest link is water,” Montgomery said.
CONTINUITY OF ECONOMY
Montgomery said the government needs to create — and practice enacting — a plan for restoring economic functions and stability should critical infrastructure go down.
A major cyber event could have more expansive impact than a natural disaster, which tends to hit only a couple states a time. But a hack to the power grid could impact a dozen states and ripple out to interrupt the 15 other critical infrastructure sectors, too, Montgomery said, and so the government needs to be ready.
The White House is required to make such a “continuity of economy plan” — thanks to a measure in the National Defense Authorization Act (NDAA) of 2021 — but Montgomery said he worries it’s not on track to do so by its 2023 deadline.
That plan would need to tackle questions such as “how do you prioritize what infrastructures to bring back during a massive critical infrastructure failure?” he said.
“You need to determine what’s the sequencing of electrical power grid, water, financial services, [etc.] so you can get your major exchanges back up and running and preserve not just our national security and our public health and safety, but also our economic viability and development,” he explained.
SYSTEMATICALLY IMPORTANT CRITICAL INFRASTRUCTURE
Public-private cyber defense partnerships hinge on the idea of the federal government working with companies that are important to public health and safety or economic security to keep the sectors safe from cyber threats. The typical vision is of agencies sharing intelligence and resources and the companies being expected to act on information, adopt best practices and report incidents.
More needs to be done to specify what exactly counts as a “critical infrastructure” company and what they and the government should expect from each other, however, said speakers Rep. Jim Langevin, D-R.I., who co-chairs the Congressional Cybersecurity Caucus, and Rob Morgus, a senior adviser at both CSC 2.0 and at Berkshire Hathaway Energy.
“The critical infrastructure framework is maybe a little bit too broad,” Morgus said. “You can pigeonhole just about any company in the United States into the critical infrastructure designation.”
Federal legislation passed in March will force CISA to hammer out such definitions. The policy requires critical infrastructure companies to report cyber incidents and ransom payments, and CISA has three years to finalize the details before it goes into effect.
Speakers praised a new government mindset toward collaborating with critical partners. Morgus and Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security and former CSC member, said the federal government’s increasing efforts to declassify and quickly share information has helped get ahead of many Russian disinformation efforts.
Morgus also called for additional intelligence sharing, saying critical infrastructure operators not only want to know about threats but also — where possible — get advance notice about political decisions by the U.S. and allied nations that could prompt retaliation against their sectors.
“It’s helpful for us to have 48 hours warning when you’re about to announce that you’re issuing sanctions,” Morgus said. “It goes a long way in helping us batten down the hatches.”
CYBER SOCIAL CONTRACT VS. “WILLFUL AMBIVALENCE”
National Cyber Director Chris Inglis projected a holistic view of cyber defense.
Getting ahead of threats in a meaningful way, rather than constantly reacting to the latest incident, requires all members of society — government, corporate and residents — to take proactive roles in defense, an idea he has referred to as a “cyber social contract.”
“What I really worry about is the willful ambivalence of so many people looking at the space saying, ‘Clearly, we now see that there’s a problem’… but we imagine that it’s somebody else’s job, that somebody else will stand in and do something about that,” Inglis said.
Technology and system developers have particularly big roles to play and should design cybersecurity and resilience into their offerings from the get-go, so that the tools can be safely used by nonexperts, Inglis said. It’s a similar idea to building cars with safety features, so regular people can use them.
Such steps could avoid another incident like the one that impacted Colonial Pipeline, in which one mistake disrupted daily life for wide swathes of people. In that incident, a former employee reusing a password gave hackers the access point needed for an attack that culminated in the disruption of fuel supplies to several states — and which could’ve been much worse.
WATER AS THE “WEAKEST LINK”
The water sector’s high cyber vulnerability has been a recurring topic of concern and the focus of a January 2022 federal action plan aimed at boosting information sharing and threat detection technology adoption in the sector.
Damage from a successful attack could disrupt access to safe drinking water and quickly ripple out to other arenas, such as the electric grid, which relies on water for cooling.
Water system operators facing competing priorities can be tempted to put cybersecurity on the backburner and focus instead on other pressing issues like droughts, rising sea levels and impacts of climate change, Montgomery said. Making a change on cyber therefore means giving these operators funds specifically dedicated for that purpose, whether through grants or State Revolving Funds, he said.
He recommended heightened oversight of the sector’s cyber posture, by creating an “industry-led” regulatory framework and providing more funding to support Environmental Protection Agency (EPA) enforcement.
