With distance from the 2016 presidential and Congressional races, we are beginning to gain perspective on the challenges that lie ahead, including the cybersecurity of our nation’s critical infrastructure.
Just last month, D.C.’s police surveillance cameras were temporarily disabled due to a ransomware attack. From unsecured cameras on the Internet of Things, to our nation’s vulnerable power grid, to the 29 million electronic health records breached from 2010 to 2013, we consistently underestimate and under-resource the cybersecurity challenges our nation faces.
We propose three actions that address the critical cyber vulnerabilities our nation faces:
1. Honestly evaluate our strengths and weaknesses
The first thing we must do is take an apolitical and objective approach to evaluating the cybersecurity of our nation’s critical infrastructure sectors, and identify those with relatively strong defenses, as well as those in dire need of enhanced capabilities.
Our nation’s cybersecurity posture will only be as strong as our weakest links, particularly given the increasingly-interconnected nature of electronic systems.
Assessment of critical infrastructure sectors must also emphasize clear metrics for success and failure. These metrics must also be comparable across sectors so that — once achieved — a capability baseline can be used to assess the efficacy of solutions deployed in different critical infrastructures and jurisdictions.
One example, the healthcare sector has been significantly under-resourced with respect to cybersecurity. The sector contains extremely critical information and IoT devices that could be used for a wide range of attacks against individuals (e.g., assassination, medical fraud, blackmail, identity theft, etc.).
These threats come in equal part from insiders and external attackers, and a detailed profile of how to combat each type of threat in a sector-specific context is essential.
2. Empower the private sector
All too often, a maintenance of the “status quo” is the norm in information security, as budgets decrease or remain flat, and incentives for change are minimal within institutions.
The federal government has an opportunity to incentivize the rapid development and deployment of new and needed technologies, such as those that use artificial intelligence and machine learning, to augment the capabilities of security and privacy teams.
Our significant cybersecurity workforce shortage can be partially offset by increasing productivity, a source of much of the wealth generated by America in last 50 years, leaving more advanced and high-value investigations and remediations to human experts.
In addition, it’s important for all sectors to be made aware of the significant improvements that have occurred in sectors other than their own.
Security professionals in some industries are often unaware of advances that have occurred in other fields, with distinct and non-interoperable “silos” and standards forming in each industry. Harmonizing sectors to national standards, driven by private-sector expertise, and public-sector funding of research, will help establish an objective baseline for all industries.
Forums for cross-pollination of techniques and technologies across industries are important. For example, detailed analysis of user behavior to look for abnormal behavior is much more common in financial services and national security than it is within the energy or healthcare sectors.
It’s time to be audacious — the federal government can put its money where its mouth is, devoting a part of the one trillion dollars being currently discussed to our cyber infrastructure, in addition to our physical infrastructure.
3. Facilitate continuous information-sharing
We need the ability to safely, securely, and anonymously share information about the threats that institutions face, without fear of reprisal or competitive detriment. Right now, information-sharing between sectors is patchy, and in many areas, nearly non-existent.
To facilitate cooperation, we need more flexible institutions like the Information Sharing and Analysis Centers (ISACs), that provide two-way sharing of information between private and public sector actors. It is important to note, however, that these efforts have often focused exclusively on external threats, rather than patterns of criminal or malicious activity within enterprises that oftentimes present the most personal threats to American citizens.
By broadening the scope of information-sharing, as well as creating coordinating bodies that direct the flow of information as appropriate, public-private partnerships can continue this positive trend of greater transparency and more effective response.
The way forward
Whether we like it or not, we are all in this cybersecurity effort together.
Like Eisenhower’s push to create the interstate highway system, which both fueled innovation and provided new national security capabilities, today’s cyberspace underpins everything from our nation’s energy transmission and national defense, to our individual citizens’ financial and physical wellbeing.
In a world where organized crime and adversarial nation-states may have all-too-easy access to our nuclear plants or our patients’ pacemakers, we must foster the public/private partnerships that keep America one step ahead.
Robert Lord is a fellow at the Institute of Critical Infrastructure Technology, a next-generation cybersecurity think tank. He is also the Co-Founder and CEO of Protenus, the world’s leading proactive patient privacy analytics platform. Protenus provides a patient data cybersecurity platform to our nation’s top healthcare systems.
David Mussington is a Senior Fellow at the Center for International Governance Innovation (CIGI) and is also the Director, Center for Public Policy and Private Enterprise, University of Maryland. He is an expert on issues centered around cybersecurity, cyber-defense and cybercrime.
The views of contributors are their own and not the views of The Hill.