Let experts prioritize threats to nation's critical infrastructure

Let experts prioritize threats to nation's critical infrastructure
© Getty Images

Recently, President TrumpDonald John TrumpThe Hill's Morning Report - Sponsored by AdvaMed - House panel expected to approve impeachment articles Thursday Democrats worried by Jeremy Corbyn's UK rise amid anti-Semitism Warren, Buttigieg duke it out in sprint to 2020 MORE signed an executive order, requiring the federal government to take steps to protect the nation’s critical infrastructure from the threat of an electromagnetic pulse attack, or EMP. To most Americans, this decision probably sounded like a good use of government resources — after all, who wouldn’t want our nation protected from an EMP, which could destroy anything with a circuit board, including computers and our electrical grid?

However, most professionals who work to protect our critical infrastructure, understood that this was at best an empty gesture, since we don’t have the financial resources to harden huge networks like our national electrical grid against very low probability events, like EMPs. Or, at worst, the announcement was a wasteful order that would divert limited resources away from more realistic security threats.  

ADVERTISEMENT

Keep in mind, a devastating EMP attack would be caused by a large nuclear device being detonated miles above the earth. Only a handful of countries — and no non-state actors — have access to intercontinental ballistic missiles and nuclear devices capable of launching an EMP attack. If they did launch an EMP strike, it would almost certainly be part of a massive nuclear exchange, meaning our electrical grid would be the least of our worries.

And, again, there are real and present threats to our electrical grid — happening right now in the form of cyber-attacks.

The sheer range and potential impact of different cyber-attacks should be a concern for all Americans. Seemingly every week, a new vulnerability is discovered or espionage incident revealed, which prompts government agencies and businesses to freshly examine their cyber risk exposure.

While we all must stay vigilant and continually monitor new threats, let’s start with what legitimately keeps cybersecurity experts up at night. For example, the NotPetya wiper ransomware event in July 2017, was a game-changer by demonstrating the devastating financial impact of a business interruption cyber event, particularly in terms of lost revenue and the extra expense incurred in recovering from the attack.

The more recent “LockerGoga” ransomware that shut down Norsk Hydro, a prominent aluminum and energy manufacturer, is another costly example. Similarly, increasingly, sophisticated malware targeting critical infrastructure providers are a real concern.

Professionals charged with protecting America’s critical infrastructure are faced with the daunting challenge of hardening key assets against both known vulnerabilities, as well as new risks, threat actors and malware variants that will inevitably be developed. Properly balancing these priorities can be done, but if we don’t dedicate resources to the most realistic threats, it runs the risk of becoming an unbearable tax on America’s economy.

To responsibly manage this threat, while also living in the real-world of limited resources, companies that manage America’s critical infrastructure need to rely on trained experts to prioritize cyber threats and avoid undue focus on doomsday threats like an EMP event that simply cannot be prevented.

Also, not all cyber threats are equal, and companies need to build and maintain resiliency plans that offer a risk-reward that best protect their operations and bottom line. By planning, testing, patching, quantifying their risk exposure, purchasing cyber insurance, and identifying key outside vendors to engage in the event of a cyber-attack (such as forensic experts and a breach coach), there is much that companies can proactively do to lessen their cyber risk exposure to legitimate threats and increase resiliency. 

By contrast, there is virtually nothing businesses can do to mitigate an EMP strike’s impact. Spending billions of dollars to protect against such a black swan event would be a gross mismanagement of funds that companies dedicate to combat cyber threats. In actuality, allocating limited financial resources to the least probable of cyber risks, as opposed to more likely ones, may make companies employing these misguided strategies notably less safe.

Private sector security experts can best serve their companies and communities by tuning out the hype and, instead, focusing their limited resources on steps that will legitimately optimize our cyber resiliency for the here and now. 

Jeffrey Batt advises companies on cyber risk and related insurance solutions. Jeffrey also teaches as an adjunct on cybersecurity governance for a business school in Washington, DC, and was a national security lawyer at the U.S. Department of Defense from 2010 to 2016. The views expressed are his own.