What can the US learn from our allies on protecting critical infrastructure?
As the Senate Intelligence Committee and the White House begin to publicly address the SolarWinds compromise, it is essential to think about how to improve cyber defense and resilience of critical infrastructure as part of a holistic effort to improve our national cybersecurity posture. Many of us are familiar with attacks on critical infrastructure in Estonia, Taiwan, and the recent attempts to poison a Tampa Bay area water supply, but over 50 percent of gas, wind, water and solar utilities around the world have experienced at least one cyberattack within the previous year that caused a shutdown or loss of operation data. We are underprepared.
The myriad of past efforts by the Feds have moved the needle on cybersecurity but have proven insufficient, in part because of the scale of the U.S. economy and relative lack of coordination capacity with private industry; the absence of mandated cybersecurity and breach reporting standards; a lack of investment in coordination and technical agencies relative to the large number of industries and systems considered ‘critical’; and the ineffectiveness of current cyber deterrence methods.
These barriers are not insurmountable. Protecting U.S. critical infrastructure from harm will be one of the biggest mandates and opportunities for the Biden-Harris administration. As key cyber appointments are named at the White House and Department of Homeland Security (DHS), the primary agency for cybersecurity and for supporting critical infrastructure resilience, the focus on defending critical infrastructure and building resilience demands a clear and ‘whole of society’ approach that brings to bear the authorities and strengths of the federal government as well as industry.
Germany, the EU, and Australia have shown that while there are no simple answers to improving the cyber resilience of critical infrastructure, there are practical steps that may prove instructive for the incoming administration as they work to build a strategy.
To make our limited resources go further and ensure smooth coordination across the world’s largest economy, DHS must narrow its current expansive view of what it should consider ‘critical’ — or at very least reprioritize efforts to address the current threat landscape. Should every hospital network, data center, or power plant be considered critical to the nation? Should that determination be made based on a matrix of factors like scale of impact to human life, resilience, connectedness to other infrastructure, etc.?
Germany was able to prioritize effectively by setting high thresholds for when a company should be considered important enough to be critical infrastructure (Critical Threshold Value) based on the size of their customer base, industry type, and exposure to cyber risk. They also invested time and effort in identifying the most critical components of the designated sectors. As COVID-19 lockdowns have shown, our society and certain portions of ‘critical’ sectors are more resilient to smaller disruptions to services than we might have previously imagined.
The U.S. should learn from the cautionary tale of Australia’s approach, which ignored this prioritization principle and — to capture the breadth of potentially “critical” services — scoped in groceries, education and traffic management. By doing so, Australia has invited harsh criticism from its industry associations which have already called the proposed regulations “unnecessarily broad and unclear” for scoping in “a wide range of firms, many of which are small and pose no security risk.” That coupled with the U.S.’s size and connected infrastructure makes this kind of broad definition of “critical infrastructure” difficult to scale and execute against.
Mandated cybersecurity standards drive prioritization, and as the EU’s experience has shown, are important for driving cybersecurity and breach reporting as a compliance risk mitigation tactic. DHS, in coordination with sector specific agencies and industry associations, must arrive at mandatory baseline cybersecurity requirements for each sector. While some sectors have cybersecurity requirements, a review beginning with the most critical sectors — including large data centers, telcos, banks, utilities, critical government contractors and suppliers, and electoral systems — may reveal opportunities for cross-cutting compliance and reporting opportunities that can feed the kind of information and signal sharing across industries and sectors that experts are suggesting, for example the National Transportation Safety Board-like organization Alex Stamos is suggesting. Ideally, that organization would be part of CISA to feed the ongoing critical infrastructure and cybersecurity work the agency leads for the private sector and federal infrastructure.
Such mandates for cybersecurity measures in the U.S. would be incredibly hard to develop and enforce, but the U.S. could leverage the breach reporting requirements already in place for the Defense Industrial Base. A breach reporting system, at a minimum, would be a win-win for all involved as it would improve collective security for society.
In addition to the large funding packet for improving cybersecurity standards within the U.S. government and its suppliers, the U.S. could create a program modeled after Germany’s Hospital Futures Act and require a small percentage of future grant funding for critical infrastructure sectors be allocated for cybersecurity upgrades and compliance efforts.
While these suggestions aren’t exhaustive, a comprehensive review of critical infrastructure support — leveraging lessons learned from allies and past events — would provide the Biden administration an opportunity to improve cyber defense and mitigate the impact of threats to U.S. critical infrastructure. Through a multipronged approach, including cybersecurity mandates, industry partnerships, rapid coordination, and threat deterrence, the Biden-Harris administration can make tremendous progress towards a more robust cyber defense.
Camille Stewart is a Cyber Fellow at Harvard Kennedy School’s Belfer Center for Science and International Affairs. She served as senior policy adviser for cyber infrastructure & resilience policy at the Department of Homeland Security under President Obama. Follow her on Twitter @CamilleEsq
Arjun Bisen is a Fulbright scholar, technology policy advisor, former Australian diplomat, and affiliate of the Technology and Public Purpose Project at Harvard Kennedy School’s Belfer Center for Science and International Affairs. Follow him on Twitter @ArjunBisen1