Private companies need federal support to protect our critical infrastructure
Securing the nation’s critical infrastructure is a Herculean task, one where failure can lead to massive economic disruption beyond the most recent indignity of runs on gas stations, or now the potential for meat shortages. Because of these stakes — and the ever-increasing sophistication of adversaries — we must and can take decisive action to shore up defenses.
Cyber attacks are hitting hospitals, municipal governments and manufacturers — and, as has been in the news more recently, our food supply and our pipelines. These attacks often operate across borders with encouragement, if not outright support, from adversaries such as Russia and China.
During my tenure leading the U.S. Attorney’s Office in Pittsburgh during the Obama administration, we disrupted the global Gameover Zeus Botnet and the Cryptolocker ransomware scheme that had stolen millions of dollars from people and businesses, and we brought charges against the administrator of the enterprise. We did other ransomware cases, as well. The threat has only continued to escalate.
The U.S. too often has left protection of critical infrastructure to the private sector, but those companies need more decisive support from the federal government to ensure the public’s safety.
The case for action is strong: We have seen countless cyber attacks in recent years. Attacks such as those on JBS, Colonial Pipeline, and the 2020 breach involving SolarWinds and others highlight the risks to sensitive supply chains and government systems. The general decay and disrepair of American infrastructure adds another layer of concern.
Past approaches too frequently relied on the private sector as the frontline of cybersecurity defenses without imposing commonsense, mandatory standards. Take Colonial Pipeline: An outside 2018 audit of the company found “glaring deficiencies and big problems,” including with its data theft prevention. Despite these findings, Colonial was free to decide on its own whether to improve its systems because the pipeline industry has not faced mandatory federal cybersecurity standards.
Nor have other elements of our critical infrastructure (such as dams, health care and wastewater plants) faced such standards. Election systems, which are essential to the functioning of our democracy, and the vendors who provide them face scant federal regulation and only voluntary federal standards for voting machines; other elements such as electronic poll books and voter registration databases escape federal oversight.
We need government leadership here, just as we need private sector action alongside public efforts. Those working with the federal government should meet cybersecurity best practices: robust incident reporting, compliance with strong cybersecurity guidelines, and more. President Biden’s recent executive order is precisely the kind of decisive action needed to protect federal cybersecurity, and I applaud the creation of the Cyber Safety Review Board, which will review cyber events much as the National Transportation Safety Board (NTSB) has done for transportation. Yesterday’s news from the Department of Justice that much of the ransom paid by Colonial Pipeline has been traced and recovered is welcome progress in the effort and need to impose costs upon hackers.
So much of our infrastructure is run by private vendors, and our supply chains rely extensively on private (often foreign) companies. We should subject such entities to rigorous cybersecurity reviews before they earn our trust — security is only as strong as the weakest link. For those involved in critical infrastructure, we must craft and implement mandatory federal requirements to ensure a baseline of cybersecurity and readiness. As of May 28, the Transportation Security Administration is now doing exactly that for pipelines, something we ought to see across sectors, leveraging existing oversight expertise and aiming for consistency with existing requirements. We also would be wise to rein in outsourcing and bolster our domestic manufacturing base to reduce national security threats while building back good manufacturing jobs.
To be sure, some may balk at any added costs of federal requirements. But those objections are short-sighted. We cannot afford to shortchange cybersecurity and risk another disruption to our energy supply or a compromise of federal systems. And we can look to infrastructure sectors such as defense, nuclear and bulk electric power to learn from existing federal requirements.
Our country cannot afford inaction. We know the risks and costs of cyber attacks, and we must be willing to act now. The Biden administration is energized to beef up our cybersecurity, but it must be met with support from Congress and the private sector — and a commitment to do what is necessary to protect the American people and our economy.
David Hickton is the former U.S. Attorney for the Western District of Pennsylvania (2010-2016), the former staff director and senior counsel to the House Select Subcommittee on the Coronavirus Crisis (2020-2021), and professor of law and founding director of The University of Pittsburgh Institute for Cyber Law, Policy, and Security (2017-present).