In February 2012, the first significant attempt to set mandatory cybersecurity requirements and response plans for critical infrastructure was introduced in Congress. Unfortunately, it was watered down to voluntary standards and failed in the Senate. Opponents of the bill cited fears of overburdening regulations on companies and warnings of over-simplistic box-checking and minimum compliance. Business groups championed the narrative of big government to ensure the bill’s demise — and that narrative persists to this day.
Since then, the threat landscape has continued to evolve, so much so that our nation has suffered disruptive and deadly cyberattacks, signaling that the system is stressed and the warning lights are blinking. As a result, the Biden administration has issued emergency security directives for pipelines and launched an initiative to address water and wastewater cybersecurity, both of which are expected to garner significant pushback from their respective industries. Still, we’ve come no closer to mandating cybersecurity standards for the breadth of our critical infrastructure by Congress.
As the COVID-19 pandemic and climate change portend, we no longer find ourselves in a time of rare or infrequent disasters. Rather, we must expect and plan for these disasters, including living with them. Cyberattacks will continue and grow in intensity, frequency, and sophistication. To deal with them, we must reframe the debate on regulation legislation from discussions about burdens on the private sector and the reach of big government to one that demands pragmatic protections and consequence planning regardless of the likelihood of a breach.
WHERE WE’RE STUCK
Our nation is currently stuck in a debate about how to protect the public from cyberattacks. This stems from the design of US legal and economic systems and ownership and use of the networks that comprise the Internet. More resources are freeing up to help secure our critical infrastructure, especially at the state and local levels. But in the absence of mandates, the market hasn’t forced security adoption or preparedness across the board as hoped. While the private sector arguably has equities regarding market competition and corporate liability (which are genuine issues to consider), does such a chasm exist when considering the public safety consequences of a breach?
Our cybersecurity focus has traditionally centered on “left of boom” efforts: those that seek to buttress protections against an intrusion and our responses to such an action. While these “left of boom” activities are vital, we must also assume the breach and make the “right of boom” investments about how a company will respond, lead, communicate, and protect physical assets. The “boom” could be any type of cyber breach: insider, ransomware, or a sophisticated nation-state actor.
The ransomware attack on Colonial Pipeline, which happened one year ago last month, is illustrative in this regard. Colonial Pipeline was the victim of an attack by a relatively new group — one that probably was done without the intended impact — and after paying the ransom, found that the attackers did not provide workable fixes. At some stage, Colonial’s only solution — since its operations were tied to the hacked network — was to close down its energy distribution for nearly a week. While it may have done much to try to stop an attack, such as paying to mitigate its consequences, no system that the public is so dependent on can be called sophisticated if its only response plan is an on/off switch.
Instead of aligning with one side or the other — either pro-government or pro-business — cybersecurity stakeholders in the public and private sectors must take a different approach: to shift the narrative to public safety and disaster prevention and response. Shifting the narrative and its ensuing activities brings everyone to the table to work together and figure out how to tackle the problem instead of driving them into their separate corners. It will also help broker trust on both sides to allay concerns of government overreach and address private sector needs. Since the Biden administration and Congress have a renewed focus on cybersecurity, now is the right time to revisit this debate.
LUCK ISN’T ENOUGH
In the past decade, the United States has witnessed a surge in the number of cyberattacks (to the tune of thousands per day that we know about) where nation-states and criminal organizations have impacted our public safety and essential systems through breaches and disruptions. For those keeping count, these breaches include the espionage campaign against the software company SolarWinds by Russia’s intelligence arm that gave them access to the National Nuclear Security Administration networks; ransomware attacks on the nation’s food supply; the theft of billions of dollars in US intellectual property and the personal data of 80% of American adults by China; and an attempt to shut down a dam in New York and Boston Children’s Hospital by the Iranians.
Yet, the United States has been relatively lucky so far, especially considering constant ransomware attacks on companies, schools, and state governments and ongoing warnings to critical infrastructure to stay vigilant against the threat of destructive cyber operations during Russia’s war on Ukraine. Most recently, the cybersecurity industry discovered two new malware families designed to attack industrial control systems — the systems and devices that translate computer commands into physical action to monitor, control, and safeguard things like water treatment plants, energy power stations, and gas pipeline pumping — before they had a chance to infect machines within the United States. Thanks to the tireless efforts of people who defend our networks in the private sector and the government, the discovery was made before infection.
Unfortunately, we don’t know everything that may lurk inside our networks — cyberspace offers some stealth and reach — and we cannot always rely on the last line of defense to ensure public safety. Moreover, disruption can have major impacts on people: sowing chaos or panic, limiting access to information and assets, and cutting off services and supplies. We must make adversary and criminal cyber operations and the resulting impact less harmful for Americans. Therefore, we must require greater protections on one end and better preparations for the breach on the other — and we need to work together instead of at odds with each other.
A CALL FOR CHANGE
Most US critical infrastructure is owned and operated by the private sector or at the state and local level, which means those organizations are responsible for the security and continuity of essential services. Put differently, the US government — composed of the intelligence community, the military, the FBI, and even the Cybersecurity and Infrastructure Security Agency — does not and cannot stand guard on those networks. Instead, we rely on small, understaffed, and under-resourced organizations to secure our public safety systems — our towns and our data, the things that underpin our daily lives and well-being.
Moreover, we often fail to realize that critical infrastructure is often interrelated. For example, the financial sector is often cited to be the most resourced and guarded against cyber threats, but the sector relies on energy to power it. And the energy sector relies on the water sector to operate its plants. And the water sector is shockingly insecure. In 2021 the Water Information Sharing and Analysis Center released its annual Water and Wastewater Systems State of the Sector report. Among other jarring statistics, the Water Information Sharing and Analysis Center reports that 59% of respondents performed cyber risk assessments less than annually or not at all. Still, 25% of respondents had no plans to conduct cybersecurity protection efforts. We cannot allow the security of our critical infrastructure to be addressed unevenly and in silos.
The nation’s top cyber leaders, including the National Cyber Director Chris Inglis, note that public safety simply cannot depend upon market forces. And more than that, safety has always been a requirement, not a request. And that’s what we should expect in cybersecurity. However, we must not fall into the one-size-fits-all trap and meet the minimum standard box-checking. Congress could, for instance, pass a law authorizing the Cybersecurity and Infrastructure Security Agency to set the standard for cybersecurity definitions and allow the agency to update them as the threat landscape and business models evolve. A law could also authorize each Sector Risk Management Agency to create and enforce sector-specific rules on security and cyber disaster response with industry input using the Administrative Procedure Act framework, which is the standard process by which federal agencies can develop and issue regulations. Moreover, each Sector Risk Management Agency could create its unique advisory boards with ample participation from private industry. Doing so would help ensure that regulations keep up with the pace of technology and threats and are tailored to each sector’s unique needs.
RECREATING THE CYBER NARRATIVE
The additional focus on right-of-boom efforts will require deepened collaboration and trust between the government and the private sector. As part of the Infrastructure Investment and Jobs Act passed in 2021, the Cybersecurity and Infrastructure Security Agency will receive $20 million over the next six years for the Cyber Response and Recovery Fund, which would not only provide funding in the event of a major cyber incident but would also empower the agency to coordinate response efforts — a crucial development. Using its existing regional office framework, the Cybersecurity and Infrastructure Security Agency can ramp up its outreach to the private sector and the states in those regions to ensure the relationships and trust are in place now.
At the strategic level, the 2021 National Defense Authorization Act (NDAA) stipulated that the president must create a Continuity of Economy plan detailing how elements of our economy — especially our critical infrastructure — will recover from a “significant cyberattack that would potentially harm the national security interests, foreign relations, or economy of the United States or the public confidence, civil liberties, or public health and safety of the American people” within two years. Unfortunately, there hasn’t been much progress (though this may be a task for the newly created and still-being-staffed Office of the National Cyber Director). While some states have or are working on plans and regularly exercise them, this is by no means a guarantee across the nation. There is much work to be done in this regard, and it will require all states and critical infrastructure operators to come to the proverbial table with the federal government to create comprehensive cybersecurity, business continuity, and disaster response plans and exercise them regularly at all levels.
We have to break out of the old narrative that cybersecurity regulations and disaster planning are hallmarks of big government overreach. Even conservative cybersecurity leaders agree that we must make a paradigm shift. Let’s not wait for “the big one” to rally around the mission, looking back and thinking, “if only we had done more” to save lives and ensure public safety and economic resilience. As experts on Continuity of Economy write, our adversaries “must believe — because they know we have planned for such an occurrence — that we will quickly recover and impose consequences. That is the hallmark of real deterrence.” And deterrence is a never-ending necessity because the devil never sleeps.
Juliette Kayyem served as an assistant secretary for homeland security under President Barack Obama, is a senior lecturer and the faculty chair of the homeland security program at the Harvard Kennedy School, and is a national security analyst for CNN. She is the author of “The Devil Never Sleeps: Learning to Live in an Age of Disasters.”
Lauren Zabierek is the Executive Director for the Cyber Project at the Harvard Kennedy School’s Belfer Center for Science and International Affairs. She is a veteran and former civilian intelligence analyst and has completed multiple warzone deployments. She is also the co-founder of #ShareTheMicInCyber, an online movement dedicated to dismantling systemic racism in cybersecurity.