The United States is reeling from yet another major cyber attack, this time on the Colonial Pipeline — a key piece of our critical infrastructure — by a ransomware gang from Eastern Europe. Much ink has been spilled on the specifics of the attack and the attackers, but unlike the SolarWinds operation discovered earlier this year, this attack was felt acutely by everyday people, with gas shortages causing travel delays and frenzy at the gas pumps.
The ransomware attack underscores our vulnerability to cyber attacks not only in our utility systems, but also in our schools, governments, and hospitals. President Joe Biden’s recent Executive Order on Improving the Nation’s Cybersecurity promised to “make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” He should make good on that promise by adding cybersecurity requirements and incentives to his infrastructure bill.
THE THREAT AND OPERATING ENVIRONMENT
For years, security experts have sounded alarm bells over vulnerabilities in our critical infrastructure — the information and operational systems that, among other things, keep our energy on, oil and gas flowing, and our water running. To understand why we’re so vulnerable, we have to look at the threat environment and the operating environment. The threat environment continues to worsen with cyberattacks numbering in the millions every day — by nation states, criminals, and malicious hackers with increasing sophistication and scale.
The operating environment is poised for enhancements. The energy sector — just one of the 16 critical infrastructure sectors — is working to meet stricter cybersecurity standards. However, the high cost of cybersecurity, coupled with differing state regulations and federal oversight, and a patchwork of technology upgrades among legacy systems, has made our utilities and critical infrastructure especially susceptible to cyber attacks. For example, in a recent Government Accountability Office (GAO) report, public utility commissioners from three states reported three different legal mechanisms for incorporating cybersecurity into their oversight responsibilities: increased authority to ensure best practices, management of audits, or review of utilities’ response to incidents.
SETTING THE RIGHT PRIORITIES
Most critical infrastructure is owned and operated by the private sector, which can’t change the threat environment; that is the federal government’s job. But change can be made within the operating environment with the private sector’s help. The question therefore becomes: how do you get companies to make security a greater priority?
Part of the answer must come from the federal government in the form of regulations. As security expert and Belfer Center Cyber Project fellow Bruce Schneier recently wrote, “There is no good reason to underspend on security other than to save money.” We need to make strong cybersecurity programs cheaper than the alternative — namely litigation and/or the costs of remediation. Rather than navigate the myriad state and federal regulatory requirements that result in an uneven security landscape, let’s raise the bar across the country, develop frameworks for safety and security that can evolve with changing threats, and create a body that can consolidate, certify, and enforce standards for — at the very least — what we identify as systemically important critical infrastructure. The chairman of the Federal Energy Regulatory Commission has called for mandatory standards, and according to a recent survey, many utility operators would welcome strengthened cybersecurity requirements.
This isn’t a foreign concept; the federal Consumer Product Safety Commission and Federal Trade Commission set and enforce consumer safety and protection frameworks. Over time, Americans have become safer from fraudulent and deceptive products as a result. We should expand those protections to increase Americans’ safety as consumers of energy, gas, and water against disruptions caused by breaches and cyber attacks in the critical infrastructure operating environment.
But along with regulation must come incentives to help offset the costs of cybersecurity programs and address liability. While the Biden administration has launched a 100-day review of electric grid cybersecurity, the review should be expanded to cover all utilities to better understand the operating environment. It should also examine how sector security agencies (like the Transportation Security Administration, which is responsible for pipeline security) can be better resourced to work with their private sector constituents.
The Cyber Solarium Commission noted that privately and publicly owned utilities fear liability in working with the government during a cyber emergency, and subsequently recommended legislation to protect them from liability when taking action as directed by the federal government. Moreover, many states require utility companies to request reimbursement for investments in security, adding an extra burden to an already complex process. Incentives like tax credits or direct funding would help greatly — much like Congresswoman Yvette Clarke’s State and Local Cybersecurity Improvement Act, which would make $500 million available in grants to state and local entities that submit cybersecurity plans to the Department of Homeland Security. But the federal government needs to create provisions to ensure that the grant distribution process for critical infrastructure operators is quicker and easier; otherwise, delays and red tape could blunt the grants’ effectiveness.
Requiring security-by-design as the foundation of companies’ operations — not just in the utilities and energy sectors — will lead to long-term financial success and increased collective security. A great place to start is the Biden administration’s proposed infrastructure bill, which recommends over $2 trillion in capital improvements to transportation, the supply chain, the environment, and the energy sector, all of which are vitally important to our nation’s resilience.
Currently there is no mention of cybersecurity in the plan, which is surprising, given the cyber risks to critical infrastructure. Indeed, the plan recommends revitalizing the nation’s digital and power infrastructure — by expanding broadband access and building resilient electrical grids — and securing supply chains. These provisions are important, but cybersecurity requirements as part of these systems’ design and implementation must be added in before the bill goes to the floor so that we can secure this new infrastructure and improve our nation’s resilience.
DUTY OF CARE
The Colonial Pipeline attack is yet another symptom of a broader, more insidious problem facing our nation. As former Department of Energy senior cybersecurity official Sean Plankey recently remarked, “the federal government has a ‘duty of care’ to its citizens,” which means that the government must address both the threat and operating environments, in which the private sector is a key stakeholder. Certainly regulations and incentives are not a panacea; more action must be taken to get more people hired, improve information sharing and collaborative defense, and address the threat environment through military, diplomatic, and intelligence activities. But part of that duty of care is raising the standard of security among our critical infrastructure sectors, incentivizing companies to make security a priority, and requiring cybersecurity by design as a foundational part of this infrastructure.
If we don’t, we’re failing our nation.
Lauren Zabierek is the Executive Director of the Cyber Project at Harvard Kennedy School’s Belfer Center.