Just over six months ago, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act (CISA), created to better protect the nation’s critical infrastructure from physical and cyber threats – a mission requiring coordination and collaboration among a broad spectrum of government and private companies.
It’s still early, but not too soon to pose the question of whether CISA will amount to much. I prefer not to be a pessimist, but I don’t see an alternative in this case. I doubt we’ll see much in the way of tangible results. The federal government’s track record regarding cybersecurity is poor, particularly when speed is of the essence. Too often, legislation and other mandates prove ineffective, and the amount of authorized spending is inadequate.
The Cybersecurity Act of 2015 – the first major piece of Congressional cybersecurity legislation – called upon businesses, government agencies and other organizations to share information about cybersecurity threats in the belief that this would help players better identify and defend against cyber attacks. It was a bust. In the end, little information was shared and most technology companies, fearful of insufficient protection of consumer identities, declined to participate.
President Trump’s Cybersecurity EO also underwhelming
More recently – roughly two years ago – the President engendered enthusiasm in some quarters when he signed a cybersecurity executive order (EO), in large part to better protect critical infrastructure nationwide, such as energy plants, the electric grid, airports, and banking and finance. The upshot has been much the same. (According to a March story in The Washington Post,) More than three-fourths of digital security experts recently surveyed by The Cybersecurity 202 said the nation’s critical infrastructure is no safer from cyberattacks today than when Trump signed the EO. Federal agencies have moved at a snail’s pace in supporting the mandate, still mired in their early stages.
As for CISA, its “creation” is somewhat exaggerated. It fundamentally represents a rebranding and reorganization of a predecessor agency called the National Protection and Programs Directorate (NPPD). The missions are about the same but CISA, now empowered as a federal agency, has more funding and supposedly more authority to impose directives. Theoretically, this should make a difference, albeit funding remains constrained.
Such desultory progress and the relative lack of government support has become increasingly dangerous as our physical infrastructure becomes increasingly digitized and hence vulnerable to cyber attack. Russian hackers, for instance, have for years tried undermining U.S. electrical infrastructure and successfully cut off power to hundreds of thousands of Ukrainians in 2015 and again in 2016.
Cybersecurity infrastructure mostly in the hands of private companies
About 85 percent of critical infrastructure in the U.S. is owned by the private sector, forced to take on most of the financial burden of cybersecurity. Unfortunately, companies have not been particularly successful in curbing attacks. A recent survey of professionals in the industrial control systems industry by Ponemon Institute found that 90 percent of respondents have been victimized by cyber attacks in the last two years. Many have been victimized twice.
The upshot is obvious: Critical infrastructure is the core of our nation’s prosperity and is being threatened, increasingly because the need for a public/ private sector cybersecurity partnership is not being realized.
To be sure, private companies share part of the blame. A year ago, a Kaspersky Lab report on the state of industrial cybersecurity found that only 23 percent of companies using industrial control systems complied with mandatory industry or government guidance and regulations. Many companies did not even detect or track attacks.
Nonetheless, government inaction has increasingly forced companies to take infrastructure protection and other types of cybersecurity more seriously, laying out hundreds of billions of dollars in recent years. Bank of America and JP Morgan Chase each spend about $500 million annually. Meanwhile, federal cybersecurity outlays continue to lag, with some estimates projecting it will reach only a meager $22 billion by 2022.
How to begin fixing things
A big reason why companies need more financial help is that much of our national infrastructure was designed to be functional but only minimally secure against cyber attacks. So cyber defenses often must be built from scratch.
In my view, a five-pronged strategy – in addition to a greater outlay of government funds -- can begin fixing things.
It includes these steps:
1) The government should define a level of expected cyber resiliency and produce a methodology to protect it.
2) The government should also help to create a clearing center for the implementation of best practices in grid security.
3) In tandem with this, the feds should begin building a private/public sector partnership, initially by persuading the private sector to proactively innovate cybersecurity measures in concert with the government. In one step along these lines, the government has been awarding nearly $30 million in private sector grants to foment innovation and greater cybersecurity to protect the nation’s power grid, oil pipelines and other energy infrastructure.
4) The government should also set standards of performance and hold industry accountable.
5) Lastly, the government needs to form an industrial bank to provide long-term financing to utilities that need it. Many smaller utilities today have neither the financial nor technical resources to become secure without substantial help.
Another positive step – one already in place – is growing awareness of the imperative to not only improve infrastructure cyber defense but to do so expansively. This means better securing not just, say, airports and the energy grid, but also our elections.
To this end, scholars from Stanford University this month released a comprehensive strategy to protect the integrity and independence of U.S. elections.
Election Security also needs improvement
The report, “Securing American Elections,” draws in part on findings from Special Counsel Robert Mueller’s investigation into Russian government efforts to influence the 2016 presidential election, arguing that this was an attack on fundamental American values. The authors of the 108-page report, including former Facebook chief security officer Alex Stamos and Michael McFaul, U.S. ambassador to Russia during the Obama administration, have created 45 recommendations, ranging from securing voting systems and combating online disinformation campaigns to negotiating major election security standards.
In an ecosystem of both physical and digital connectivity, there will always be vulnerabilities. Breach or failure could be catastrophic. So successfully stifling breaches is essential. We need to do more via a public/private partnership because there is little room for error, threats are rising and heightened financial wherewithal is required. Let’s get moving once and for all.