The views expressed by contributors are their own and not the view of The Hill

The cybersecurity of the infrastructure – A challenge and an opportunity


Twenty years ago, the notion of national infrastructures enabled and endangered by the internet would have been hard to imagine. Today, it’s hard to remember a world without Internet-Protocol (IP) enabled banking, health care, entertainment, even our increasingly “smart” energy and transportation systems. IP technology surrounds us, and while we have grown more capable in developing that technology into infrastructures, we continue to fall behind in protecting our work.

Our adversaries have noticed. The use of offensive computer operations tools against the Ukrainian power grid, the explosion of a German steel mill’s blast furnace, and ransomware unleashed against San Francisco’s public transportation system show how vulnerable critical infrastructures have become.  A 2016 attack against France’s TV5 shut down the network’s 12 channels.  A cyber attack against Aramco destroyed the hard drives of 75 percent of that company’s computers. Suspected malware on the laptop belonging to an electric utility employee demonstrated how vulnerable critical infrastructure like electric power is to even the most basic cyber attacks.

Why is this happening? Cybersecurity exploits and attacks are within reach of many countries and of some armed movements that cannot realistically mount physical attacks against the United States and its allies. The theft of information, or damage to information systems, represents behavior short of war, not always likely to be subject to retaliation. The challenge of attribution significantly complicates a decision to retaliate, while giving the aggressor significant freedom of action. We may not be seeing “cyberwar,” but we’re certainly seeing a rising level of cyber conflict and normalization of cyber weapons as instruments of statecraft, the pursuit of a country’s national interests without armed conflict.

What we need:  We must place as much emphasis as possible on the cybersecurity of the IP-enabled critical infrastructures. We should increase research and development to understand the cyber vulnerabilities of these infrastructures and develop tools and techniques that make them more secure and resilient.  Infrastructure investments should include analysis of current, emerging, and prospective cyber vulnerabilities and account for the resources necessary to manage those threats.  While such vulnerabilities and threats can never be eliminated completely, we can, through astute risk management, achieve a level of confidence that allows us to know that our infrastructures will endure, and that they will be sufficiently resilient to maintain their capacity to serve us.

Getting there:  Some steps are underway. Companies such as ABB are conducting research and analysis on the cybersecurity vulnerabilities and features of the power grid.  A “smart grid consortium” among the U.S. Department of Energy’s National Laboratories is conducting research on ways to build a new, more secure national electricity infrastructure.  Some experts have even called for a separate, secure, Internet-like infrastructure to serve the nation’s critical infrastructure.

All of these steps are necessary, but they’re not yet sufficient. Now, at the advent of a new federal administration focused on large-scale change and significant infrastructure investment, there is a real opportunity to alter the narrative. Consider the following:

  • Cyber Investment Tax Credit. Congress routinely creates economic incentives for corporations to pursue certain beneficial activities, a measure overdue for investments in cybersecurity and resilience, especially those in direct alignment with government and industry standards.
  • Cyber Qualification for Infrastructure Investment. As the incoming administration evaluates infrastructure investments, it should enforce cyber standards for every project. Anything that connects to a network must include a comprehensive plan for protection.
  • Dedicated Budget Allocations. Those making investments to rebuild our national infrastructures, and those who represent the public interest in approving such investments, should consider steps that embed cybersecurity. For example, if we plan to spend $1 trillion on infrastructure, the cost of embedding the cybersecurity necessary for greater resilience might range from three to five billion dollars. If ten percent of the infrastructure investment is used for information technology, then three to five percent of the information technology investment would be used for cybersecurity, following the rough rule of thumb used in industry to allocate cybersecurity resources within IT investments.

It should be possible for the world’s greatest country to develop a national infrastructure investment scheme that ensures enough funds are made available to harden and make more resilient the country’s critical infrastructures. Congress, the White House, and the private sector must work together to make possible this investment in critical infrastructure cybersecurity and resilience.  Indeed, the failure to do so would represent a negligent regard for our national interest and a boon to our adversaries. Let’s not let that happen.

The author is Senior Vice President and General Manager, Cybersecurity and Resilience, ICF, and former Chief of Signals Intelligence Programs, National Security Agency.



Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.