Paying attention to critical infrastructure can combat sophisticated cyberattacks

Times used to be simpler. Before iPhones, Google or cloud computing, the most prevalent use of the internet 25 years ago was email. Modern cyberattacks quickly followed, as the General Accounting Office recorded 250,000 attempts to hack into computer files at the Department of Defense, which were successful about 65 percent of the time. Fast forward 25 years to the 4th Industrial Revolution: As our technology has exponentially evolved, so, too, have the attacks on our nation’s critical infrastructure.

Today, 25 years after President Clinton signed an executive order on critical infrastructure protection, our nation’s critical infrastructure is at even higher risk. The first-of-its-kind legislation was bold, albeit necessary. Today, we have a new opportunity to be bold and proactive in our approach as the systemic risks to our country’s critical infrastructure rise each day, with our growing reliance on technology combined with increasingly successful attacks. At no other time has it been more pressing to combat them — we find ourselves in a global advanced technology race with China and others.  

Critical infrastructure — made up of companies in 17 business sectors, including finance, transportation, energy and health — is routinely the target of cyberattacks with increasing veracity. The systemic risk of its failure could shut down entire swaths of American life, as we saw three months ago when Russians hacked one of the biggest gas pipelines in the United States and created dire shortages along the East Coast. 

Advanced attacks at this level are a regular occurrence. Adversarial nation-states and bad actors around the world have access to sophisticated cyber tools to carry out these criminal acts, aiming to cripple or level the playing field against us. China boasts that Western democracies are outdated and not effective compared to its rapidly evolving autocratic-capitalism society. The current acting director of the Cybersecurity and Infrastructure Security Agency, Brandon Wales, said in a recent interview that these incidents have real-world consequences and “while today those attacks have impacted Americans at the gas pump and at the supermarkets, our concern is where could this go next.”

As a whole, critical infrastructure is in a reactive mode to major cybersecurity events. It’s been this way for 25 years, but as the ongoing attacks on our critical infrastructure companies become more frequent and more impactful, we must collectively adopt a “whole of nation” stance in which we pivot to being proactive, rather than reactive. We need to act immediately and strategically to partner with all critical stakeholders to much more efficiently and effectively bring technical innovation and solutions to market. 

The White House under Presidents Trump and Biden took bold steps to begin to leverage technology innovation, education, policy and funding for cyber defenses. Their initiatives in artificial intelligence, quantum and 5G security — as called for in the White House’s National Cyber Moonshot and Congress’s Cyberspace Solarium Commission reports — further aim to defend against cyberattacks. In Congress, the bipartisan Endless Frontier Act, sponsored by Sens. Chuck Schumer (D-N.Y.) and  Todd Young (R-Ind.), is a strategic, collaborative bill that provides for rapid development and commercialization of technologies to protect and defend our critical infrastructure. 

While the federal government can lay out a strategy and put incentives, protections and policies in place to allow the private sector the freedom to innovate, it cannot be the only one with skin in the game. It is incumbent upon private-sector board members and executives to know and understand the risks to their companies — and the potential catastrophic risks to America and its consumers. Institutional investors also must weigh these corporate cyber risks, as they are starting to do with environmental, social and governance (ESG) criteria. 

It is no longer enough to direct our anger toward an adversary. Companies must be willing to adapt, to change while working with their government partners, and to bring solutions to the table unbidden and, more importantly, to see them through to implementation. We have been slowly reacting to the global cyber threats and marketplace for decades. When we all come together, as a true “whole of nation,” we can succeed by innovating for the sake of protecting critical infrastructure. 

The Critical Infrastructure Protection Act marked the beginning of this movement. Now, 25 years since the fight began, let’s commit to taking control of our collective future by protecting and defending our nation and its people.

Norman Willox is the CEO of Bluewater International, an intelligence, risk information and cyber risk investment firm, and an executive board member of Freedom House. 

Tom Patterson is the chief trust officer for Unisys and a senior fellow at Auburn University’s McCrary Institute for Critical Infrastructure Security.