October 17, 2018
On October 17, 2018, the Atlantic Council’s Cyber Statecraft Initiative hosted a public panel discussion on the security of US critical infrastructure as a part of its Cyber Risk Wednesday event series, underwritten by Raytheon. The vital nature of critical infrastructure to the nation’s security, prosperity, and well-being render it a key target to malicious actors in cyberspace. As the sophistication of attack technology grows, the US and its strategic partners must ensure a resilient critical infrastructure system or will be outpaced by threat actors.

The panel, moderated by Cyber Statecraft Initiative Director Klara Jordan, disagreed on whether there needs to be a reconceptualization of how the US views critical infrastructure. Ms. Spaulding, Senior Adviser for the Homeland Security Program and International Security Program at the Center for Strategic and International Studies, argued that it was necessary to move towards a “functional approach,” as “what we care about is not the computers, it’s not the IT networks, it is what they enable. It is the functions that are dependent upon those systems and networks.” Such an approach would allow agencies such as the Department of Homeland Security (DHS) to, firstly, prioritize those of the 16 critical infrastructure sectors that, if compromised, would lead to the most severe consequences, and secondly, expand their thinking of how to manage those consequences. On the other hand, Mr. Costello, Director for Strategy, Policy, and Plans within the National Protection and Programs Directorate at the US Department of Homeland Security; felt that movements to a functional approach weren’t a “reinvention or reconceptualization of the 16-sector model,” rather it was about zeroing in on where those sectors overlap.

Nevertheless, panelists agreed that shoring up US critical infrastructure was not a job for the government alone. Actions by DHS, such as creating the National Risk Management Center, were seen as a positive step in establishing the cross-sector relationships and encourage collaboration between the government and private sector. A further recommendation was for the agency to create a strategic infrastructure executive committee to bring together CEOs from across various industries. As critical infrastructure becomes increasingly interdependent, and vulnerabilities are shared across sectors, leveraging private sector knowledge and information-sharing capabilities will be a valuable tool. Additionally, Ms. Frye, Director for Cyber Integration at MITRE Corporation, noted that DHS would play a part in securing the supply chain vulnerabilities that plagued the private sector as DHS can assist smaller companies in making better procurement decisions. However, Ms. Spaulding cautioned that unless the US has a way of “assessing individual supply chains’ security,” policies that are good faith in character may “wind up looking like… protectionist policies because [the US] will have to use much blunter instruments.”

An ongoing issue is the intersection between critical infrastructure and technology development, especially 5G and quantum computing. Mr. Daly, Chief Technology Officer for Cybersecurity and Special Missions at Raytheon Company, noted improvements in internet infrastructure will make a more secure network environment. At the moment, when one connects to the Internet they’re “exposed to the entire planet Earth, and anyone anywhere can attack [them].” By “leveraging new software-defined networking capabilities” providers will have the capability to enable completely new protocols and authentication mechanisms which will boost internet security. Mr. Daly continued that the importance of these developments means that “we will likely have to accelerate our deployment of 5G” as it has software-defined networking capabilities and other strong security features. Yet, adoption of 5G is also a security risk as the lower latency of the network means that a threat can move through the network faster, making it more difficult to detect before it has gained critical access. Regarding quantum computing, Mr. Daly noted the field offers the opportunity for communications that can’t be intercepted and are not dependent on latency. However, there needs to be increased funding before any of the successes can be realized.