October 17, 2018
Our Critical Infrastructure is More Vulnerable Than Ever. Here's What We Can Do About It.
By Michael K. Daly
When the US Department of Homeland Security (DHS) released its cybersecurity strategy in May, it laid out seven goals to help the government better defend the United States and its infrastructure against the constant onslaught of sophisticated cyber threats.
- Assessing and understanding systemic cybersecurity risks
- Protecting critical infrastructure
- Responding effectively to cyber incidents
Although these are similar to prior strategic goals, there is a new keyword: systemic. Putting this cybersecurity strategy into action requires three aggressive steps be taken across people, technology, and process. These are:
- Build deeper partnerships with industry to foster an aligned cybersecurity ecosystem
- Accelerate the use of innovative and emerging technologies such as artificial intelligence and machine learning
- Produce comprehensive playbooks to unify government actions across homeland security, law enforcement, intelligence, and state.
In September, the US Department of Defense (DoD) delivered its own cybersecurity strategy in which it laid out how the department will implement the priorities outlined in the DoD National Defense Strategy. A few key objectives include:
- Deterring, preempting, or defeating malicious cyber activity that targets critical infrastructure in the United States
- Securing DoD information and systems, including on non-DoD-owned networks, against cyber espionage and malicious cyber activity
- Expanding DoD cyber cooperation with allies, partners, and private sector entities.
The intersection of these two strategies—addressing critical infrastructure and calling for public-private partnership—opens the door to a powerful community of interested parties who are grappling with cybersecurity challenges. This is the foundation that will be required for a cybersecurity “moonshot” referenced by US Vice President Mike Pence in his speech at the DHS Cybersecurity Summit in July. At that summit, DHS unveiled its new National Risk Management Center. This hub will help drive toward the goal of managing systemic risk to critical national infrastructure.
Cybersecurity is a shared responsibility for DoD, DHS, federal agencies, and the corporate world. Cyber criminals now target the commercial sector with as much force and skill as they do the government. Many attacks against the corporate world have national security consequences, a reality not yet fully appreciated by all businesses and citizens. As just a few examples: ransomware payoffs fund terrorists and nation states seeking to evade sanctions; compromised computers act as relays to disguise attacks on critical infrastructure and steal secrets; stolen intellectual property accelerates the build-out of competitive enterprises, weakening our economy and influence.
DHS and the DoD understand that domain expertise is key and will involve individuals who have experience protecting and hardening systems at a federal level, or those who know how to bring together people and systems. Additionally, partners will need to have an understanding of the geopolitical implications around protecting national infrastructure.
While it is not likely that an attack will create wide-scale impacts like shutting down the power grid, disrupting mass transit systems, or massively altering election results across the nation, if hackers could infect relatively few computers, they could prevent effective emergency response in the midst of a crisis or sow seeds of doubt about the legitimacy of these systems.
The United States, like many of its allies, is at a tipping point. We must step up and make it more difficult for our adversaries to breach our critical infrastructure. These breaches not only erode trust, but also impact our safety and lives.
Of the sixteen critical infrastructure sectors as defined by DHS, election systems present a unique challenge to security professionals. US elections are managed through a hodgepodge of systems that vary from state to state, including paper ballots, electronic screens, Internet messaging, and even some Internet voting. As we move into midterm elections in November and with an eye to the 2020 presidential election, the following steps can help build confidence and combat threats to critical electoral systems:
- Election officials and cybersecurity staff should review the importance of cybersecurity controls, the threat vectors that are known to have been exploited in systems, and the long history of election tampering that has been occurring since World War II. Improperly informed stakeholders are our greatest vulnerability.
- Document the end-to-end election process with all of its systems, dependencies, and interfaces. Every community is different and faces somewhat different threat vectors. Engaging technology vendors and IT organizations (across the end-to-end chain) to conduct technical testing to ensure systems are secured should be a regular occurrence.
- As with any technology that you deploy in your homes or offices, patching, segmentation, monitoring, wireless configurations, hardening to remove unnecessary applications, and ensuring there are multiple redundancies and methods of validation are components of good cyber hygiene routines.
- Implement integrity features for electoral rolls, vote casting, counting, and communications systems, including redundant records and backups that guarantee every vote is counted and verified.
We live in an interconnected world full of cyber threats and vulnerabilities. Our national security depends on resilience, achieved by implementing effective security controls across all sectors of our critical infrastructure. Addressing these evolving threats will require a much more collaborative effort with far more active engagement by the private sector in matters of systemic risk and national security. Collectively, we have the people, processes, and technology needed to combat this threat and remain safe.
Michael K. Daly is the chief technology officer, cybersecurity and special missions, at Raytheon Company. You can follow Raytheon on Twitter @RaytheonCyber.