Security 101: Protecting Critical Infrastructure in the Digital Age
A summary of the August 3, 2020 event, "What's Critical? Evolving the Security Playbook for Managing Ones, Zeroes, and Everything in Between," highlighting critical infrastructure considerations in cybersecurity.
Navigating an Unprecedented Digital Domain
Over the past several years, there has been a large shift in how the critical infrastructure community is managing risks. Expert panelists from the Cybersecurity and Infrastructure Security Agency (CISA), CenturyLink, and HudsonAnalytix weighed in on the vulnerabilities of U.S. critical infrastructure that have been brought to light by COVID-19 as well as how to mitigate risk in an increasingly borderless domain that thrives off of innovation, interoperability, and international cooperation.
“If you look at what's happening in the world today, we're dealing with greater levels of complexity, whether it's the scale of the scope or the novel virus we haven't dealt with before,” says Thad Allen, Senior Executive Advisor at HudsonAnalytix and Booz Allen Hamilton. “The increasing scale of complexity itself becomes a risk aggravator. And when I talk about complexity, I'm talking about complexity that starts to break down legal frameworks, standard operating procedures, training, tactics, procedures, any structure that's been created to model how we're going to respond to these things. We're finding that they don't scale very well sometimes when we’re dealing with a very large event.”
Despite our best efforts, the irrefutable reality of today is that the growing complexity of risk has been exacerbated by technology accelerating much faster than it can be kept up with or effectively regulated. We are in the midst of transitioning into a digital world that must work in symbiosis with both existing critical infrastructures and the electromagnetic spectrum through which Wi-Fi signals and IoT traffic pass. As noted by Allen, “[Cybersecurity] is a new domain that touches everything and we're going to have to manage it as a domain.”
Critical Infrastructure Risks in the U.S.
To successfully navigate the uncharted waters of this “new domain” -- one might even call it unlicensed spectrum -- Chris Krebs, Director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, listed five key shifts in how the U.S. critical infrastructure community has been adapting to manage risk. These “key shifts” in critical infrastructure risk management framed the discussion for the remainder of the panel. The first point addressed was that risk is shared across all sectors, rather than being confined to one industry or within one country’s borders. For example, all users of industrial automation systems are susceptible to cyber-attacks, whether or not their respective facilities are the deliberate target of an attack. When industries are party to a common technology monoculture, they effectively share the pool of vulnerabilities associated with it. The second critical infrastructure consideration is managing vulnerability, whether that means managing risk in the supply chain and throughout the entire course of our existing systems, or ensuring the continued resilience of these systems. The final piece is creating an environment of enterprise-level understanding of cybersecurity and risk management, where industry leadership plays a key role in conversations around regulation to generate investment and capability development.
The panelists agreed that successfully addressing these security concerns will require partnership and information sharing across sectors and with our Five Eyes allies to ultimately establish best practices through both industry-wide and international standards-setting bodies. As noted by Bob Kolasky, Assistant Director of the National Risk Management Center at CISA, these focus areas work to protect the very functions “that are so critical to national security, national economic security, national economic competitiveness, community well-being that if they break, we're in trouble.”
“What Does it Mean to Be Critical?”
To dissect the above-mentioned points, the panelists first had to address the elephant in the room, “What does it mean to be critical?” According to Kathryn Condello, Senior Director of National Security and Emergency Preparedness at CenturyLink, “If it's important to your customer, you are critical.”
Naturally, if a customer views a good or service as critical, the business has an incentive to retain the customer’s trust in order to remain in their value chain. “And then for those who really need more,” Condello added, “the best way that certainly the government and other businesses have done it is to incent [those] behaviors through writing a contract and getting a service level agreement...I think that, for instance, the power of the government and frankly, the power of large enterprises to not impose but to motivate and to incent higher levels of care through contracts is a standard success story that the U.S. government and all nation states have employed.”
Operationalizing Security into Shared Best Practices
Throughout the event, the panelists agreed that the way towards an optimally secure critical infrastructure community was through co-producing successful outcomes. This “unity of effort,” as the panelists often referred to it, is manifested in, as Kolasky argued, “the partnerships, the structure, and the trust that's been built in terms of our ability for industry and government and across government to work together on challenging risk issues.” Adding to his point, Kolasky suggested, “The area where I think we need to make more progress is, you know, actually continuing to blend those capabilities together to more quickly solve problems....We've got the sort of problem-identification, problem-solution. But can we actually come together more quickly to field things that are going to make the country more secure, to pull blended authorities, to stimulate innovation, to allow industry into the conversation?”
Allowing industry into the conversation serves as a catalyst for opportunity and innovation. When you “give them a room and yield solutions,” suggested Kolasky, these conversations where information is shared lead to standards, particularly open standards. In an effort to avoid being locked into a “compliance culture”, as implied by Kolasky, industry-generated standards must take precedence over government-generated standards. Standards, which are essentially mutually agreed upon requirements, “only make sense if they’re the right requirements -- if they’re smart, if they enable innovation,” according to Kolasky. Condello notably added that when people, namely industry experts, write the rules, “there's a lot of visibility.” Allowing space for these conversations around standards further enables a culture of promoting technological interoperability, which is necessary for the longevity, continuity, and resilience of critical systems -- and consequently, our national security. “We're definitely seeking sort of an interoperability on the standards side so that I can swap out Bob's box for Richard’s software for Jane’s peripherals so that [we] can make the best decision,” stated Condello.
“Interoperability gives us the place to not only be competitive, but also make sure that we're building what we want for our customers,” explained Condello. “The most important point about these two aspects, though, is that by having the standards and making them interoperable makes things highly transparent in terms of what is the standard.”
Looking to the Future
The last couple of years have shown that foreign actors -- particularly Russia, China and a few others -- don't necessarily come knocking on the front door when attempting to destabilize our essential systems. Rather, these great powers are deeply aware of the dependencies between U.S. organizations and will look to exploit trusted relationships between the private and public sectors, particularly in the hacking or disinfo[rmation] space.
On the topic of the U.S.’s policies towards foreign actors and their technological developments, namely 5G, the panelists discussed the potential security risk of allowing China to lead the 5G market. In the words of Director Krebs, “Why on earth would we put a control plane for that infrastructure in the hands of an adversary that time and time again reminds us of who they are and what they think of liberal democracies?”
Even though there may only be a few players building out core 5G networks, such as Ericsson, Nokia, Huawei, and ZTE, there is an abundance of opportunity for innovation. It is with leadership in technological innovation that the U.S. plans to simultaneously strengthen its national security and stimulate economic growth. “We really have the national security and the economic parts and agencies sitting next to each other to try to figure out the right mix so that we are not in a position where a subsidized player dominates the market -- particularly when that subsidized player has demonstrated that their vulnerability management, security practices and foreign government influence make them less trustworthy,” concluded Director Krebs.
Ultimately, Krebs stated, “We are trying to figure out ways that we can enable a sort of suite of like-minded countries to enable innovation to scale around that. And we have to do that. This bungees opportunity more than risk. Let's take advantage of the opportunity while thinking about the risk that will be out there if it doesn't roll out in a way that will ultimately be secure.”
About the Author
Science and Technology Innovation Program
The Science and Technology Innovation Program (STIP) brings foresight to the frontier. Our experts explore emerging technologies through vital conversations, making science policy accessible to everyone.
Digital Futures Project
Less and less of life, war and business takes place offline. More and more, policy is transacted in a space poorly understood by traditional legal and political authorities. The Digital Futures Project is a map to constraints and opportunities generated by the innovations around the corner - a resource for policymakers navigating a world they didn’t build.