What's Critical? Evolving the Security Playbook for Managing Ones, Zeroes, and Everything in Between
Over the past decade, a steady and significant shift has occurred in the governance, resources, frameworks, and approaches to managing cyber, physical and other risks to America’s critical infrastructure. How have our tools and techniques evolved? Are we better equipped to tackle the threats of tomorrow?
“We also know in looking at the pandemic that there were many failures of the supply chain and many concerns whether it was kind of what you needed to make a respirator or even just vials for saline in hospitals and there are many kind of shortages and also some real limitations and security concerns there.”
Christopher C. Krebs
“Over the last several years, we’ve identified five key shifts in the way the critical infrastructure community is managing risks. The first aspect is that it’s becoming quite clear that risk is shared across all sectors. The second is supply chain risk management is critically important. The third piece is vulnerability management is also evolving and becoming more effective. The fourth is what used to be a security practice is now evolved into a more resilient approach to critical infrastructure risk management… And lastly, we’re seeing organizations take a much more enterprise-level understanding of cybersecurity risk management.”
“There’s absolutely a night and day difference between the security awareness and posture of state and local election networks, and the resilience measures that have been built in. We have intrusion detection systems deployed across all 50 states, and state election directors, secretary of state networks. In some states, we’ve got them in all counties.”
“Post 9/11, it was like we have to put the guns, guards, and gates around the building or around …but it's actually, in my mind, an academic reach. It's an intellectual reach that we're now starting to focus again on sort of the functions and the services because decoupling, if you will, whether it's not being able to decouple this is able to make us think differently about what is it we rely on. And whether or not we rely on it not, I think also helps us make the plans make the arrangements so that you know what you do need to focus on.”
“We're moving into an environment where the 5G will in essence change sort of the overarching architecture of all of the aspects. I mean, 5G is supposed to be access agnostic, whether it's the wireless thing that everybody's all excited about—it's pretty exciting—or it's going to be the WiFi or the cable guys or the wireline guys or the satellite guys or the broadcasters. Everybody, all the segments that we've been operating with in, you know, sort of the traditional telecom space, has also been part of the 5G environment.”
“I think it's fair to say that we do have a fairly long-standing relationship, certainly, with government dealing with security risk resilience kind of issues. I think it was understood decades ago that you can't weather a storm if you can't communicate, you can't weather a storm if you don't have power, and so I think power and comms in particular have a deep, deep relationship.”
“If you look at what’s happening in the world today, we’re dealing with increasing levels of complexity… Increasing scale of complexity, where the complexity itself becomes a risk aggravator. I think it’s important to understand as it’s becoming more well-known to everybody. When I talk about complexity, I’m talking about complexity that starts to break down legal frameworks, standing operating procedures, training tactic procedures, any structure that’s been created to model how we’re going to respond to these things. We’re finding that they don’t scale very well sometimes.”
“But in my view, starting with the NIST standards for cyber security, these things almost evolve to a standard of care and defensive liability and tort law, so what you're doing is you're having this negotiation that results in a framework or a standard that becomes a rebuttal presumption on a standard of care, and I think that's a good evolution; the right way to do it right now.”
“The partnerships, and the structure and the trust that's been built in terms of our ability for industry and government and cross-government to work together on challenging risk issues is in the consistency of the framework and the authorities, and how we know how to work together and the structures we've been put in place, and then using them consistently over a period of time in a voluntary fashion has just built a lot of trust into the system.”
“What we’re trying to do, it says in the National Risk Management Center, is identify the delta where risk isn't being managed up to the level of national security interest and try to close that gap in partnership with industry and partnership across the sectors. But not [by] saying, you know … let me put a bunch of different rules on that demands on you that don't make sense from a market and innovation perspective.”
Admiral Thad Allen
Science and Technology Innovation Program
The Science and Technology Innovation Program (STIP) brings foresight to the frontier. Our experts explore emerging technologies through vital conversations, making science policy accessible to everyone.
Digital Futures Project
Less and less of life, war and business takes place offline. More and more, policy is transacted in a space poorly understood by traditional legal and political authorities. The Digital Futures Project is a map to constraints and opportunities generated by the innovations around the corner - a resource for policymakers navigating a world they didn’t build.