Time’s Running Out to Prevent a Massive Cyberattack on Critical Infrastructure, Advisory Group Says

U.S. infrastructure is in “a pre-9/11 moment” when it comes to cybersecurity and time is running short to shore up its cyber defenses, an industry advisory committee warned Tuesday.

If government and industry don’t dramatically boost their efforts to protect critical infrastructure, such as the financial system or electric grids, they risk missing a “narrow and fleeting window of opportunity before a watershed, 9/11-level cyberattack,” according to a report approved by the Homeland Security Department’s National Infrastructure Advisory Council.

To stave off and prepare for such an attack, government and industry must create segregated and highly secure communication networks that are used solely for critical command and control systems, the NIAC report authors said.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The government should also dramatically ease the process for sharing cyber threat information between industry and government, the report said.

That includes more rapidly declassifying cyber threat information gathered by intelligence agencies so it can be shared broadly throughout critical infrastructure sectors and speeding up the process for granting security clearances to industry cyber leaders so they can review cyber threat information classified at the secret and top-secret levels.

Ideally, each critical infrastructure facility should have at least two employees cleared at the top level, said NIAC member Robert Carr, chief executive of Heartland Payment Systems and a co-chair of the report.

The report was based on reviewing hundreds of previous studies plus interviews with 38 cyber experts, who were mostly in the financial services and electricity sectors.

NIAC, which was formed shortly after the Sept. 11, 2001, terrorist attacks, is currently charged with advising DHS on the security of U.S. critical infrastructure against any form of attack, whether cyber or physical.  

Critical infrastructure is an official DHS designation referring to 16 sectors deemed vital for the country to function efficiently. In addition to electricity and finance, it includes transportation hubs, such as airports, chemical plants, oil and gas facilities and water treatment plants, among other sectors.

Most of the NIAC report’s 11 recommendations are not new, the authors acknowledged. Thus far, however, government and industry have both fallen short on raising defenses.

In order to spark that action—and unlike previous NIAC reports—Tuesday’s report lists agencies and individuals who should be ultimately responsible for carrying out its recommendations.

That includes directing National Security Adviser H.R. McMaster to lead a meeting of top government officials focused on fulfilling the report’s objectives and identifying barriers to fulfillment within six months.

“We all know how accountability works,” said former Constellation Energy Vice Chairman Michael Wallace, who co-chaired the report with Carr. “If you know you’re going to be held accountable, you tend to get things moving.”

White House Cybersecurity Coordinator Rob Joyce urged NIAC members to make Homeland Security Adviser Tom Bossert ultimately responsible for organizing that meeting rather than McMaster because of Bossert’s greater role in cybersecurity. Wallace defended the choice of McMaster by saying the report authors wanted to stress that a cyberattack against critical infrastructure is a national security concern.  

Wallace also urged DHS to task NIAC with conducting a one-year review to examine how well the executive branch and industry have complied with the report’s recommendations.

“I don’t think any of us have the naïve view that we’ll have 100 percent implementation of all the recommendations,” he said, “but we’re at a point where critical items and important progress need to be made.”

Other report recommendations include:

• Creating market incentives, including tax breaks, to help infrastructure companies upgrade cyber protections.
• Boosting the cyber workforce through worker exchange programs between government and industry.
• Reorganizing cyber authorities in government and the private sector so there’s a clearer set of responsibilities and chain of command during a cyberattack.
• Using the Gridex exercise, a biennial cyber wargame that simulates an attack against the electric grid, to test government’s top-level cyber decision making and develop further recommendations.
• Facilitating an industry-led pilot of machine to machine cyber threat information sharing.

Concerns about a 9/11-style cyberattack are not new. They began soon after the 9/11 attack itself in 2001.

Former Director of National Intelligence James Clapper downplayed the likelihood of such a catastrophic cyberattack in his 2015 and 2016 annual worldwide threats reports to Congress. U.S. infrastructure is more likely to be degraded by a series of low-to-moderate level cyberattacks, Clapper said.

The public record of cyber meddling with U.S. critical infrastructure is relatively slim, though it’s possible that many minor attacks—or preparations for attacks—have gone either unreported or unnoticed.

Most prominently, the U.S. indicted an Iranian citizen linked to that nation’s Islamic Revolutionary Guard for digital meddling with the control system of a dam in upstate New York in 2016.

There have also been numerous critical infrastructure attacks outside the U.S., including a Russia-linked attack on the Ukrainian power grid in 2016, an Iranian-linked attack on the Saudi state oil company in 2012 and the 2010 Stuxnet attack on Iran’s nuclear facility, widely believed to have been launched by the U.S. and Israel.

The Obama administration labeled U.S. election systems critical infrastructure during its final weeks in office but only after a Russian campaign of digital meddling in the 2016 campaign that reportedly included probing voting and other election systems in 39 states.