COMMENTARY | Federal leaders must take lessons learned from network protection efforts to empower state and local governments and critical infrastructure operators.
Since the earliest days of our nation, information security has been paramount to keeping the nation secure, and substantial progress has been made to secure federal and defense networks and create a strong cybersecurity posture. While that work is far from over (for it will never be over), federal cybersecurity today is the strongest it has ever been.
Federal agencies have reduced their risk through smart management, investments in new technology and stronger training and awareness programs, but another great cyber threat to the country has emerged: large portions of the critical infrastructure sector are more vulnerable than ever.
These threats are not just theoretical. In 2021, two notable cyberattacks affected drinking water supply and fuel access in different parts of the nation. Recent reports in the Government Accountability Office's Cybersecurity High Risk Series have highlighted this fact, as has the new White House National Cybersecurity Strategy.
Factors such as technology advancement, a global pandemic spurring a need for remote work and the increasing desire to use real-time data for business decision making have driven a sharp convergence of operational technology and information technology systems.
While this convergence has brought many benefits to businesses and consumers alike — improved efficiency, better user experiences and greater operational insight — it has also substantially increased the attack surface and the scale of potential harm. Threat actors are now able to target the previously air-gapped technologies that control much of our physical world.
Federal agencies have been working for years to overcome the same set of challenges critical infrastructure providers now face, including funding, chronic cybersecurity skills shortages and lack of common policies across sectors. Thanks to strong leadership, education, awareness and a focus on technology modernization, federal agencies have built an impressive expertise around protecting networks and mission-critical systems. Now, the federal government must take those lessons learned and create programs and pathways to share and empower state and local governments and critical infrastructure operators to do the same.
Such programs could take many forms. Here are four ways federal agencies can help build cyber resiliency across the nation’s critical infrastructure.
1. Increase funding via grants and provide tax incentives. One of the biggest challenges with implementing strong cybersecurity is the investment and cost associated with procuring and implementing the right technologies—not to mention hiring a workforce trained to run these systems. Unfortunately, security is all too often overlooked as a cost center until it is too late. Given the importance of securing critical infrastructure, federal legislation that prioritizes grant funding and tax incentives for security initiatives can alleviate the costs and incentivize cybersecurity investments.
2. Continue providing research and frameworks for addressing risk. Agencies like the Defense Advanced Research Projects Agency, the National Institute of Standards and Technology, the Department of Energy, CISA and many others are constantly evaluating potential threat avenues and responses, along with new technologies that could play a role in cybersecurity stance. An excellent example of this is DARPA's Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program on Plum Island. Federal agencies should continue prioritizing projects such as these and expand them to include other critical infrastructure sectors as well.
3. Share hard-won best practices for securing human capital. Federal agencies collectively hold one of the largest repositories of cyber know-how in the nation. In addition to research and frameworks on technical challenges and solutions, federal agencies should also share best management practices, policies and procedures that are necessary for effective cybersecurity. This includes how to implement zero-trust frameworks, enforce security policies, and other ways to secure the “human element” of a cybersecurity strategy.
4. Foster private-public collaboration and forums for information exchange. Of course, research, risk assessment frameworks and best practices mean little if not communicated and shared. We as a nation have always been at our best when we work together in common cause. Accordingly, federal agencies can play an important coordinating role between the many sectors and industries that otherwise do not talk. Has an energy utility in California identified a risk in OT systems that are also in use in other states?
As private sector organizations take more responsibility for cyber risks in the systems they build, ensuring open communication between public agencies and private sector industry will become even more important. CISA is facilitating this exchange through its Cybersecurity Advisors (CSAs). CSAs act as liaisons between government and industry to create a more unified and effective cybersecurity approach across all sectors. There are more examples, of course, but there can never be too many federal agencies helping bridge the gap for these organizations.
The new reality we face is that cybersecurity is a very real threat to national security. In the wake of the 9/11 attacks, new federal agencies and programs were created to secure airports, a critical infrastructure sector often operated locally as semi-public/semi-private entities. Air travel in and out of this country has never been safer. It is time we take a similar approach to critical infrastructure cybersecurity — a much larger challenge with even greater potential risk to the nation.