When if comes to the Cybersecurity and Infrastructure Security Agency (CISA), people sometimes forget that "I" word.
When if comes to the Cybersecurity and Infrastructure Security Agency (CISA), people sometimes forget that “I” word. Cyber topics seem to consume all of the oxygen these days. But physical infrastructure threats are also real and often connected to the cyber side. For more, the Federal Drive Host Tom Temin spoke with CISA’s Executive Assistant Director for Infrastructure Security, David Mussington.
Interview Transcript:
Tom Temin I want to go back to your title, executive assistant director for infrastructure security. That’s a wide sounding type of portfolio that you have. And, you know, at the beginning of DHS, in the post 9/11 era, people worried about physical infrastructure, bridges, roads, and in fact, that’s something they should worry about. But the cyber piece in that component is increasingly part of the physical infrastructure process industries and so on, and vice versa, because even the cyber infrastructure has towers and wires and data centers and so forth. So how do you look at that? How do you really separate cyber and infrastructure in terms of the day-to-day oversight that you do?
David Mussington So, you know, increasingly and I should say that obviously it’s a team sport and there’s a cyber security, executive assistant director as well, Eric Goldstein. You know, the agency name really tells you how we do it. The Cybersecurity and Infrastructure Security Agency encompasses all hazards, risks to infrastructure function. That means physical threats, the terrorism, and counter-terrorism risks that you elaborated on at the beginning. And cyber threats, which are newer, which are due to the network nature of, physical systems. And the physical infrastructures that have a cyber layer attached to them. Think about a water and wastewater treatment system that is connected to the public internet, for example. And what would happen if you disrupt that cyber connectivity? Most of our critical infrastructure that way, from airports to pipelines to government facilities and government services. So, while human beings may live in physical buildings, they can make it over wires and over frequencies that are subject to disruption at the cyber part of it. The communications part of it, the physical part of it is still here. And we worry about bomb threats and, physical attacks and risks to physical facilities like churches and schools. All of that encompasses into the critical infrastructure risk challenge.
Tom Temin And from CISA and in dealing with CISA the cyber side gets all of the publicity. That’s all the releases coming out.
David Mussington Of the city. Not all, but much of it.
Tom Temin Yeah, maybe review for us what’s happening on the physical infrastructure protection side. And I’ll give you an example. Just from my own experience, I used to do a lot of running around the big reservoir in Central Park in New York City, and that was fenced off because it was a reservoir, the Jackie Onassis Reservoir. But I was always thinking somebody could come there in the night with a bucket of poison, get over that little fence and dump it in there or something like that. Physical security, or somebody climbing under the George Washington Bridge and doing something nefarious. What is CISA’s approach on that end of things?
David Mussington So what we do is we collaborate with the people who own those infrastructures, the assets themselves, and that’s mostly state and local governments. And to the extent the private sector, and we advise them and collaborate with them to make sure that the best protection is available or deployed to those locations. And that means fencing in the example you gave to keep people away from particularly vulnerable areas. It means advising them on the level of threat. So, if we have Intel information and we tell you that information about threats and challenges risks in the field, we collaborate and tell them about it. And we tell them about best practices that they can adopt to add layers of protection. We also make available our assessments of risk because we have a risk assessment program on the physical side where we were we assess dams, tunnels, bridges, etc., against categories of threat from explosive devices through physical threat from domestic violent extremists, for example. And we provide guidance on how best to protect and certainly out to liaise with first responders to make sure that if an incident should take place, that those assets can be protected as quickly and as viably as possible. So, its best practices advice, it’s assessments and it is engagement through our field force we have 1010 regions. And we take your security advisors. We provide security advice for how to secure particular facilities and critical infrastructure.
Tom Temin And some of the critical infrastructure a fair amount is privately owned.
David Mussington Most commonly articulated statistic is over 80%. The great majority that’s, I think, a safe generalization.
Tom Temin And do you find that there are differing levels of willingness to cooperate across different sectors.
David Mussington So over the 20 years or more that I’ve worked on this topic, I think that I’ve seen it go from grudging collaboration to a much more acceptance of the shared risk between the public and the private sector, and a level of trust between CISA and private critical infrastructure operators that they recognize the threat and they’re willing to collaborate with us to lower the risk. In at least attempt to talk about the risk in a way that wasn’t true a decade ago. So, I’m pretty optimistic when it comes to that.
Tom Temin We’re speaking with Dr David Mussington. He’s executive assistant director for infrastructure security at the Cybersecurity and Infrastructure Security Agency. Just out of curiosity, tell us about how you came to this type of work. You’ve taught it, you’ve practiced it, and now you, I guess, practice and oversee it.
David Mussington All right. So, I’ve been here since the beginning of this administration, I was appointed in February of 2021. Prior to that, I was the university professor at the University of Maryland, College Park, where I taught on homeland security and critical infrastructure resilience. Long career from Rand Corporation to doing post-doctoral work at Harvard on national security threats. And this is just sort of the domain area where I specialized for a while on the cyber and the physical side of the house.
Tom Temin And getting back to risks to physical infrastructure. One of them is lack of maintenance. And we’ve seen that often. Well, both public and private bridges do fall once in a while in the United States, land on the highway below this kind of thing. And I think of like radio towers, which are privately owned, that are really tall. If they ever flipped over, lord knows what they would hit on the way down. Does CISA mission bridge over into best practices and shared information on keeping things just in good repair as a part of security.
David Mussington A couple of things about that. First, it’s mostly about how those vulnerabilities can be exploited to negative to negative effect. So as an all-hazards agency, we focus on the fragility of infrastructure, of course. And if infrastructure fails then there can be security and risk consequences. So that’s probably one of the oldest focus points of CISA. A different focus is when weak or vulnerable infrastructure can be exploited by bad actors, and those bad actors can know where vulnerabilities are less likely to be remediated and can choose those times and places of their choosing to back down. And we worry about a lot about that to the extent of strengthening weaker infrastructure. You know, we leverage things like the Infrastructure Investment and Jobs Act of 2021 that programed billions of dollars to improve the physical shape of infrastructure. That infrastructure can be rebuilt, internalizing standards of best practice and protection that are new to protect against older risks. So, we’ll provide advice on how to rebuild infrastructure to make it stronger and more resilient. That’s our principal injection point into this.
Tom Temin And does this work extend even further back, say, into the engineering and construction of new infrastructure that could be done differently.
David Mussington Because, we have principles like secure by design and secure by default, where we try and make sure the security standards and best practices for construction on the cyber and physical side are included in the design of newer infrastructure. So, the newer infrastructure will be more resilient than the infrastructure it replaces. So that’s what that’s part of it.
Tom Temin And having a broad overview of this, is there any particular sector. And I know you love them all equally, but one that you feel this is the one I’d like to see have the most advancement in.
David Mussington I will defer picking on a particular infrastructure, but I will say that everyone can improve. And I think that, IIJA that infrastructure investment, jobs that I mentioned, programs, potential improvements across a myriad of infrastructures, all of which, are venues where security standards and practices can be deployed, and we can end up with a much stronger set of resilient infrastructure than we have right now.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED