With the signing of the Cybersecurity and Infrastructure Security Agency (CISA) Act earlier this month, the Department of Homeland Security (DHS) is now moving out quickly on this important reorganization and rebranding of the former National Protection and Programs Directorate. The new federal agency will benefit from an increased budget and more authority in imposing its directives. This reorganization has positive implications for our growing cybersecurity challenges, but also for the 16 identified sectors of our critical infrastructure, which includes energy, healthcare, financial services and transportation, all of which need to be defended from internal and external threats.
Understanding the degrees of risk
For executives in cybersecurity, cyber-risk is top of mind, as a recent survey showed that 60 percent of chief information security officers believe nation state attacks against government and the commercial sector will worsen and potentially lead to cyber war. However, beyond these executives, awareness of the risks varies depending on the industry. For example, the defense industrial base developed a healthy respect for the scope of the threat landscape and deployed tactics, procedures and tools, in collaboration with peers and governments, to thwart breaches. Having experienced serious security risks for decades, this summer DHS unveiled its new National Risk Management Center, a hub that will help drive the goal of managing systemic risk to critical national infrastructure.
Despite these advances, other industries like transportation and energy have not had the level of integration to make cybersecurity a priority. And yet, transportation can now be impacted by cyber threats in many ways, like shutting down shipping ports or borders through crypto-ransomware or disrupting air traffic control. The energy sector is a highly-regulated industry and faces challenges due to that regulation and fragmentation, but improvements are underway. This month, the Department of Energy invested $28 million to support the research and development of next-generation technologies to improve the cyber resiliency of the electric grid as well as oil and natural gas infrastructure.
While these investments are a positive sign, we need to recognize that the threats go well beyond these sectors to include water, pharmaceuticals, critical manufacturing and more. The reality is this: All of these interconnected systems are vulnerable, and we need to work together to develop protections at every level.
So how can DHS and other federal agencies lead by example through security policy, and what can industry and the corporate world do to follow suit? Educating the public remains a hurdle. On the individual level, stronger, two-factor authentication is no longer a “nice-to-have” security measure, but an essential protective layer that all individuals and businesses need to employ.
At the industry level, we need to understand the systemic risks to those industries, and model the cyber and real-world indicators that can warn of an attack. DHS has led the charge in this initiative with its National Risk Management Center, enabling the power of our government to be brought to bear on our adversaries. This not only empowers us to limit the damage of an attack, but deter one altogether. In addition, the creation of CISA will likely serve as a major asset for DHS in promoting these public-private partnerships, as an increase in funding and autonomy will enable the agency to continue its partnerships with technology companies that can help speed up the department’s efforts to protect our nation’s critical infrastructure. DHS already has important partnerships in place, like the Silicon Valley Innovation Program (SVIP), which finds new technologies that strengthen national security with the goal of reshaping how government, entrepreneurs and industry work together to find cutting-edge solutions. As cyber hardening our critical infrastructure will involve a collaborative effort, programs like the DHS InnoPrize, which uses crowdsourcing to quickly find solutions to security issues, and the Small Business Innovation Research (SBIR) Program, which helps U.S. small businesses to develop solutions to homeland security needs, need to be expanded to continue to incentivize private sector action.
On a national scale, the idea of a Cybersecurity Moonshot — a national initiative to shift the balance of cyber-power from attackers to defenders and regain trust in cyberspace — is gaining traction. In fact, the National Security Telecommunications Advisory Committee (NSTAC) recently presented a Cybersecurity Moonshot report to the White House, in an effort to make the U.S. a key player in making the internet safe in the next ten years. As government officials advance this initiative to make a fundamental change in cyberspace, they will address six key pillars to achieve a more secure internet within the next 10 years. One of the pillars is human behavior, which remains a hurdle as user, provider and employer actions continue to be one of the top causes of data breaches today. Another critical pillar the government seeks to address is education. The lack of cybersecurity awareness and regular education continues to be a challenge for businesses, organizations and consumers alike. The need to increase the availability, quality and diversity of cybersecurity talent is paramount to ensuring proper protection for years to come. Additionally, together with tech companies and other partners, organizations like DHS and the Defense Department (DoD) can develop compelling, minimally technical messaging to citizens to demonstrate that good cybersecurity practices are a part of our national security.
The time for collaboration is now
These strategies aside, we know this: Critical infrastructure security is not a problem that falls to one organization or branch of government; it is a shared responsibility. There is an immediate need for closer partnerships between industry and government organizations to foster an aligned infrastructure security ecosystem. By leveraging the domain expertise of DHS and DoD, agencies that have experience protecting and hardening systems at a federal level, and the speed and technology that Silicon Valley cybersecurity companies provide, we can develop comprehensive playbooks to unify government security decision-making across homeland security, law enforcement, intelligence and state. These playbooks could include standard cyber breach reporting protocols so that agencies, companies and individuals understand what to do and who to reach out to when their information has been accessed, and what steps need to be taken based on the information stolen. The time is now to close the awareness gap and unite government and industry to focus on action in order to make our most essential infrastructure resilient against attack.
Michael Daly is the CTO for cybersecurity at Raytheon and Russ Schrader is the executive director of the National Cyber Security Alliance.