We’ve Spent Billions on Cyber: How Are We Doing?
This commentary originally appeared in Homeland Security Today, January 30, 2019.
Protecting America’s critical infrastructure — essential to our everyday life — from cyber attacks remains one of our nation’s most important missions. How are we doing?
Not so good, by some accounts. In 2017, a major MIT report concluded that after spending billions of dollars over the past few decades, our infrastructure is somehow less secure than we were 30 years ago. Its authors conclude that “the vulnerability of the systems that power our nation is a national disgrace.”
And this is not merely a theoretical risk. Last April, the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation issued an alert regarding the worldwide cyber exploitation of network infrastructure devices by Russian state-sponsored cyber actors. In May, the U.S. Department of Justice announced they had stopped a network of more than half a million worldwide web-connected infected devices or “botnets.” And the Office of the Director of National Intelligence has concluded that they “expect that Russia will conduct bolder and more disruptive cyber operations” against our critical infrastructure in 2019.
Despite the recent re-opening of the federal government, Washington will likely remain gridlocked with no consensus plan to protect our critical infrastructure. Without the federal government acting, we will likely end up with a patchwork of potentially confusing and conflicting state and local regulations, which would create a nightmare landscape for business.
Progress, however, is possible and achievable. The same MIT report that paints such a grim picture also concludes that “the pathway to higher ground has been charted.” In addition, a new law was passed in October that formally creates a new federal agency at DHS, the Cybersecurity and Infrastructure Security Agency (CISA), which will become the federal government’s focal point to more strategically catalogue national critical functions and better advise on risk. And while properly organizing and planning is necessary to taking action, so is process. Fortunately, embedded in CISA is a cross-sector, collaborative approach to improving cybersecurity. DHS calls it providing for a collective defense.
So, where do we go from here? Such a process could lead to more widespread adoption of voluntary best practice standards, like the CIS Controls, the set of internationally recognized prioritized actions that form the foundation of basic cyber hygiene — cyber network defense that is demonstrated to prevent 80-90 percent of all known pervasive and dangerous cyber attacks. The Controls, compiled by cybersecurity experts around the world, help implement the goals of the NIST Cybersecurity Framework by providing a blueprint for network operators to improve cybersecurity by identifying specific actions to be done in priority order.
In the oil and natural gas industry – obviously a key sector – most companies already adhere to the NIST framework, and other voluntary standards. For example, a majority of the natural gas pipeline companies that operate about 200,000 miles of pipelines have committed to implementing the updated Transportation and Security Administration (TSA) voluntary pipeline cybersecurity guidelines, further demonstrating the success of public-private collaboration. But not all sectors possess the same resources. Greater adoption of the Controls would further boost critical infrastructure by increasing their ability to defend against common attacks.
There will be no single, silver bullet that magically protects our critical infrastructure from cyber harm. But the CIS Controls and other voluntary best practices are known pathways to stronger cybersecurity. We should redouble our efforts to implement them today.
Brian de Vallance, a former Assistant Secretary for Legislative Affairs at the U.S. Department of Homeland Security, is a senior fellow at the Center for Cyber and Homeland Security at the George Washington University.