COLUMN: Securing Our Critical Infrastructure Lifelines

Originally published COLUMN: Securing Our Critical Infrastructure Lifelines on by https://www.hstoday.us/featured/column-securing-our-critical-infrastructure-lifelines/?utm_source=rss&utm_medium=rss&utm_campaign=column-securing-our-critical-infrastructure-lifelines at Homeland Security


At a time when bipartisanship is in short supply, cyber strategy remains an area of general agreement across party lines. One of the common pillars across multiple National Cyber Strategies, signed by presidents from both parties, is that we must defend critical infrastructure and strive to make attacking it off limits to our adversaries.

Most recently this has played out in the calls to respond dramatically to the Chinese government-led campaigns against telecommunications and other infrastructure – Salt and Volt Typhoon. Salt Typhoon is a massive cyber espionage campaign against telecom networks, while Volt Typhoon is an effort to intrude into critical infrastructure systems to “pre-position” attacks as a form of deterrence against U.S. defense efforts against Chinese aggression in Taiwan and elsewhere.

By all accounts, senior officials have said following the incidents that protecting these systems is a national priority. As SANS has noted, “These specific attacks … demonstrate a significant shift in the playbook of state-sponsored cyber threats, where targeting internet service providers isn’t solely about data theft but instead includes undermining the very infrastructure that enables digital communication and commerce.” (Securing the Grid: Lessons from China’s Cyberattacks on U.S. Providers | SANS Institute)

In particular, the Volt Typhoon incident has raised the specter of critical functions in communities and national defense being shut down by the Chinese government via cyber means.  

When it comes to protecting critical infrastructure, these campaigns point to a clear type of incident that should be prioritized. Unfortunately, U.S. policy implementation has taken a broader view of critical infrastructure, which has diminished the ability to focus on those things that are most crucial to national security.

One reason for that is an inconvenient truth: there is no consistent and well-understood view of what critical infrastructure is and how broadly the term should be applied. Moreover, it is easy to see that in the last 30 years, the United States has broadened the use of that term, diminishing the ability for effective prioritization. This fundamentally weakens the strategic value of deeming anything as “critical infrastructure.”

The statutory definition of critical infrastructure is “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” From that definition, policy documents have typically defined critical infrastructure as systems, assets, and networks within a sector structure. While that has had the useful effect of providing general parameters, it does not function effectively in narrowing what is critical and what is not. For example, Education is considered a critical infrastructure subsector. Does that make every school critical infrastructure? What about the Commercial Facilities sector, where there are hundreds of thousands of buildings to which the term could apply? How do you define critical infrastructure in the context of an IT sector with tens of thousands of hardware and software providers that could be considered critical?

It is time for a change of focus and a commitment to elevating the meaning of what critical infrastructure should be as part of national security and resilience efforts. Given the risk environment, we can no longer afford an approach that lacks risk-based prioritization focused on the criticality of functions.

To meet the strategic need for risk-based security and resilience, there should be a new prioritization approach.  It should rely on prioritizing the critical infrastructure that supports Critical “Lifeline Functions,” which can be defined as functions in which “reliable operations are so critical that a disruption or loss of one of these functions will directly affect the security and resilience of critical infrastructure within and across numerous sectors.” 

The National Infrastructure Protection Plan defines four lifeline functions as Communications, Energy, Transportation, and Water. To that list, I would add Cloud Computing and Data Management (https://www.hstoday.us/featured/column-a-new-lifeline-to-prioritize-in-infrastructure-protection/) and critical Health and Financial systems. The reason for prioritizing these lifeline functions is that these infrastructure systems are necessary for national defense, continuity of government, and continuity of operations for Americans’ daily lives. Any significant degradation to those systems is likely to have the most immediate and broadest impact, and if they are resilient the scale of harm will be limited.

It is important to note that the seven lifeline functions listed above are not simply synonyms for the current critical infrastructure sectors but, instead, are the end state of what multiple sectors produce and what we rely on for the operations of the economy, community well-being, and national security and defense. Each of the sixteen critical infrastructure sectors named in U.S. policy contributes to Lifeline Functions, as well as other important critical infrastructure, such as space systems. But the major distinction is that not everything in those sectors should be prioritized, only those parts that contribute most significantly to lifelines.

To operationalize this approach, there should be an immediate effort to strengthen and resource the seven associated Sector Risk Management Agencies within the Department of Energy, the Environmental Protection Agency, CISA, the Department of the Treasury, the Department of Transportation, and DHS.

There should also be a shared analytic agenda, coordinated by DHS/CISA, to document the nodes that are most critical in each of these seven Lifeline Functions, based on the scale and scope of the infrastructure within functions. This is a manageable exercise because each of the functions has “use” or “volume” metrics which relate to their criticality to U.S. society. As a starting point, use and volume metrics help define the most critical infrastructure across the five proposed functions. Identifying the companies and entities (even if not publicly) that are responsible for the most significant portion of that volume will be important, as will identifying the systems and assets at key nodes that should form the basis for critical infrastructure asset prioritization.

There should be an intentional effort to learn the most critical and ubiquitous hardware and software – both operational technology and information technology – that enable those functions, because those serve as the basis of needed cyber security enhancements. Important to this will be identifying the materials necessary to produce such functions and the supply chains and supply base that need to be maintained.

The implementation work called for in President Trump’s Executive Order on “Achieving Efficiency Through State and Local Preparedness” can set the groundwork for adopting this approach. The Order calls for an enhanced “risk informed approach” to National Critical Infrastructure Policy within 180 days. This should be developed in partnership with the private sector, which owns and operates much of the critical lifelines, and also be followed up with a clearly articulated statement of roles and responsibilities in managing critical infrastructure risk.

The cyber risk from adversaries is not diminishing. Many of those potential adversaries, most prominently the Chinese government, are likely to be strategic in their efforts to cause harm via cyber and hybrid attacks. The United States has to be equally strategic in its approach to defense. While efforts have been tried in the past, there needs to be renewed work to focus on what is most critical and prioritize that in security and resilience efforts. Building off the current approach while driving toward a meaningful definition of what is most critical is a needed advancement. Focusing on Lifeline Functions allows for that.

The post COLUMN: Securing Our Critical Infrastructure Lifelines appeared first on HSToday.
