The actions in Iraq and Iran over these past few days have caused a renewed attention on the protection of America’s critical infrastructure. We have an adversary that lacks the ability to send missiles to our homeland now making violent proclamations of an intent to harm America and Americans. And while we have an understanding that while we have assets in the region that could be targets, experienced threat analysts naturally turn to Iran’s capability to use the Internet to project harm on our homeland via the Internet.
Over the past decade as the internet has grown more dominant in our daily lives, it too has grown dominant in the operations of our nation’s critical infrastructure. Our communications, transportation, finance, healthcare, energy, manufacturing and more are all now inexorably linked with the internet and other computing technology. While this has made these services vastly more efficient, it has also opened up a new vulnerability to America. And because the companies that build and operate many of these systems that we count on every day are not part of the government, there has existed a gap between their fiduciary and national security responsibilities. It is precisely that gap that adversaries like Iran may seek to exploit in today’s times of trouble.
Contrary to some histrionics on social media, this is not a new revelation and in fact there is a lot of good going on now in the cyber defense of our nation. Not to say that attacks won’t happen and won’t have an effect, but it’s important to understand some of the good things underway that have been put in place to protect all Americans and our way of life. Here are six that are worthy of report:
In November of 2018, President Trump signed into law the creation of the nation’s first cybersecurity and Infrastructure Security Agency to lead the collective efforts of the Government in the defense of our homeland’s critical infrastructure. CISA is being led by Director Chris Krebs, a tireless advocate of these goals who has put in place a strong leadership team that is charged with defending the nation's critical infrastructure from physical and cyberthreats. Together, they are making a difference where it counts by both defending today and securing tomorrow.
Ever since the terrorist strikes of 9/11 in 2001, the Government has worked closely with the 16 critical infrastructure sectors through the operation of Information Sharing and Analysis Centers (ISACs) specific to each sector. The membership of each of these sector-specific ISACs are made up by leaders of the companies that make up that sector. For instance, in the Financial Services ISAC (FS/ISAC), the members come from the banks and processors that actually operate our banking system. These members are integrated with experts from Government agencies including the FBI, Secret Service, Department of Homeland Security, and more, all toward the common goal of making the companies in that sector more secure and resilient in the face of attack. Currently, there are robust ISACs in full service in sectors including the defense industrial base, financial services, health, multi-state, energy, manufacturing, and more.
In addition to the FBI’s vaunted Cyber Division which maintains a team of highly-skilled cyber experts that not only take an oath but carry a badge and gun, the FBI began an outreach to the companies that make up our critical infrastructure over 10 years ago with their domain program, which in 2011 added support from DHS and was formally elevated to the level of the FBI Director’s Office as the Domestic Security Alliance Council (DSAC). The mission of the DSAC is networking for security on a broad base, and focuses on preemptive education, communication, industry threats and a senior advisory that helps speak in a single trusted voice directly to the CEOs and board members of the critical industry companies. This group gathers regularly and shares both threat and countermeasure information in real time toward their common defense.
Cyberspace Solarium Commission
The U.S. Congress is leading the development of a consensus strategic approach to protecting the crucial advantages of the United States in cyberspace. The Commission’s membership, led by leaders from both parties, DoD, the intelligence community, and key experts is right now finalizing a year-long report (expected early 2020) that will outline changes and enhancements both necessary and possible toward the defense of our critical infrastructure and economic well-being. Truly living up to the statement that ‘national security is non-partisan,’ this group is inspirational in their effort and focus on making America safer from cyber-attacks.
National Cybersecurity Moonshot
In February 2019 the White House’s National Security Telecommunications Advisory Committee (NSTAC) presented its seminal report to the President outlining its recommendations to make “Critical Infrastructure on the Internet Safe and Secure by 2028.” The NSTAC advisory group of private sector executives was originated by President Reagan and has directly advised every President since. This report established six pillars to build out a resilient infrastructure which are:
- Changing risky behaviors.
- Building trusted ecosystems.
- Improving cyber education.
- Adjusting policies.
- Enhancing privacy.
- Leveraging key new technologies that are quickly coming into our lives, including artificial intelligence, 5G communications, biometric identities, and quantum resistant encryption.
Collectively, it was the recommendation to the president that with a whole of nation effort along these six pillars, the U.S. could have a trusted and resilient infrastructure this decade.
Like the NSTAC, the White House’s National Infrastructure Advisory Committee (NIAC) is managed under the Federal Advisory Committee Act (FACA). Established in 2001, the NIAC also reports directly to the President, and is focused on the security and resilience of the Nation’s critical infrastructure sectors. Also like the NSTAC’s Moonshot, the NIAC has gone beyond report writing and into the domain of specific recommendations to the President. The NIAC delivered in December 2019 its report on “Transforming the U.S. Cyber Threat Partnership” that outlines specific plans on both urgent actions today, as well outlining a comprehensive solution for tomorrow. This strong report to the President will be a bellwether for a strong public/private actionable stance as a nation.
Within hours of the news from Baghdad Airport breaking, I received multiple sector specific alerts chocked full of trusted information and actionable steps to dial up defenses, each having also gone out to hundreds of trained security professionals in their sector’s companies. I also received updates from CISA, DSAC and others that tied together the interconnectedness of the cyber component of our national defense. The common thread among all of these programs is combining short term urgent actions with long term strategic goals. We have a saying in our business—your risk is my risk—and the foresight and good work of so many women and men in both Government and the private sector is to be both noted and appreciated. Working together with the private sector, academia, and the governments at the federal, state and local levels, this truly will be a whole of nation defense.