A Taste of Reality Puts the Focus on Critical Infrastructure
As I write this, we are experiencing some nearly unprecedented oppressive weather in the Washington area. About one week ago, we had a series of violent thunderstorms that caused extensive damage and knocked out power to more than 1.5 million electrical customers—comprising millions of people—in Washington, D.C., Maryland and Virginia. Many communications systems also failed, either because of damaged infrastructure or loss of power. This includes telephone, cable and cellular systems along with their accompanying processing and switching facilities. Credit and debit cards, along with ATM cards, were useless in many places just when people needed them to buy vital goods for surviving the blackout. More seriously, the 911 emergency call system ceased to function in areas where it was needed the most. And, in some locations, potable water was a problem because power was lacking for pumps and water treatment.
All of these factors led to school and work closings, road problems from downed trees and dark traffic signals, lost business, government disruptions and a lot of uncomfortable people, as the region experienced 11 straight days of temperatures above 95 degrees Fahrenheit. These sustained high temperatures amid the blackout caused effects ranging from spoiled food to dangerously unhealthy conditions for many individuals.
Why the weather report? The situation in the Washington area shows the dependence everyone has on critical infrastructure. We often fail to think about the importance of our infrastructure until we lose it. In this instance, loss of infrastructure was because of nature. But what if similar consequences were triggered by a cyber attack? Similar disruption could be achieved by a cyber attack that took down a significant piece of the power grid, disrupted communications systems or shut down water processing. How prepared are we to prevent or mitigate such attacks?
The U.S. Department of Homeland Security and other federal, state and local agencies work with companies in the critical infrastructure industries to share intelligence and coordinate defense of resources. Cyberthreats are real and are growing in number and sophistication. They are driven by simple hackers, hacktivists, cybercriminals, terrorists and state-sponsored actors. These threats are not unique to the United States. The overall cyberthreat is growing in every part of the world. Al-Qaida recently has issued communications encouraging its followers to leverage the cyber domain to disrupt economies and daily life. In the current European Union Internal Security Plan, the EU describes cybercrime and terrorism as the number one internal security threat to Europe.
The good news is that more resources are being applied to cybersecurity globally. The bad news is that the majority of the effort is being applied to protecting data and networks, and much less to the widely distributed and diverse critical infrastructure. Most of the critical infrastructure is owned by private industry, which requires a massive effort to coordinate information sharing and preventive action to protect these valuable resources. Standards are in place along with guidance to industry on how to protect these infrastructure resources, but implementation is inconsistent.
It has been said repeatedly that government systems and networks could be protected more effectively if they were fully integrated. Government systems and networks are complex, with many domains that are not transparent. System and security architectures are varied, with enclaves not visible at the enterprise level. As a result, surveillance and situational awareness at the enterprise level is difficult. Yet, it is not difficult to envision how much harder it is to comprehensively protect critical infrastructure when that infrastructure is owned and operated by many companies with widely varying operational and security architectures and tenuous communication among the companies. In many cases, these same infrastructures are dependent on one another, and effects can cascade through networks or grids. Because these infrastructures have no central control across enterprise boundaries, a failure in one part of the grid or network can impact others before they can react to protect their systems.
So what can we all do to address these issues? Government can redouble efforts to bring together the companies in critical infrastructure industries to share information, lessons learned, and protection methods and tools. We in nonprofit organizations can help with this, as many of these companies are our members and we can promote sharing and collaboration without violating antitrust laws. Industry can improve understanding of the threat, participate in sharing with other companies in their own and adjacent industries, and apply the necessary resources to protect their systems adequately.
I have seen enough in the past week in the Washington area to make me appreciate the criticality of the infrastructure we all take for granted. I would prefer to avoid going through this repeatedly because we are not protecting our assets from cyber attack.