Incoming: Keeping America Strong, Safe and Free
Now that Donald Trump has become the 45th president of the United States, he will be exposed to the nation’s soft underbelly: cybersecurity. Given rapid advancements in information and communication technologies, continued coupling of the digital domain with the physical world and advanced persistent threats, critical infrastructure protection poses a major challenge for the United States.
This is where the president should focus his efforts. But is either the Department of Homeland Security or the Defense Department the right agency for cyber protection?
Federal, state and local governments rely on critical infrastructure to provide vital services to citizens. We have seen the news reports—when critical infrastructures fail, the consequences can be severe. The lack of electrical power, telecommunications, financial services, running water or health care during an emergency could cause mass chaos that stresses the fabric of trust between citizens and their government. In fact, if physical attacks were accompanied by cyber attacks on the nation’s critical infrastructure, hundreds of thousands of lives could be lost.
The persistent threat stems from a growing number of increasingly sophisticated Internet users. In 1985, roughly 2,000 people used the Internet, which then supported a broad community of researchers and developers. Today, more than 3.5 billion people use the technology. And critical infrastructure is increasingly caught in the crosshairs. Last year, a Kaspersky Lab report noted that hacker group BlackEnergy APT attacked power companies in Ukraine, and a separate SANS Institute report on industrial control systems indicated that Dragonfly, also referred to as Energetic Bear, had targeted hundreds of energy companies in North America and Europe.
These industrial control systems often rely on aging applications that run on outdated hardware and infrastructure, creating challenges that are difficult and costly to defend against. Further, Kaspersky pointed out that the vast majority, or 92 percent, of remotely available control systems’ hosts have vulnerabilities, and 87 percent of these hosts contain moderate-risk vulnerabilities.
The American Society of Civil Engineers, which rates U.S. infrastructure systems every four years, reported a near-failing overall grade of D+ in 2013. Today’s leading challenge is that the systems fail to keep pace with current and expanding needs, and investment in infrastructure is faltering. Although funding for homeland security is up 11.5 percent over 2016, an increase of $5.2 billion, current funding falls significantly short of the estimated $3.6 trillion needed to shore up the nation’s critical infrastructure by 2020. Considering the country’s vulnerabilities and lack of resources, as the engineering association reports, we must proceed with caution. We do not need to throw a match if we are covered in gasoline!
In his October remarks to the armed services, then-candidate Trump said it correctly when addressing the need to crush cyber crime: “We should not let this be like the history of the Mafia, which was allowed to grow into a nationwide organization that infiltrated and corrupted so many areas of society for such a long time. We can learn from this history that when the Department of Justice, the FBI, the DEA and state and local police and prosecutors were combined in task forces directed at the Mafia, they were able to have great success in prosecuting them, seizing their business interests and removing their infiltration from legitimate areas of society.”
Beyond a cyber task force approach, perhaps the first step for the administration is to elevate U.S. Cyber Command (CYBERCOM) to a unified combatant command, separate from the National Security Agency (NSA). The current NSA/CYBERCOM arrangement was created in 2010, which when viewed through the lens of Bezos’, Moore’s and Metcalfe’s laws, is eons ago. It makes sense to split the NSA director and the CYBERCOM commander roles to create a span of control that is manageable and aligned with each organization’s mission. The NSA and the Defense Information Systems Agency (DISA) then would become component commands. In this new, elevated organization, CYBERCOM, not the Department of Homeland Security, would be better positioned to defend U.S. critical infrastructure.
If the separation happens, CYBERCOM faces the key issue of funding to develop required capabilities while building up its force structure. The challenge will be choosing the right time and the right processes to enable both organizations to accomplish their missions while diminishing risk to the nation.
Fragmented governance, insufficient policy and a shortage of skilled cybersecurity professionals add to the challenges the next administration must address. However, as Albert Einstein said, “In the middle of difficulty lies opportunity.” The Trump administration must ensure that future budget cycles reflect the national need for critical infrastructure protection, including investments in strategy, design and skills acquisition. In doing so, we can contribute to America’s strength, safety and freedom.
Maj. Gen. Earl D. Matthews, USAF (Ret.), the former director of cyberspace operations in the Air Force’s Office of Information Dominance and Chief Information Officer, is vice president of Hewlett Packard Enterprise’s Enterprise Security Solutions Group for HPE Enterprise Services, U.S. Public Sector. The views expressed are his alone.