President's Commentary: When Everything Is Critical, Nothing Is Critical
The United States cannot adequately secure its entire critical infrastructure. The infrastructure is too broad and complex. Much of it consists of highly vulnerable legacy software running older supervisory control and data acquisition (SCADA) systems. But the nation can take steps to address vulnerabilities in key areas and mitigate losses in others.
This will require an increased national dialogue on responsibility and accountability. When everything is critical, nothing is critical. Because there is not enough money to provide the security necessary to protect all the critical infrastructure, the first step is to establish priorities. The priority list should be topped by the three most important infrastructures: power, telecommunications and financial services.
These three areas rise above the other elements of the critical infrastructure, and their security must be paramount. Adversaries are already within our networks, lying in wait for the right opportunity to strike to their geopolitical benefit. In addition, the burgeoning Internet of Things is establishing new vulnerabilities for enemies to exploit.
The critical infrastructure must be cleansed.
Attackers intent on exploiting the weaknesses in these systems could do great damage at all levels. Without electricity, little operates. Access to necessities and protection from the elements disappear. Deny the power grid, even in a small area, and a cascading effect cripples all aspects of society. Similarly, telecommunications has become so ubiquitous that its sudden removal would bring activity in almost all aspects of daily life to a halt. Much of the economy, as well as the ability to coordinate emergency, important and regular activities, depends on a robust telecommunications infrastructure.
The financial services sector is the engine that carries the U.S. economy. If the public loses confidence in that sector, then the economic underpinning of the United States is severely damaged, if not lost. The Great Depression gives us an example of the catastrophic damage wrought by the collapse of the finance sector from a loss of confidence. The effect of such a failure today would be far greater and wider, severely affecting the global economy.
Attacks on other critical infrastructures would be harmful, but likely not as devastating on a national scale. Their effects could be partially mitigated.
The nation must determine the main courses of action: Which parts of the infrastructure still need to be secured and to what degree, and how can government and industry work together to achieve the best security possible?
Choosing which infrastructure elements to secure will require developing a number of generally agreed-upon metrics. For example, what level of security does each sector need, and how costly will securing each one be? How do we manage risk within and across the sectors? How can we provide necessary resiliency? What is the level of effort required? These and other factors must be weighed for the nation to develop a cogent plan for securing the infrastructure.
Much of the critical infrastructure is owned and operated by the private sector, but government is a key part of any security effort. Collectively, the private sector and government must identify the respective mission-critical areas they advocate and support in the name of national security. A trusting partnership, perhaps the most difficult objective, must be created and nurtured. Government must work concurrently with industry to eliminate gaps and seams in the implementation of any strategy by establishing appropriate standards, among other aims.
One important step is to improve vital information sharing among industry, government, academia and other infrastructure partners so that a relationship of trust can be developed. Barriers such as slow information sharing and overclassification of information must be minimized. This was enunciated in the National Security Strategy released in December. Lowering the classification level on threat data has been a long-standing issue. Industry often is already aware of much of the threat information government provides. The government must be a better partner by sharing timely and truly actionable information.
We can debate the issue of securing the critical infrastructure to death or we can act. There is too much rhetoric and not enough action. Adversaries are not waiting. They are planning and executing new types of disruptions: Witness Russia’s attacks on Ukraine or the WannaCry attacks attributed to North Korea. We must extend our imaginations to provide insights into potential effects and plan accordingly.
An effective domestic risk management strategy will help us more than any international agreements that can be, and usually are, violated by terrorists and nation-states. Feel-good legislation and policy are not the solutions, but government and industry activity, accountability and responsibility are.