President's Commentary: Critical Infrastructure Protection Is a Work in Progress

The topic of critical infrastructure protection has been around for decades. In May 1998, President Bill Clinton issued Presidential Decision Directive (PDD)-63 on the subject of critical infrastructure protection. This represented a decision formally recognizing that key elements of our national infrastructure were critical to national security, the economic vibrancy of the United States and the general well-being of our citizenry. The PDD further highlighted the necessary actions to preserve and ensure the continuity of these critical infrastructures. In the wake of the terrorist attacks of September 11, 2001, President George W. Bush published Homeland Security Presidential Directive (HSPD)-7 for Critical Infrastructure Identification, Prioritization and Protection, superseding PDD-63 and adding agriculture and food to the list. HSPD-7 in turn was superseded two years ago by Presidential Policy Directive (PPD)-21, Critical Infrastructure Security and Resilience, which calls for “advancing a national unity of effort to strengthen and maintain secure, functioning and resilient critical infrastructure.”

On February 13 at Stanford University, President Barack Obama issued an executive order promoting private sector cybersecurity information sharing. The executive order stated, “Organizations engaged in the sharing of information related to cybersecurity risks and incidents play an invaluable role in the collective cybersecurity of the United States. The purpose of this order is to encourage the voluntary formation of such organizations, to better establish mechanisms to continually improve the capabilities and functions of these organizations and to better allow these organizations to partner with the Federal Government on a voluntary basis.”

This is a welcome and much-needed step in protecting the nation’s 16 critical infrastructure sectors, all of which have a significant information technology base. The accumulated and evolving body of knowledge and evidence on the topic of critical infrastructure protection strongly points to a need to redouble our efforts in this area and to move smartly from the study phase into coordination, planning, resourcing and implementation. Whether desired or not, critical infrastructure protection policy development and implementation is a shared responsibility among the private sector, government and interested parties in academia. This requires a concerted effort between all the parties, none of whom can “carry the day” on their own.

While cyber events and attacks on critical infrastructure are relatively new to the general public, the history of cyber events can be tracked back to the early 1980s. We have been on borrowed time—literally for decades—when it comes to a major debilitating critical infrastructure attack. The viability of cyber attacks and cyber attack simulations against our national infrastructure has been common knowledge for years. Events such as Titan Rain, Operation Aurora, Stuxnet and Saudi Aramco are just a few examples. More recently, one only need look to a recent report released by Kaspersky Lab to highlight the risks facing portions of the banking and e-commerce industry. The report states that one gang alone stole more than $1 billion from 100 financial institutions worldwide over a period of two years.

Over the years, the topic of critical infrastructure protection has been studied extensively, yet broad concrete actions resulting from these studies are less apparent. It is heartening to see that government soon will begin increased sharing of classified and unclassified information regarding cyberthreats. Understanding vulnerabilities and threats to our infrastructure is critical, especially as technology evolves and new concepts are introduced, such as the Internet of Things, where the attack surface expands. More is to be gained from a greater public understanding of the threats and vulnerabilities facing our critical infrastructure than can be achieved by limiting its exposure. Without the education and understanding that is derived from information sharing, we are less inclined to apply the necessary resources to adequately address the challenge.

Despite everyone’s best intentions, developing a solid critical infrastructure protection policy and plan must take into account the cultural differences, privacy and the respective needs of a diverse society, coupled with a disciplined, systematic approach to critical infrastructure protection. It calls for a thoughtful understanding of the elements of cyber risk management. None of these are easy tasks. However, this is an opportunity and a period of time that we cannot let pass.

Critical infrastructure protection is a topic of immense interest to all Americans, Europeans and other members of the industrialized Free World. AFCEA is uniquely positioned to help facilitate the “ethical exchange of information,” as defined in our mission statement, in the area of critical infrastructure. Opportunities abound; now is the time for AFCEANs to seize them—for everyone’s benefit.