Chris Wysopal is Chief Technology Officer at Veracode.
As someone who has been speaking out about the cyberthreats to our critical infrastructure for almost two decades now, it’s uncommon to report on positive outcomes. Our company’s recent State of Software Security report found the government sector to be lacking in cybersecurity hygiene (scanning its applications for security vulnerabilities just one to two times a year or less), so the federal government’s new policies that recognize that security protection for critical infrastructure goes beyond physical security are encouraging.
It’s important to share what exactly is ongoing when it comes to cyberattacks and our nation’s infrastructure system.
The Insecurity Of Critical Infrastructure
The Department of Homeland Security designates 16 infrastructure sectors as critical (Presidential Policy Directive 21) — including energy, nuclear and transportation. They are considered so vital that any intrusion, downtime or damage could “have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
Our country’s critical infrastructure, by design, upholds the society we live in. Breakdowns in or disruptions to this infrastructure lead to lost productivity at best or catastrophic failures that could have much more dire consequences. These power plants, bridges, airports, electrical grids, nuclear plants, ports and waterways are part of the lifeblood that fuels the economy as well.
Crippling them would cause confusion, chaos and fear — and cyber actors know it. Ukraine, unfortunately, has experienced this. In 2015, hackers successfully compromised energy distributors and temporarily shut off the power for 230,000 people. It was the first known and documented successful cyberattack on a power grid. (Ukraine had another major outage in 2016.) Aviation, trains, communications systems and manufacturing are all at risk. Last year, cranes were successfully hacked in Europe with a prepared attack code.
Protection Beyond Physical Security
With the arrival of the internet, operational technologies were kept separate — or air-gapped — from information technology, which manages the flow of digital information. Now, IoT, AI and big data are changing how critical infrastructure is run and increasing efficiency.
In the United States, we’ve been lucky so far — we’ve avoided a major security incident that impacts our critical infrastructure. However, in 2019, there were examples of incidents that could portend larger attacks.
In March, a “cyber event” knocked out part of the transmission grid in Utah, Wyoming and California. While it did not affect the actual flow of electricity, it was the first known time a cyberattack has caused that kind of disruption in the United States.
Recently, the National Infrastructure Advisory Council (NIAC) issued a report that found cyberthreats pose “an existential threat” to national security, according to an article written by Maggie Miller in The Hill. The report focuses on efforts to mitigate the effects of a cyberattack on communications, energy or financial infrastructure and calls out supply chain threats as a risk to critical infrastructure.
Alarmingly, the “report found that China, Iran and Russia have the ability to launch disruptive cyberattacks on U.S. critical infrastructure, including the electric grid,” wrote Miller.
I testified to Congress the day after 9/11 — after the biggest physical attack on American soil in our history — about the danger cyberattacks posed to our critical infrastructure. In the aftermath of 9/11, the nation scrambled to secure itself physically. We invested billions in airport security, and the TSA exploded in size — not to mention the privacy compromises and concessions we made in the form of the Patriot Act.
But we have been less quick to protect ourselves from cyberthreats. In 2010, I wrote about how vital it was that we acted before a cyber version of 9/11 occurred. Now, finally, there is some real progress.
In September 2019, DHS revived a program to identify cybersecurity risks in aviation and improve U.S. cyber resilience. Early in November, DHS also released a guide on how small businesses and state and local governments can become more secure. The federal government is finally taking steps to recognize that the physical world is no longer the only place where we need protection.
And it’s not just malicious cyber actors we need to be protected against. The physical world and cyber world are intrinsically linked. A 2013 presidential policy directive on critical infrastructure calls this out specifically: it “recommends an integrated approach whereby physical security and cybersecurity professionals are involved in all phases of developing an appropriate risk assessment methodology, conducting risk and vulnerability assessments, and recommending appropriate countermeasures and/or protocols.”
A tornado that hits an oil field in Oklahoma could have huge consequences for shipping out of New Jersey. An attack on the U.K. power grid almost shut off the power on election day. The attack on Ukraine happened around the Russian annexation of Crimea. It’s not enough to understand and work toward cyber resilience on its own. We need to look at security holistically, taking into account everything from the weather to politics to great power competition. And we need to start recognizing that anything connected to the internet, or even things that are internet-adjacent, is a possible security risk.