Lack of transparency, systemic risks weaken national cybersecurity preparedness

What is critical infrastructure? If you ask 5 different people, you may receive 5 different answers. The term critical infrastructure has lost much of its meaning as a differentiator of private entities and currently defines sectors from energy to commercial facilities.

Bob Kolasky, SVP for Critical Infrastructure at Exiger, previously served as Assistant Director for Cybersecurity and Infrastructure Security Agency (CISA), and in this Help Net Security interview talks about protecting critical infrastructure, the importance of information-sharing, national cybersecurity preparedness, and more.

Why is it essential to legally define what critical infrastructure is? Is there a global consensus?

The United States defines critical infrastructure as the “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

Defining critical infrastructure is the backbone of risk prioritization for cybersecurity activities. Much of what government’s rely on to conduct essential functions and maintain national and economic security as well as community well-being is outside the direct operational control of governments and can be thought of as critical infrastructure. Therefore, ensuring the security and resilience of that infrastructure, is a joint public-private effort. By legally defining such critical infrastructure, governments can focus on enabling public-private information sharing, joint efforts to secure infrastructure, and establishing security priorities. It also is the basis for global norms regarding what is “off limits” to cyber actors to maintain deterrence and discourage nation state actors.

There is a general consensus as demonstrated through work done by the Organization of Economic Cooperation and Development (OECD) and the FVEY between the United States, Canada, United Kingdom, Australia and New Zealand on the definition of critical infrastructure. However, there is nuance in particular industry sectors that are highlighted as such by various countries. The European Union has relied on that consensus for European Commission policy as well.

Government organizations must collaborate with the private sector to effectively fend off attackers. What are the benefits of this information-sharing process?

Public-private information sharing is necessary but not sufficient for cyber defense. Information sharing should be multi-directional and include information about cyber threats that is learned through intelligence gathering and system monitoring, information about vulnerabilities that is learned through product review, penetration testing, and real-world incidents as well as contextual information about cyber risk that is created through aggregation of cyber reporting.

It should not be thought of as government sharing with industry or industry sharing with government as much as sharing across governments and private entities to create a rich pool of data about cyber threats and vulnerabilities which can help guide network defense priorities. Doing this in real-time allows for nimble cyber security operations.

Critical infrastructure usually contains a myriad of legacy hardware and software solutions, many of which are not supported by the manufacturer. What challenges are involved in protecting such complex yet outdated architectures?

This is unfortunately true and generally happens in two forms: One is via the idea of a “Technology Deficit” where organizations lack the experience, expertise, and willingness to spend to maintain secure technical solutions; the other is because of long-term operational cycles where system upgrades (particularly around operational technology) only happen once every couple of decades. In both cases, this can lead to outdated software and hardware which is inherently more vulnerable given that security solutions for it are not dynamic.

In an ideal world, organizations would prioritize investments to remove outdated technology from their operational environments. However, this does not always happen; when it doesn’t, there are a couple of options for addressing the issue. They can include placing requirements through government policy or private contracts so that entities can’t operate outdated systems.

Another approach is to identify outdated systems and ensure that they are not connected to critical assets and functions so that any vulnerability in those systems doesn’t present a significant risk because the consequence of a breach would be minimized. If neither of these two solutions are utilized, then it is important to prioritize cyber resilience so that the outdated systems have backup processes in place to ensure critical operations continue even in degraded conditions.

National cybersecurity preparedness requires a layered approach to risk management with multiple lines of defense. How hard is it to set one up?

Countries have generally been successful in establishing layered approaches to risk management in terms of putting in place risk mitigation strategies to respond to threats, identify and close vulnerabilities, and minimize the consequences of an attack.

These approaches, however, are not generally sufficiently robust and dedicated actors can still cause great harm to national interests. As Moody’s just reported there is around $22 trillion of global debt with “high” or “very high” exposure to the risk of cyber attacks. Moody’s particularly highlighted hospitals and gas, electric, and water utilities of having significant exposure.

The obvious conclusion to the reality that lots of risk management activity has been taken at national levels (and the international level), yet lots of risks remain that risk management efforts have not sufficiently led to risk reduction. This should lead to a call for continued efforts at all aspects of the risk management “layers”.

One example where the layer is not sufficiently strong is cyber supply chain risk management. Governments and companies still do not have sufficient transparency into their supply chains and the ability to evaluate the risk of a cyber breach of a supplier to their operations. As such, business arrangements are creating additional risk and, unfortunately, much of that risk is concentrated which could have systemic impacts on national interests and economic activity. Bringing transparency to systemic risk is a needed step to enhance risk management at the national level.