As a senior advisor to two U.S. Presidents, Melissa Hathaway helped develop U.S. cybersecurity policies. She currently is the President of Hathaway Global Strategies, and a senior advisor for the Cyber Security Project at Harvard. Hathaway spoke with The Cipher Brief about how critical infrastructure sectors need to be prioritized to help improve overall security efforts.
The Cipher Brief: You have written that our current definitions of what constitutes critical infrastructure may be too broad. Can you elaborate on this? What benefit would be gained from designating some industries as more critical than others?
Melissa Hathaway: Critical infrastructure is a term used by governments to describe certain sectors—energy, oil and gas, telecommunications, water and wastewater systems, transportation, financial services, etc.—that are deemed essential to society and the economy. For example, Presidential Policy Directive 21, signed by President Obama in February 2013, designates 16 different sectors as “critical,” and each of these is becoming increasingly vulnerable to cyber attacks through automation, interconnectedness, and a reliance on the Internet. As such, they are susceptible to equipment failure, human error, and naturally caused outages, as well as physical and cyber attacks. While threats are real and growing, the resources available to protect and increase the resilience of those infrastructures are finite. Unfortunately, most national strategies and policies do not prioritize the services and infrastructures that are most at risk. Instead, they treat all of the infrastructures deemed “critical” equally. As there is no hierarchy of importance with regard to critical infrastructure, governments often issue general guidance and broad regulatory requirements to protect them across the board.
I believe it is time to reconsider what the term “critical” means and whether it truly encompasses so many different sectors. In fact, I believe that there are three critical sectors: power, telecommunications, and financial services. The benefit gained by designating some infrastructure as more critical than others would help us prioritize our use of limited resources and focus our efforts, and as a result, we could make measurable progress in increasing the resilience of the most indispensable services that our society and nation depend upon.
TCB: You have also put forward the idea of focusing more on protecting critical services than critical infrastructure. What are critical services, and what differentiates them from critical infrastructure? Why should they be prioritized over critical infrastructure?
MH: Over the last 25 years, the United States and most other nations have primarily focused on the protection of the physical assets and the logical function of infrastructure components rather than on the products or services that the networked infrastructure delivers to citizens, businesses, and countries. Identifying critical services, like power, telecommunications, and finance, that transcend national boundaries and upon which our digitally connected societies and nations depend, would allow a stronger alignment of security measures with the resource requirements necessary to reduce exposure.
Changing the focus from critical infrastructures to critical services may change the prioritization and approach to protection, resilience, recovery, and restoration of assets. It would also highlight the interdependencies of networked infrastructures across national boundaries, demanding different approaches to domestic and international security.
TCB: How have the threats to critical services and infrastructure changed, and how do you expect them to change moving forward? What do you believe is driving these changes?
MH: We typically think of threats to critical services and infrastructure as physical dangers and the kinetic effects of disruptive actions. But our critical infrastructures and services are increasingly dependent on the Internet and the information communication technologies (ICTs) that underpin them. Thus, they are increasingly vulnerable to electronic disruption, systems failures, and a range of nefarious cyber activities by a spectrum of hackers, criminals, terrorists, and state and non-state actors. Indeed, the availability, integrity, and resilience of these critical infrastructures and services are in harm’s way. Sophisticated, malicious cyber actors are penetrating our network defenses, and most cyber incidents remain undetected for months and sometimes years. Traditional defense-in-depth approaches, relying first and foremost on a distinct and hardened network perimeter, have failed. Point solutions and defensive mechanisms are and will continue to be outpaced by the volume, scope, scale, and sophistication of cyber threats used to support activism, crime, fraud, espionage, disruption of service, and destruction of assets.
There can be no question that the cybersecurity landscape will continue to evolve dramatically in the next decade. Cyber threats to our critical services and infrastructures will continue to grow in scope and sophistication as more and more of those essential services are connected to the Internet and reliant on ICTs. Our near-term economic opportunity of connecting people, devices, places, and things is estimated at $19 trillion. This attractiveness of the efficiencies, productivity, and growth that this promises will not be ignored. As we embrace the Internet of things (IoT) we must architect for resilience, graceful degradation, and isolation mechanisms so that a threat from one part of our connected society cannot transmit to all other segments.
Defending today’s critical infrastructures and services requires new approaches and advanced techniques that strengthen our collective security and help us prepare for tomorrow’s challenges.
TCB: How can industry and government better work together to improve their ability to secure critical assets?
MH: First and foremost, we must focus on three critical services/infrastructures: energy, telecommunications, and finance. We must develop a better understanding of their interdependencies. Once they are understood and acknowledged, industry and government can work together to better align security measures and the resources needed to reduce risks and increase resilience.
Secondly, we need to clean up our infected infrastructures. The United States is the number one infected country — globally — representing more than 21 percent of Botnet Command and Control servers. The net effect of our infections enables illegal and illicit activities, and jeopardizes all networked infrastructures and services.
Finally, we need to look at a broader range of market levers — regulation is not the only approach. The U.S. Government should use tax incentives, leverage unique applications of the National Defense Production Act, and accelerate and seed innovation to close the security gap. Many U.S. government officials talk about the need for innovation, yet those same officials have not worked closely with industry to really understand where industry is going with the IoT. The government should look to all market levers and collaborate with industry to develop a multi-year technology roadmap that prepares for and designs a future architecture with resilience built in. In the last five years, $7.3B has been invested into 1208 private cybersecurity startups. These grass-roots efforts are being initiated by businesses that can no longer tolerate being victimized by criminals and foreign governments alike. The government must partner with industry and contribute time, money, and technical talent to the research and development — innovation — needs of our digital future.