Critical Infrastructure Cyber Protection: Stronger Deterrence Helps but Isolation and Mitigation are Essential
Bruce J. Heiman, Partner - Public Policy and Law, K&L Gates
Bruce J. Heiman, Partner - Public Policy and Law, K&L Gates
On September 20, 2018, President Trump signed the National Cyber Strategy of the United States. The Strategy has four pillars, the first of which is to protect the American people, the homeland and the American way of life. Securing critical infrastructure is a key component of that effort. That strategy recognizes that information and communications technology underlies every sector in America and calls for managing cyber security risks to increase the security and resilience of the nation’s information and information systems.
The May 2017 Presidential Policy Directive 21 sets forth 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. The National Cyber Strategy states that the government will use a risk-management approach to “mitigating vulnerabilities to raise the base level of Cybersecurity across critical infrastructure. We simultaneously use a consequence-driven approach to prioritize actions that reduce the potential that the most advanced adversaries could cause large-scale or long-duration disruptions to critical infrastructure.” The Administration will prioritize risk-reduction activities across seven key areas: “national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation.”
Such a focus is fully justified in that selected facilities make attractive targets given that any attack would likely have huge impact with significant externalities.
The National Cyber Strategy appropriately continues to rely on government-private sector cooperation and coordination and utilizes best industry practices developed in the global marketplace. Nevertheless, increased government attention to these sectors is also appropriate given they tend to be concentrated in fewer number of larger firms, nearly all of which have previously established relationships with the government, and are often currently regulated. Moreover, critical infrastructure sectors (and their industrial control systems) are today connected to public communication and internet infrastructures that while greatly improving efficiencies and effectiveness, also dramatically increase vulnerabilities.
One important way in which the government proposes to increase protection is through greater deterrence: “We will also deter malicious cyber actors by imposing costs on them and their sponsors by leveraging a range of tools, including but not limited to prosecutions and economic sanctions, is part of a broader deterrence strategy.” Thus on the same day that the President signed the Strategy, the Trump Administration also adopted a new classified Presidential directive authorizing “offensive cyber operations” against U.S. adversaries, which would allow the military and other agencies to undertake those actions necessary to protect the impacted systems and the nation’s critical networks. The new policy also permits speedier action by those closer to the situation unless these measures would result in death, destruction, or significant economic impacts.
Deterring an attack in the first place is clearly the best outcome. But it would be foolish to expect that all attacks will cease. Indeed, the government’s actions to increase deterrence come after repeated calls for industry to improve its defenses. Such steps range from the most simple such as ensuring passwords are regularly changed to cutting-edge deployment of artificial intelligence that are able to recognize in-real time new malware not previously identified.
But the old adage remains: defenders have to be right every time — an attacker only once. Those seeking to do harm have access to many of the same cutting edge technologies available to defenders.
Critical infrastructure sectors (and their industrial control systems) are today connected to public communication and internet infrastructures that while greatly improving efficiencies and effectiveness, also dramatically increase vulnerabilities
It would be reckless to assume that in the future our adversaries will be completely deterred or be rendered unsuccessful in penetrating our defenses.
The question therefore becomes what to do next? We need to adopt a different paradigm that acknowledges successful attacks will occur despite the government’s efforts at deterrence and industry’s best efforts at prevention. It is time that industry gives greater priority to isolating and mitigating damage as well as facilitating recovery. These usually are defined under the rubric of improving the resiliency of systems. With critical infrastructure, our fault tolerance is quite limited.
Greater attention needs to be paid to designing cyber “fail-safes” that anticipate breaches and respond in a way that minimizes harm. Admittedly this is particularly difficult in systems where continuous reliability is needed, but that clearly illustrates that even greater effort is required.
We’re all familiar with mechanical or physical fail safes — airport luggage carts, lawnmowers, and snowblowers that stop whenever a control lever is released. Similarly air brakes on railway trains, elevator brakes, and isolation/control valves are designed to intercept when system failures occur. Some examples of electronic devices include circuit breakers and industrial alarms. And perhaps front and center in the public consciousness are nuclear reactor control rod automatic shutdowns.
Note that this is not intended to resurrect an internet “kill switch” as some feared was proposed by legislation in 2010, and that would have authorized the President to issue mandatory orders and directives to critical infrastructure systems if a “cyber emergency” was declared. Rather it is a call to the owners and operators of our critical infrastructure, and the developers of the programs they rely upon, to highlight and adopt technologies and automatic processes for isolation and mitigation in the event of an attack.