A recent Pew Research Center study revealed that 83 percent of Americans say public infrastructure will be damaged by a future cyberattack. Add 25 more countries to the mix and the figure drops just 14 percentage points. Only Japanese citizens hold a more pessimistic view than Americans.
A short while ago, gates, guards, and guns were all that was needed to protect our energy, transportation, and water infrastructure from threats. Even as interconnectivity flourished in our personal and professional lives, the industrial control systems underlying our critical infrastructure existed largely isolated from the internet. The perimeter was physical.
Not anymore. A wave of digital transformation is sweeping across the industrial world, pitting demands for greater efficiency and reliability against security. The information and communication technologies that power business and commerce are converging with the operational technologies that control our critical infrastructure — and with little consideration for the risk.
An interconnected infrastructure is a good thing for the U.S. and global economies. Combining advanced computing with industrial automation will boost productivity and output. Interconnectivity also improves the reliability of our infrastructure by enabling predictive and remote maintenance to address problems before they result in costly and sometimes dangerous outages.
But there’s a trade-off. The more interconnected our infrastructure the more vulnerable it is to cyberattacks. Hackers are exploiting this newly connected terrain to conduct reconnaissance, gain remote access, and in some cases, mount attacks.
Thankfully there have only been a handful of cyberattacks against public infrastructure, most notably the 2015 and 2016 malware attacks that left hundreds of thousands of Ukrainians without electricity for a combined total of about seven hours.
But more concerning than known examples of disruptive malware is what we don’t know. The so-called “known unknown” — malware that remains undetected in our critical infrastructure awaiting instructions to disrupt or even damage in the event of geopolitical escalation.
Short of pulling the trigger, a small number of countries are preparing the digital battlefield by gathering target intelligence and prepositioning tools for future operations. As Director of National Intelligence Dan Coates reminded us during his annual threat briefing to Congress, “Moscow is now staging cyber attack assets to allow it to disrupt or damage U.S. civilian and military infrastructure during a crisis.”
As long as a few nation-states monopolize this tradecraft there is hope for establishing a global deterrence regime. But while nation-states are the greatest concern today, the barriers to entry for criminals and other non-state actors are decreasing with every marginal increase in connectivity. To borrow a phrase from Sir Winston Churchill, we must quickly adopt an international strategy that accounts for “the case of lunatics or dictators” not bound by the constraints of globally integrated economic actors.
On the technical front, the solution is more straightforward. Most of the devices that run the world’s infrastructure were never designed to be secure. They often lack basic security features like encryption and authentication because, like the internet itself, they were built to operate in highly trusted, closed environments.
Making matters worse, this interconnected attack surface is highly opaque. Unlike the open standards that handle most of the internet’s traffic, the world’s critical infrastructure runs on dozens of obscure and old protocols, many of which are proprietary to a small number of manufacturers and difficult to parse. When it comes to critical infrastructure in cyberspace, defenders are in the dark without the benefit of night vision goggles. Imagine trying to protect a port from an offshore submarine without knowing the cardinal direction of your own docks. This is the current state of industrial cybersecurity — and its advantage offense.
Faced with these circumstances, some are calling for a retreat into technological isolation — reverting from digital to analog and automated to manual, thus supposedly rendering hacking techniques obsolete. This prescription misses the point and it neuters America’s edge for innovation, a competitive advantage that supports both economic and national security priorities.
On the contrary, America’s critical infrastructure is not vulnerable because it’s digital or automated; it’s vulnerable because the attackers understand the terrain better than the defenders. The security of our critical infrastructure, therefore, depends in large part on our ability to invert the visibility gap, obscuring our most sensitive assets to attackers and exposing them to defenders. We must transform what is an opaque attack surface into a transparent defense architecture.
The aforementioned Pew study also polled citizens on the question of their country’s cyber preparedness. About half of Americans say their country is ready to deal with a major cyberattack. Our view is a more optimistic one informed by those who are at the tip of the spear.
For the first time in the history of modern warfare, industry — not government — is on the front lines. The unfair advantage of America’s position in cyberspace is rooted not in government or industry alone, but rather in the harmonious partnership of the two. With nearly 90 percent of America’s critical infrastructure residing in the private sector, the primary burdens of defense rest with the same men and women who, for generations, have kept the industrial sector running. Now their mission has shifted from one of reliability to resilience — running under attack.
As government sits in the crow’s nest monitoring the horizon of cyberspace for incoming threats, it is necessarily incumbent upon industry to surveil and rid their own networks of the adversaries who’ve already made it ashore. The circumstances of this digital battlefield — paired with deepest deference to civil liberties — has conscripted American industry into action. Indeed, this delicate division of labor is our greatest advantage.
As cyber meets physical we may very well experience damaging cyberattacks against our public infrastructure in the future. But one thing is for certain: We will keep running.
Michael S. Rogers was the 17th director of the National Security Agency and 2nd Commander of U.S. Cyber Command. He is chairman of the Board of Advisors at Claroty. Dave Weinstein is the Chief Security Officer at Claroty and a Visiting Fellow at George Mason University’s National Security Institute.
This post was first published in The Hill.