Sean Atkins is a PhD candidate in security studies and international relations. His research focuses on national defense in cyberspace and cyber statecraft. He is also an active-duty US Air Force officer whose service ranges from national cyber policy development to multiple counterinsurgency operations deployments.
The recent discovery of the SolarWinds cyber-attack offers yet another example of the significant cyber risk America’s critical infrastructure faces.1 In particular, it raises questions about US cybersecurity policy for critical infrastructure, a policy that is founded on voluntary partnership between government and industry. Despite its importance, however, the government has yet to clearly articulate in strategic terms what its policy aims to achieve.
Defining what “success” looks like can guide the massive public and private efforts in this approach. In its absence, the result has been a policy patchwork, pieced together over time in response to newly discovered vulnerabilities and threats like those of the SolarWinds incident. Strategic direction is essential to get ahead of dynamic security challenges and it appears to be lacking in an area critical to the nation.
On December 10, the Center for International Studies (CIS) brought together MIT’s Internet Policy Research Initiative (IPRI), Cybersecurity at MIT Sloan (CAMS), and CyberPolitics@MIT to host a panel discussion aimed at defining long-term "success".2 The panelists combined deep expertise on this issue derived from practice and policy experience within both industry and government.3 Their distinct (though generally not opposing) ideas about what constitutes “success” in critical infrastructure cybersecurity policy included:
- elevating thinking above the mechanics of the problem to develop a more sophisticated strategy that engages the “broader state of affairs”;
- shifting focus from the technological details to address the economic and behavioral foundations of cyber insecurity;
- a deeper partnership between government and industry that is more mature in its operation; and
- stronger and better organized government leadership.
The ensuing discussion outlined a more holistic vision for government-industry partnership to secure the critical functions that US national and economic security relies on.
With talk of cyber Pearl Harbors or digital 9/11s, some of the attention paid to critical infrastructure cybersecurity might border on alarmism, but there is real reason for concern. The US has already seen foreign cyber operators conduct significant disruptive attacks on its financial services sector and virtually place themselves at the controls of electricity distribution points.4 Last year’s National Intelligence threat assessment noted that cyber adversaries were postured to disrupt natural gas pipelines and were actively mapping other critical systems to be able to cause substantial damage.5 Furthermore, increasing reliance on new connected technologies (such as those associated with the growing Internet of Things), and cross-sectoral interdependence (such as the financial services sector’s dependence on the energy and information technology sectors) bring new vulnerable surface area and greater risk for cascading failures. The trend line in terms of both scope and scale of risk is clear, bringing US cybersecurity policy under well-deserved scrutiny.
Since the late 1990s, US policy to secure critical infrastructure from cyber threats has been based on a semi-voluntary partnership between government and private industry.6 Its voluntary component primarily takes the form of coordination and information sharing between government agencies and firms. In some sectors, policy also involves regulation or other purposive government intervention to compel, induce, or help firms to take certain actions on cybersecurity. This approach makes sense considering that the vast majority of critical infrastructure, from financial services to pipelines and from the power grid to telecom networks, is owned and operated by private industry.
The policy regime has evolved significantly over the last two decades, often in response to a continuing flow of emerging threats, realized vulnerabilities, and changes in technology that affect both of these. When stepping back to examine its evolution and consider its future, a striking realization is that a clear definition of success has yet to be articulated. A guiding vision of what “good” would look like for these efforts, beyond broad ideas of information sharing and coordination, is absent.
During an hour and a half discussion moderated by political science professor Chappell Lawson, panelists offered their visions of “success”, detailed its key elements, and highlighted requirements to achieve it. For Mark Montgomery, executive director of the Cyberspace Solarium Commission and former Navy Rear Admiral and Senate Armed Services Committee policy director, success is a better organized and higher functioning public-private partnership. More specifically, this first involves correcting and building consistency in interagency performance across critical infrastructure sectors. For instance, the water sector’s relationship with the Environmental Protection Agency (the sector’s lead agency) is not nearly as high-functioning as that between the financial services sector and the Treasury or the electricity sub-sector and the Department of Energy. Consistency in lead agency engagement and risk evaluation for their sectors is essential. Furthermore, government agency turf wars that continue to impede progress and complicate relations with private industry in some sectors must be eliminated. Second, “success” involves conducting combined preplanning for potential significant cyber-events. This includes federal, state, and local governments working with critical infrastructure owner-operators to develop and exercise playbooks and processes. Third, resilience in the public-private collaboration itself is also a component of “success”. Having a robust vehicle to facilitate flexible and effective collaboration, especially in response and recovery from significant events, is vital.
Montgomery emphasized that achieving these aims would require stronger government leadership. Government must be better organized and this will require an “Admiral Rickover” type of leadership that takes hold of an issue and rigorously applies a standard to it.7 For Montgomery, creation of a National Cyber Director (a Cyberspace Solarium Commission recommendation) would be a step in that direction.8 Much of the director’s potential rests on selecting the right person, however. It must be someone who can walk in with strong relationships in Congress and that CEOs will want to engage.
In contrast, Joel Brenner (CIS senior research fellow9, author of America The Vulnerable, and former National Security Agency lead counsel) argued that the US needs to elevate its thinking beyond its largely procedural improvement focus to develop a definition of success that accounts for the “broader state of affairs”. This procedural orientation is inward looking, directing effort and measuring progress based on how one used to be. This, Brenner notes, is a recipe for self-deception. Instead, the guiding aimpoints for success include first that attacks on critical infrastructure would fail (because of an inability to get through or to produce effects) and would be punished when conducted. Next, there would be liability for firms who knowingly sell insecure goods that made critical systems more vulnerable. Liability is an important driver of behavior and this is one of the only places where knowingly placing defective goods into the stream of commerce is without consequences. Finally, effective security standards would be in place, implemented partly through suasion as well as regulation where needed. Achieving these aims relies on creating positive and negative incentives to address the fundamental challenges to cybersecurity, which are primarily economic, legal, and behavioral in nature, not technical.
Similar to Brenner, Larry Clinton, president of the Internet Security Alliance and co-author of The Cybersecurity Social Contract, defines success in a way that accounts for the broader state of affairs, particularly those associated with the economics of cyber insecurity. Success for Clinton is the United States having a comprehensive strategy that is as integrated and sophisticated as its top cyber competitors. The basics of US strategy have not meaningfully changed since they were established in the 1990’s: primarily standards development and information sharing. In comparison, China has a comprehensive digital strategy that was developed with a much broader scope and pursued with substantial investment. The strategy appears to be the product of a holistic analysis of how to exploit the digital world not only for short-term competitive advantage but for long-term technological and commercial superiority. Expressions of this strategy range from China’s industrial espionage campaigns to its trillion dollar digital silk road initiative, designed with broader geopolitical ambitions in mind. Measured against this bar, current US cyber-strategy and even the Cyberspace Solarium Commission’s recommendations are too narrowly focused to be strategically competitive.
According to Clinton, three things need to happen to move toward an improved strategic framework. First, the relationship between government and industry must become a true partnership. The current public-private partnership is largely rhetorical in nature with the government treating firms as “stakeholders,” or worse as unruly children. The strategic challenge is not corporate malfeasance (although some likely exists). It is that we have an inherently vulnerable system protecting valuable things and government and industry are tied together in this problem. A more fulsome and equitable partnership structure is needed to build unity and to develop and run an effective digital strategy. Second, a shift in thinking needs to occur, from over-focus on technology to the economics that drive behavior of both attacker and defender. At its foundation, the cyber insecurity problem is not that technology is bad, it is that technology is under attack because the economic incentives favor the attacker. It is impossible to make systems invulnerable through better technology or standards; therefore, the underlying economic calculus for attackers and defenders must be addressed. For instance, there is a gap between a commercial and national level of security. Government should not expect firms defending against national security level threats to make un-economic investments in cybersecurity to close that gap. Adjusting the economics to address this gap requires building incentives, tailored to each industry sector. Tax incentives might be appropriate in some markets, procurement incentives in others, and creative no-cost to government forms in still others (such as safety record preferencing as is done with pharmaceutical companies). Finally, stronger government leadership is necessary and Clinton argues for an Office of Digital Security Strategy (ODSS) positioned within the White House. In contrast to the Cyberspace Solarium’s recommendation for a National Cyber Director, the ODSS would have a broader mandate and be equipped with greater staff, budget, and authorities.
For Tony Sager, a former National Security Agency Information Assurance leader who now runs the Center for Internet Security’s global cybersecurity best practices initiative, “success” is a more mature approach to critical infrastructure cybersecurity. This involves first a shift from technology-focused strategies and policies to ones grounded in risk decision-making. Shifting strategic thinking away from the mechanics of the problem and onto developing mechanisms for effective decision-making in a high risk environment is essential. A second component is moving from talk about sharing information to serious discussions about what to do with it. Information sharing is important but it is the means to an end, not the end itself. The aim of information sharing should be improved risk decision-making but most sharing today only provides redundant information, telling recipient decision-makers what they already know. A third element of “success”, is changing to a “security built-in” model for infrastructure technology producers. The current security model involves infrastructure owner-operators acquiring after-market security products to build security on top of their systems after purchase. While this may work for a handful of large well-resourced firms it is unsustainable for others, particularly for medium and small businesses. With a shift to building security into infrastructure up front, market forces begin to take effect to increase security and the government’s role switches to one of helping private actors become smarter buyers with security considerations.
Achieving this level of maturity requires a different kind of leadership from government. It will take more than acting as “the grand convener”, imparting requirements from on high, or coming in with a big bag of money. The cybersecurity challenge to critical infrastructure is dispersed and interwoven across the economy and this means the government needs to organize the various capabilities and talent that exist across the nation, in the private sector, within government, and in non-profits like Center for Internet Security.
In aggregate, the panelists sketched the outlines of an improved strategic vision for US critical infrastructure cybersecurity policy. It drew attention away from the technical details of the challenge to focus instead on its economic and behavioral foundations. In doing so, the discussion pointed toward a more sophisticated and holistic strategy that engages the “broader state of affairs”, develops a more mature partnership between government and industry, and builds stronger and better organized government leadership.
1 Cybersecurity and Infrastructure Security Agency. “Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations.” 17 December 2020. Accessed 30 December 2020: https://us-cert.cisa.gov/ncas/alerts/aa20-352a.
2 This event was part of a continuing research project led by Chappell Lawson and Sean Atkins.
3 The four panelists included: Mark Montgomery, Executive Director of the Cyberspace Solarium Commission; Joel Brenner, CIS Senior Research Fellow; Larry Clinton, President, Internet Security Alliance; and Tony Sager, Senior Vice President of the Center for Internet Security.
4 USA v. Fathi et al. Sealed Indictment. No. 16 CRIM 48. US District Court Southern District of New York. 2016. Accessed 26 August 2019: https://www.justice.gov/opa/file/834996/download.
Smith, Rebecca. “Russian Hackers Reach U.S. Utility Control Rooms, Homeland Security Officials Say.” Wall Street Journal. 23 July 2018. Accessed 20 April 2020: https://www.wsj.com/articles/russian-hackers-reach-u-s-utility-control-rooms-homeland-security-officials-say-1532388110.
5 Coats, Daniel. 2019. Statement for the Record: Worldwide Threat Assessment of the U.S. Intelligence Community. Senate Select Committee on Intelligence. January 29. Accessed August 23, 2019: https://www.intelligence.senate.gov/sites/default/files/documents/os-dcoats-012919.pdf
6 PDD-63 (Presidential Decision Directive/NSC-63). 1998. Critical Infrastructure Protection. May 22. Accessed July 23, 2018 https://fas.org/irp/offdocs/pdd/pdd-63.htm
7 Admiral Hyman G Rickover served in the US Navy from 1918 – 1982 and is known as the “Father of Nuclear Navy”. His stringent safety and quality control standards ensured the Navy’s record of zero reactor accidents.
8 U.S. Cyberspace Solarium Commission. Official Report. March 2020. Accessed 30 Dec 2020: https://www.solarium.gov/report
9 In 2017 Brenner led a CIS sponsored study on securing critical infrastructure networks, which can be found here: https://cis.mit.edu/sites/default/files/documents/Report-IPRI-CIS-CriticalInfrastructure-2017-Brenner.pdf.