The saying goes, “Never let a good crisis go to waste.” The escalating number of cyberattacks against our country’s critical infrastructure, including most recently an attack on a water treatment facility in Florida, provides an important opportunity to evaluate and enhance the collective defense model.
While the incident in Florida ultimately did not result in any harm, its occurrence demonstrates that threat actors are targeting and exploiting vulnerabilities in our infrastructure. Consequently, following the attack, the U.S. Senate Intelligence Committee asked the Environmental Protection Agency to review whether the 2015 Water and Wastewater Sector-Specific Plan developed by the Department of Homeland Security for enhancing the security and resilience of that sector should be updated to mitigate similar risks.
An effective response cannot, however, rest solely on the private sector or the U.S. government due to informational and operational restraints. Instead, it is imperative that the public and private sectors come together to develop a solution for rapid and effective responses.
Attacks on our nation’s critical infrastructure, which includes physical and cyber systems and assets like a water treatment facility or a power grid, could be devastating to our economic security and public health and safety. This infrastructure is typically privately owned and operates in a decentralized economy. The private sector is in the unusual position of having to balance the implementation of security protocols and systems to protect these assets against its fiduciary duties to shareholders. Due to these competing interests, any threat response protocol should be developed in tandem with the federal government.
Federal Government Progress
The federal government is rising to the challenge. For example, Congress recently passed the IoT Cybersecurity Improvement Act, which would set minimum security requirements for developing, patching, and configuring Internet of Things devices.
Along with requiring the National Institute of Standards and Technology (NIST) to issue standards-based guidelines for devices owned or controlled by the federal government, the law specifies that federal acquisition rules must reflect the pending security standards and guidelines and prohibits federal agencies from procuring devices that cannot meet these guidelines.
Moreover, the Federal Energy Regulatory Commission, responsible for overseeing the reliability of the nation’s power grid, recently issued a proposal for public utilities to secure incentive-based rate treatment for voluntary cybersecurity investments that go above mandatory Critical Infrastructure Protection Reliability Standards.
In addition, this year’s National Defense Authorization Act includes a broad range of cybersecurity recommendations developed by the public-private initiative known as the Cyberspace Solarium Commission (CSC).
Among other things, the CSC has recommended establishing the national cyber director and supporting Office of the National Cyber Director, the creation of a continuity of the economy plan and the formation of a Joint Cyber Planning Committee under the Cybersecurity and Infrastructure Security Agency (CISA) to facilitate the coordination of defensive cybersecurity campaigns across federal agencies and the private sector.
And, notably, the Biden administration requested congressional approval for a significant spending plan, which includes funds for CISA to bolster cybersecurity across federal civilian networks and support the piloting of new shared security and cloud computing services.
More Can Be Done to Build Upon Federal Initiatives
First, the government must collaborate with the private owners and operators of the infrastructure to develop cybersecurity standards and guidelines. Although each critical infrastructure sector faces unique challenges through its diverse customer base and corporate responsibilities, the entire infrastructure ecosystem faces a common threat by virtue of being connected to the internet. By helping to address this commonality, federal standards and guidelines may result in a level playing field across all sectors.
Second, the government needs to bolster funding for CISA. With additional resources, CISA would be better able to work with owners and operators of the nation’s critical infrastructure to supplement efforts to secure networks.
Third, private infrastructure owners and operators need federal support, either through direct funding or financial incentives. Federal incentives, for example, may provide needed resources for the private sector to update vulnerable and insecure infrastructure. They may also motivate the private sector to modernize its infrastructure, enhancing its ability to share cyber threat information with peers and government partners and then to act on it.
Federal support also is needed in investigating cyberattacks to effectively protect our nation’s infrastructure. By investigating the attacks, the public and private sectors can better identify threat actors and hold them accountable for their criminal and malicious conduct.
However, the cost to reach attribution can be a significant barrier for the private sector, especially when considering the private sector’s obligations to shareholders. Thus, a coordinated effort to finance, investigate, and reach attribution is imperative, but in such a manner as to avoid increasing legal liabilities to the infrastructure owner.
Our country knows how to address cyber threats and protect critical infrastructure. The recent federal initiatives are encouraging. CISA, for example, worked cooperatively with those on the front lines of the presidential election, including state and local governments, election officials, federal partners, and vendors, to successfully manage the potential cybersecurity risks to the nation’s election infrastructure.
Now is the time to take the next steps towards a collective defense model across all critical infrastructure sectors to address and manage those risks.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Evan D. Wolff is a partner at Crowell & Moring and co-chair of the firm’s Privacy & Cybersecurity group and a member of the Government Contracts group.
Maida O. Lerner is senior counsel in Crowell & Moring’s Privacy & Cybersecurity, Government Contracts, and Environment & Natural Resources groups.