Why the government says industry can’t wait for a single cyber catastrophe
WASHINGTON — Industry, government and citizens are bracing for a catastrophic cyberattack to change the status quo of cybersecurity practices said the Cyberspace Solarium Commission.
"A slow surrender of U.S. power," is how Rep. Mike Gallagher, R-Wisconsin, and co-chair of the commission, described the current approach at an event in Washington Thursday.
Only victims of cyberattacks can measure the full extent of damage; what is catacylsmic to one may not be to others. Without a unified plan for resilience throughout government and industry, a singular event disrupting basic operations or the economy is inevitable, the commission said.
While the U.S. government had made strides in cybersecurity, some say its push has depreciated the word "cybersecurity." Government uses cybersecurity too broadly when identifying malicious activity, said Suzanne Spaulding, senior adviser at the Department of Homeland Security, International Security Program and Commission member, while speaking at an event in Washington Thursday.
As a result, cyber needs reinvigoration and recognition of a ubiquitous threat landscape. "Theft of [personally identifiable information] is not the same as an attack on an industrial control system," she said.
Industry considers a "cyber Pearl Harbor" a collective event that shuts down the whole world at once. But severe cyberattacks aren't always cataclysmic — bad actors can haunt systems as "termites" and steadily erode underlying security, said Chris Inglis, professor of cybersecurity studies at the U.S. Naval Academy and a Commission member, while speaking at an event in Washington Wednesday. Those cyberthreats fall somewhere between "cataclysmic and insidious."
The Cyberspace Solarium Commission, established in 2019 to strategize American defenses in cyberspace, says it is releasing its report Wednesday.
Cyber defenses are multifaceted, including deterrence by denial, or the ability for the U.S. to immediately regain operations if a hacker succeeds. Deterrence could shape the behavior of cyber and devalue, if not eliminate, the "constant drumbeat of attacks," said Tom Fanning, CEO of Southern Company and Commission member, speaking Thursday.
Deterrence by denial undermines the reward of malicious activity. But before U.S. industry and government can ensure speedy recovery, they have to prioritize assets — which requires collaboration between the private and public sector.
The electric utilities industry knows the electric grid better than the government, said Fanning. The industry has an obligation to relay where the priority systems exist to the government.
By prioritizing systems, operations and data in the event of of a catastrophic cyberattack, the U.S. can maintain economic continuity and diminish adversaries' reward of an attack.
The U.S. has to understand what data needs protection or what offline holdings uphold critical infrastructure, said Samantha Ravich, Chairman of FDD's Center on Cyber and Technology Innovation and Commission member, while speaking Thursday.
"You can't have banks function without the electric grid," which runs on oil, gas and coal, said Ravich. Prioritization sends adversaries a clear message: "The next day, they will feel our wrath. That is deterrence."
The U.S. cannot wait for its perception of a cyber catastrophe to actualize. The window of recovery is shrinking daily, and a resilient nation is one that relies on cross-sector functions, or interdependencies and cross sector reliance — not sectors or industries in silos.
The Commission identified systematically important infrastructure, focussing on cross-sector functions the American public relies on:
-
Telecommunications
-
Utilities
The functions, when identified, need prioritization, said Spaulding. An outline of prioritization will be one of the recommendations within the commission's report. The Commission hopes that the American public will demand the recommendations will be pushed through Congress and made into law, said Ravich.
Gloss