The SolarWinds supply-chain compromise and the ransomware attacks on JBS, the meatpacking company, and on Colonial Pipeline in the United States – we have all heard about them – but a large part of the private sector is still not fully aware of the strategic consequences of such attacks. In cyberspace, the demarcation line between private and public disappears when it comes to critical infrastructure. It is imperative that the public and private sectors work together to address this threat effectively.
Now, what is critical infrastructure? The most straightforward definition comes from US federal law itself: “[…] systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters”. Thus, national critical infrastructure (NCI) can be seen as comprising health, food and agriculture, water, transportation, communication systems, security, energy, facilities providing governmental and public services, dams, critical manufacturing and even financial systems.
NCI is the sector most exposed to malicious cyber threats: it is the most readily available target and an ever-growing attack surface for an operation whose aim is to cause the greatest damage (even if not in terms of lost lives, as in conventional military action). What is even more concerning is that we face a triad of interdependent threats: criminal, terrorist and state-actor attacks. In some instances an operation combines several of these elements, or all of them. The fog of war that Clausewitz described in “On War” appears to be even thicker in cyberspace.
This is evidenced by the rising number of cyber incidents targeting the sector, amid a lack of proper preparedness not only among private operators of such systems, but also among operators of national infrastructure owned and run by governments. Nowadays, systems within each sector are automated and interlinked. An incident that in the past would have remained an isolated failure can now cause widespread disruption through cascading effects and supply-chain dependencies. Disrupting or disabling NCI may reduce a state's ability to defend itself and to keep functioning through a crisis, and could undermine public confidence in these services and weaken the economic or military strength of a nation. This is why cyber-resilience – the capability to withstand a cyber-attack, minimize the damage and recover from it – is such an important and challenging mission.
In 2021, following several high-profile attacks in the US, the Biden administration decided to take a step in the right direction and focus on ensuring a higher level of security for NCI. First, in May 2021, President Joe Biden issued the Executive Order on “Improving the Nation’s Cybersecurity”. Similar initiatives have been put forward by earlier presidents; this executive order, however, was followed in July by a National Security Memorandum with a narrower scope: “Improving Cybersecurity for Critical Infrastructure Control Systems”. This latest initiative aims to bring more coherence to what is right now a “patchwork of sector-specific statutes that have been adopted piecemeal, typically in response to discrete security threats in particular sectors that gained public attention”, according to the president.
What is even more interesting in this memo is its emphasis on a shared responsibility between the government and NCI operators, highlighting the importance of cooperation in countering threats to this sector. From a private party’s perspective, the Executive Order and the memo were welcome news, since they provide more clarity and uniformity on what is expected of us when working with the government and operating in critical sectors. On the other hand, these cybersecurity standards also mean more investment will be needed to upgrade cyber defense capabilities in both federal agencies and private companies. The memo directs the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) to develop a set of “cybersecurity performance goals” which the administration hopes critical infrastructure owners and operators will voluntarily adopt. This optional, collaborative effort is called the Industrial Control Systems Cybersecurity Initiative, and its main goal is to encourage, develop and enable the deployment of a baseline level of cybersecurity technologies and practices. Even though following these guidelines will be entirely voluntary, companies are encouraged to evaluate their data privacy and security vulnerabilities and come up with measures to address them. Peer pressure is expected to raise the level of compliance across industry.
Washington’s strategic objectives in cyberspace are to build a resilient ecosystem and to impose costs on foreign adversaries that attack the US. Building a resilient ecosystem is a difficult objective, and private and public actors have to work together to achieve it. At the White House meeting of August 25th, the Biden administration and representatives of the private sector concluded, among other things, that the NIST framework must be strengthened to protect the integrity of the technology supply chain, that natural gas pipelines must be brought into the Industrial Control Systems Cybersecurity Initiative, and that multi-factor authentication, further work on zero-trust architectures, event logging and cyber awareness training must become pillars of the national effort. The meeting represents an ambitious initiative to reset the national cybersecurity posture of the US. The key is to create a legal and technical framework that bridges the private and public sectors.
Across the Atlantic, the European Union adopted a piece of legislation years ago – the Directive on security of network and information systems (the NIS Directive) – on the same topic: the security of networks and information systems, covering critical infrastructure as well. The Directive rests on three pillars: national capabilities, cross-border collaboration, and national supervision of critical sectors. When first enacted, it was accompanied by a so-called “NIS toolkit” containing implementation guidelines and good practices for EU Member States when addressing cybersecurity. The Directive itself, however, is a legally binding instrument, in contrast to the non-binding performance goals being developed by CISA in the US. Comparing EU and US initiatives on cybersecurity, it is clear that the Union leans towards hard law and binding mechanisms in order to make private entities and governments comply with a baseline cybersecurity approach, while the US sticks with voluntary goals and guidelines, leaving more room for different entities to interpret them, and relies on peer pressure. The EU’s General Data Protection Regulation (GDPR) is another example of this regulatory approach. A recent evaluation by the European Commission, however, concluded that a revised directive (NIS 2) is needed in order to improve collaboration and address enforcement issues.
What both jurisdictions (EU and US) have in common is that things are starting to move and the importance of securing critical infrastructure services is better understood. The proliferation of cyber incidents targeting NCI has given rise to concerns about cybercrime, acts of terrorism and cyber-attacks by state actors or their proxies. Even President Biden has stated that a cyber-attack, or a series of them, could someday lead to a “real shooting war.” Events such as the 2021 data-extortion incident involving Saudi Aramco, or the WannaCry attack that affected the National Health Service in the UK in 2017, are just two high-profile examples from the plethora of incidents affecting critical infrastructure sectors worldwide.
The race between China and the United States for strategic advantage is ongoing, and cybersecurity is an essential part of that geopolitical competition. The recent Microsoft Exchange Server intrusions, which were attributed to a Chinese state-sponsored actor and affected thousands of organizations worldwide, are just the latest evidence of the rising stakes in this game. In fact, on September 1st new Chinese regulations came into force that compel companies to give the Chinese government early notice of exploitable zero-day vulnerabilities, allowing it to patch early or even to use the information for offensive purposes. This move is intended to give Beijing early access to sensitive information from all companies operating on the Chinese mainland, including foreign companies that may also operate in critical infrastructure sectors.
The common values at the foundation of the Trans-Atlantic alliance between the US and Europe should be translated into common lines of action in cyberspace, including establishing common ground for national and international cybersecurity law, with emphasis on creating an effective framework for collaboration between the private and public sectors in critical infrastructure. Inaction and complacency are not an option, as cyber events affect international security and endanger public safety and health, as seen during the COVID-19 pandemic: not only have state-affiliated actors tried to steal vaccine research, but hospitals have also been disabled by ransomware attacks and could no longer treat COVID patients effectively. It remains to be seen whether Biden’s cyber policy will continue with the system of voluntary guidelines or will follow the European approach, go further and introduce federal legislation. One thing is certain: cyber threats are universal, and they are growing in number, complexity and intensity.
Since tools and weapons in the cyber realm evolve constantly and at high speed, it is crucial to develop national policies to identify and monitor critical infrastructure elements and to better protect them from all kinds of attacks, including those in cyberspace. Moreover, critical infrastructure facilities should be tested continuously through adversarial simulation, in order to realistically assess their resilience, their response and the effectiveness of their security capabilities.
We, at Cyber Dacians, see the development of cyber tools and weapons on a daily basis, and have first-hand experience of how difficult it is to stay one step ahead of the bad guys and how easy it is to bypass defensive mechanisms. That’s why we strongly believe in a shared responsibility and effort between private and public actors, and are committed to playing our part as providers of offensive cybersecurity software and consulting services.
Timo S. Koster