America’s Critical Infrastructure is Fragile and Vulnerable
In May of last year, the 5,500-mile-long Colonial Pipeline shut down for the first time ever. A ransomware attack on the pipeline operator created fuel shortages along the entire East Coast, drove up gas prices, and prompted a state of emergency. The attack sparked immense concern over the cybersecurity of critical infrastructure.
Cyber networks and information systems support critical infrastructure. Transportation systems, energy, financial services, and communications are inherently at risk for cyber-attacks and cyber intrusions. Securing U.S. critical infrastructure cyber networks is vital to protecting U.S. national security, public health, safety, and economic prosperity. Therefore, the U.S. should implement a defense-forward strategy to prevent cyberattacks on critical infrastructure.
U.S. defensive cyber efforts to date have largely been ineffective. Problems include the difficulty of cyber attribution as well as gaps in information sharing between the government and private sector companies. An estimated 80 percent of the nation’s critical infrastructure is owned and operated by private sector companies. Because implementation depends on the willingness and ability of those companies, federal cybersecurity initiatives to combat malicious cyber actors are difficult to carry out.
The U.S. should apply the Department of Defense’s “defense-forward” strategy to the cybersecurity of U.S. critical infrastructure. A defense-forward strategy encompasses proactively observing, pursuing, and countering adversary operations and imposing costs in day-to-day competition. Its aims are to disrupt and defeat ongoing malicious cyber campaigns, deter future campaigns, and reinforce favorable international norms of behavior.
A cyber defense-forward strategy would:
Decrease the confidence of attackers: Defense-forward operations reduce the confidence of malicious cyber actors and their ability to carry out attacks successfully, and can therefore decrease the number of cyber-attacks. In addition, defense-forward operations include information operations, which can reduce the perceived legitimacy of cyber-attacks and thus an attacker’s motivation to conduct more of them. For example, a defense-forward strategy would allow the U.S. to access a hacker group’s systems and cameras, giving the U.S. confidential information with which to prevent a future cyber-attack. A defense-forward strategy would also use information operations to spread the message, and convince potential cyber actors, that attacking U.S. critical infrastructure would prove ineffective and that any attempt to do so would result in severe penalties, thus limiting their confidence in carrying out attacks.
Make U.S. critical infrastructure proactive in cyberspace: A defense-forward strategy entails a preemptive rather than reactive response to cyberattacks. A defense-forward approach encompasses threat hunting and penetration testing, which allow U.S. critical infrastructure operators to be proactive in cyberspace. Penetration testing enables critical infrastructure operators to identify vulnerabilities in their networks. Threat hunters can then actively search those networks for possible intruders using known attackers’ tactics, techniques, and procedures.
Strengthen private sector networks: A defense-forward strategy allows the U.S. critical infrastructure community to increase the cost of cyberattacks and decrease their perceived benefits, particularly for attacks on the private sector. By reducing the incentives for cyberattacks on the private sector, a defense-forward strategy can make private sector networks more robust and more resilient.
Some argue that increasing U.S. offensive cyber capabilities, such as through a defense-forward strategy, may encourage other actors to increase their budgets for offensive cyber operations. However, implementing a defense-forward strategy will decrease the ability of such actors to conduct cyber-attacks. Nor will it prompt an increase in an adversary’s cyber operations, provided the adversary correctly interprets U.S. intent: the U.S. would employ a defense-forward approach as an offensive-defensive measure to protect U.S. critical infrastructure, not to attack foreign nations’ cyber networks.
After last year’s attack on the Colonial Pipeline, many people wonder when and where the next attack on critical infrastructure will occur. Addressing the vulnerabilities in our cyber networks and information systems through a defense-forward strategy will keep our nation’s critical infrastructure safe. A defense-forward strategy will strengthen U.S. national security, protect public health and safety, and promote economic prosperity.