PERSPECTIVE: We’re The Government and We’re Here to Help Protect Critical Infrastructure

This post originally appeared in the November 8, 2018 update from Cipher Brief  by Francis X. Taylor.

As we look back on cybersecurity awareness month, which ran in October, there’s no better time to examine the cybersecurity health of our critical infrastructure (CI). When a majority of the actual infrastructure that makes up “critical infrastructure” is owned by the private sector, the question becomes: what is the role of the federal government, and how should private industry and the federal government work together to protect the cybersecurity of critical infrastructure?  Is the federal government too involved, or not involved enough?

We first need to understand that protecting the cybersecurity of our private sector partners is critical to national security. Too often, the private industry has reported cyber-attacks and the response from the federal government has been inconsistent at best, and absent at worst. Nation State actors, criminal organizations and terrorists all understand the vulnerabilities of our systems and actively work to exploit them. For instance, after the 2016 election, multiple sources reported that foreign actors hacked election systems in several states across our country. Recent reports indicate that our election infrastructure is still vulnerable almost two years after the initial attack. Yet Congress can’t seem to pass a bill to help protect one of the most critical aspects of democracy: free and fair elections. The federal government has a limited role in securing election mechanics associated with the voting process itself, but it can do more to help States understand the nature of the cyber security risk they face and to share best practices that would help mitigate those risks. This has been very effective in other critical infrastructure sectors and needs to be expanded in the election infrastructure sector as well.

The Obama Administration deemed election security the nation’s sixteenth critical infrastructure sector in January 2017. That was an important start. This designation means that the election infrastructure, which is primarily in the hands of state and local governments, is now eligible for additional funding, intelligence, and other resources only available at the federal level.

More broadly, it is the responsibility of the federal government, through the Department of Homeland Security (DHS), to be the leader in providing a mechanism, such as public-private partnerships (P3s), for the owners and operators of critical infrastructure, recognizing a majority of which are privately-owned businesses. The goal of this partnership is to share threat and resilience information for and on, cyber and physical security best practices, as well as classified and unclassified government information. DHS has the responsibility to coordinate preparedness efforts across industries and U.S. governments, and through the National Protection and Programs Directorate (NPPD), has had some .

To support the public-private sector cooperation, DHS established Information Sharing and Analysis Centers (ISACs) more than 10 years ago, which allow sector-specific information and best practice sharing between industry and the federal government. ISACs have proven their worth. For example, the Oil and Natural Gas ISAC (ONG-ISAC) has allowed for peer-to-peer information sharing between LNG companies, and bi-directional intel sharing with the federal intelligence community, as noted in a recently published report by the American Petroleum Institute. ONG-ISAC is one example, but the ISACs are across most industries and sectors, with the government sharing key intel across the sectors.

Another recently announced public-private partnership effort is the recently announced Pipeline Cybersecurity Initiative. With the support of key industry players, this initiative will deepen the energy industry’s relationship with the federal government, to further improve the cybersecurity of the sector. The decision by the Department of Energy (DOE) to invest $28 million in research and development to protect the energy sector cybersecurity is positive. Considering that cyberattacks on the oil and natural gas sector have increased to about four per second, this investment could not come at a better time.

In addition to the development of public-private partnership efforts by the federal government to improve cybersecurity, the government has also started picking winners and losers, instead of focusing on protecting all 16 federally designated critical infrastructure . Contrary to this, the Trump Administration recently proposed a plan to bail out the coal and nuclear industries under the guise that the cybersecurity of these industries are supposedly more secure than that of liquid and natural gas (LNG), which does not seem to be the case. For now, White House advisors have convinced the Administration to shelf that plan. Hopefully enough of Congress will push back on the idea of the executive branch micro-managing market forces, and instead direct this effort to ensure that all CI owners and operators have access to, and can leverage, government intelligence and information to protect and improve CI cybersecurity. It is imperative that the federal government protect all 16 critical infrastructure sectors, regardless of market performance.

As our attention shifts away from cybersecurity awareness, it’s important that we maintain our vigilance in protecting our critical infrastructure. Furthermore, we can’t let the hyper-politicization of today’s environment impact how we protect our nation’s critical infrastructure. While the role of the federal government in protecting our nation’s cybersecurity is continually evolving, by developing and improving on current P3s, the government can be a leader in protecting the cybersecurity of our critical infrastructure.

Cipher Brief Editorial Note: On the heels of Cybersecurity Awareness Month in October, President Donald Trump has proclaimed November as National Critical Infrastructure Security and Resilience Month.

It’s a mouthful, but the declaration highlights the important need to focus on securing critical infrastructure.  Secretary of State Kirstjen Nielsen released a statement on the President’s proclamation, saying “Americans rely on secure and resilient infrastructure to provide access to safe food, reliable electricity and transportation, clean water, and instant communication. These physical and cyber systems—and others across all 16 critical infrastructure sectors—provide the essential services that support and underpin American society.

Francis X. Taylor is the former Under Secretary for Intelligence and Analysis (I&A) at the U.S. Department of Homeland Security (DHS).