The security policies underpinning the nation’s critical infrastructure sectors and protecting them from cyberattacks are outdated and require comprehensive overhaul, according to a recent report by the Cyberspace Solarium Commission 2.0.
According to the report, the existing policies have significant gaps, with one of the main issues being ineffective collaboration between the government and private sector partners.
Additionally, Sector Risk Management Agencies (SRMAs) are poorly organized and lack the necessary relationships, resources and authority to perform their tasks.
“Meanwhile, there are numerous other challenges. The strategy and policy documents governing critical infrastructure have become stale,” the report warned. “The current systems for designating sectors as critical and for mitigating cross-sector risks are inadequate.”
Partnering With Industry
One of the key recommendations from the report is making government a better partner to industry and through both voluntary partnerships and regulation, as noted in the new National Cybersecurity Strategy.
“The current system fails to clearly assign responsibilities during a cybersecurity incident, leading to inefficient and redundant responses from various agencies,” said Craig Jones, vice president of security operations at Ontinue.
He added that while specifics of the cybersecurity threats presently endangering U.S. critical infrastructure were not detailed in the recent report, cybersecurity threats to critical infrastructure commonly include malware, ransomware, phishing attacks, DDoS attacks and other intrusion techniques.
“These threats continuously evolve,” he pointed out. “The transformation of cybersecurity threats against critical infrastructure is a multifaceted process, shaped by technological advancements, geopolitical dynamics and the escalating sophistication of cybercriminals.”
This evolution of cybersecurity threats includes a surge in ransomware attacks, a shift toward supply chain attacks and the exploitation of remote work infrastructure in the wake of the COVID-19 pandemic.
Cybersecurity Through Global Cooperation
Darren Guccione, CEO and co-founder at Keeper Security, said one of the most important takeaways from this summary is the Pentagon’s commitment to addressing the ever-expanding cybersecurity threat landscape through global cooperation.
“International cooperation is critical to combat the threat of cyberattacks, especially when the threat actors are sponsored or shielded from international prosecution by a nation-state,” he said.
He added that as the government increases investment into cybersecurity and uses more third-party solutions, the private vendors and developers that want those contracts will be forced to make sure their products also meet federal standards.
“One way this process is being streamlined for federal agencies, state and local governments and higher education institutions is through programs like FedRAMP and StateRAMP,” he said.
A FedRAMP-authorized vendor or product is vetted by the program so that individual agencies can save time and money while looking for a solution.
The report highlighted a critical concern: The current system’s failure to clearly assign responsibilities in the aftermath of a cybersecurity incident.
“This can lead to chaotic responses, with multiple agencies scrambling to address the same incident,” Jones explained.
To tackle this issue, the report proposed empowering the Cybersecurity and Infrastructure Security Agency (CISA) to take the lead and fundamentally rewriting the Presidential Policy Directive 21 (PPD-21), which currently provides guidance for federal agencies on ensuring the security of critical infrastructure providers.
Jones said to simplify regulatory processes and avoid duplication when federal agencies respond to cyberattacks, there needs to be an amplification of inter-agency communication and coordination.
“By fostering better back-end communication among agencies, the burden on victim companies can be eased as they won’t be inundated with redundant enquiries,” he said. “Such an approach would pave the way for a more streamlined and effective response to cybersecurity incidents.”
From Guccione’s perspective, cybersecurity is national security and must be prioritized as such.
When used for political purposes, these cyberattacks may be part of a larger effort to threaten operations, destabilize a government or disrupt critical infrastructure such as power grids, transportation networks and financial institutions.
“Protecting critical infrastructure and the services that people rely on from cyberattacks is as important as protecting it from physical attacks, because the consequences have the potential to be equally devastating,” he said.