Introduction

Almost fifteen months after the crippling attack on the Colonial Pipeline, changes in attitudes and action of the federal government have resulted in some of the most significant cybersecurity evolutions in modern history. Previous to the ransomware attack on the U.S. oil and gas network, little consideration was given to the operational technology underpinning our nation’s critical infrastructure as a target of cyber attack, let alone attacks constructed to destabilize U.S. economic strength and confidence by the American people in the institutions upon which they depend. 

Less than a week after that event, the U.S. federal government signaled its commitment to change with the publication of Executive Order (E.O.) 14028, which set in motion a series of requirements instantiating new and strengthening existing cybersecurity regulation aimed at reducing unnecessary risk, increasing readiness, and enhancing resilience across all elements of U.S. critical infrastructure. 

Following a strong response from Congress and the civilian agencies responsible for critical infrastructure, Representative Bonnie Coleman Watson succinctly summarized, in an October 2021 oversight hearing held by the House Committee on Homeland Security which reviewed cybersecurity practices for transportation and critical infrastructure, that “…when it comes to transportation, cybersecurity inaction is not an option. When gas stops flowing due to a cyber-attack… it means Americans struggle to fill up their tanks … people’s lives and livelihoods depend on [cybersecurity of critical infrastructure].”

When it comes to what we hold most dear, time is of the essence to work collaboratively between public and private entities to share information and jointly ready our domestic institutions for the wave of cyber threats on the horizon.

After all – cyber defense is the new offense.

What’s Past is Present – Reducing Domestic Cybersecurity Risk

The ransomware attack on Colonial Pipeline wreaked havoc on daily routines, sending the American public into a state of panic. And although not a kinetic attack, the effect on the confidence of the American people was the same: emerging from the life-altering COVID-19 pandemic, Americans scoured the country searching for gas stations that still had fuel, and if found, lined up for hours at the pumps to fill vehicles and reserves in fear that it could be their last.

While not a visible or protracted attack on physical institutions, the cyber attack on domestic pipeline infrastructure might as well have been, as the net effect on the American people was just as devastating. The cyberattack on the Colonial Pipeline was the unfortunate wakeup call the U.S. government needed in order to start taking cybersecurity seriously. 

Since then, the Biden administration demonstrated its commitment to not just requesting change in cybersecurity practices of public and private infrastructure, but demanding it. E.O. 14028 set in motion cascading activities across the federal government, sparking hearings across the oversight committees in the House and Senate, the publication of key pipeline and rail regulation from the Transportation Security Agency, and a series of supportive legislation across both chambers, most notably the House’s initial legislative response, the Cyber Incident Reporting for Critical Infrastructure Act of 2021 (H.R. 5440), which manifested with resounding bicameral and bipartisan support in the Consolidated Appropriations Act for 2022.   

The end of 2021 demonstrated that there was little patience for undue cyber risk, and the federal government took swift and comprehensive measures to reduce any unnecessary cyber risk through any means necessary, to include fostering stronger partnerships with the private sector with the August 2021 stand-up of the Cybersecurity and Infrastructure Security Agency’s Joint Cyber Defense Collaborative (JCDC).

The Time is Now – Increasing Cyber Readiness 

The March 2022 delivery of the Fiscal Year 2022 omnibus cemented federal appetite for change in Division Y, which directed CISA to establish mandatory reporting requirements and processes for U.S. businesses to immediately share details of cyber incidents or ransomware attacks with CISA, and if not followed, the Act further granted CISA subpoena authority to hold those noncompliant entities accountable. In addition to supporting the strengthening of CISA’s authority across the domestic security space, the administration was building out the office and position of the National Cyber Director, as directed by the Fiscal Year 2021 National Defense Authorization Act (NDAA).

The position, originally a key recommendation from the Cyberspace Solarium Commission, is a critical element of increasing readiness across those institutions which uphold U.S. national security objectives. National Cyber Director Chris Inglis is on the verge of delivering a long-awaited domestic cyber strategy, built upon the tenets of the ONCD’s Strategic Intent, in which he commits to “…building an ecosystem defined by aggregating stability and resilience instead of compounding risk.” 

Another important recommendation from the original July 2020 Solarium Commission was the call to Conduct Cybersecurity Assessments of Weapon Systems (recommendation 6.2.b), which the Commissioners wrote “…with an intent to gain mission assurance of these platforms.” The importance of this particular recommendation, as highlighted in the 2022 CSC2.0 annual assessment, notes progress made towards the objective of gaining strategic understanding of the cyber readiness of DoD weapon systems through congressionally-directed activities such as the Strategic Cybersecurity Program (SCP). The SCP is a vital element in understanding, establishing, and maintaining cyber readiness of weapon systems. DoD SES John Garstka directs the efficacy of the SCP, which is important given his commanding understanding of the vast vulnerabilities of weapon systems given the generally unassumed attack vectors.

In fact, in the spirit of Director Garstka’s comments from a 2019 accounting of cyber wargaming, in which he foreshadowed the impending confluence of OT and information technology (IT) by emphasizing the imperative of “…reducing the risk to mission at the combatant command level, we have to protect more than the traditional IT space,” CISA Director Jen Easterly is wholly focused on the Agency’s “Shields Up” effort to bring cyber readiness across the entirety of the domestic space.

The Path That Lies Ahead – Enhancing Cyber Resilience

In early August, the National Security Telecommunications Advisory Council (NSTAC) released a draft report investigating the inevitable convergence of OT and IT systems and its effect on resiliency of domestic OT systems. Defining resilience as “...what does not happen to operations or consumers of the operational services,” this report is significant because of how it flags resilience as a function of combined preparedness and safeguarding, offense and defense. 

Reducing the misperception that OT and IT systems are distinct, and that OT can be “air-gapped” from cyber threats, is an essential step in ensuring resilience across the collective body of domestic institutions. The current conflict in Ukraine demonstrates the porosity of those interconnected systems which are quite literally being used to protect those democratic institutions which we hold dear; whether typical bombastic propagandizing or not, the Russian threat of cyber intrusion onto a U.S. weapon system belies a very clear and present danger – that no matter where in the world American technology exists, it is not safe from those adversaries wishing to do harm to the U.S. way of life.

Representative Mike Gallagher, a Solarium Commissioner and vociferous proponent of commercial innovation and the necessary partnership between public and private, recently wrote about our competitive advantage being the U.S. commercial technology sector. Resilience is an imperative that all elements of our defense industrial base must take seriously, in partnership with those commercial providers who can see vulnerabilities across the entire system. In fact, in both House and Senate reports to accompany the FY23 NDAA, there are examples of continued congressional interest in ensuring the DoD’s focus on, and accountability of, resilience across weapon systems. This is tremendous progress for a formation almost entirely predicated upon legacy systems. 

CISA’s JCDC is the preeminent example of how public and private institutions can come together in a truly objective manner to secure historically underappreciated components of critical infrastructure; while the inclusion of ICS/SCADA is a tremendous step in the right direction, additional attention needs to be given to the totality of the transportation networks which carry Americans to destinations domestic and abroad. The opportunity for state and local entities to apply for cybersecurity grants from the Department of Homeland Security to increase cybersecurity of OT and IT systems will further support domestic resiliency, and given upcoming U.S. midterm elections, could not have come at a better time.

Conclusion

The opening salvo of President Biden’s Executive Order 14028 provides the stark warning that collectively, public and private institutions must work together to manifest: “… the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.” No longer can the nation sit by and assume a secure and protected infrastructure if the effort is not equally applied across all elements of network and operational technologies.

Given the evolution of the threat environment, and how global conflict continues to take root in unobservable and non-kinetic domains, there is no greater imperative than the one before us – understanding where and how we can continue to reduce unnecessary risk to those institutions upon which American confidence relies, bolstering readiness to those systems which guarantee our national security, and ensuring the resilience of our economy and way of life.

Democracy depends on it.