US Policy on Critical Infrastructure Protection Inadequate, Expert Group Warns
A congressionally mandated group of experts called the CSC 2.0 has warned that US government policies designed to protect critical infrastructure against cyber attacks are outdated and inadequate. Critical infrastructure sectors such as water and transportation could be compromised when exposed to cyber threats. In a detailed report released last week, the group highlighted the lack of a framework to quickly and effectively respond to cyber attacks using modern approaches and technology. The report urged the White House to update Presidential Policy Directive 21, which established how federal agencies engage with private infrastructure operators, and to create a new strategy that identifies strategic changes. The report also called on the government to refine the public-private partnership model for better collaboration and engagement.
Colonial Pipeline Ransomware Attack
The CSC 2.0 report cited the 2021 Colonial Pipeline ransomware attack as a case study demonstrating the limitations of current government policies and agencies. The group noted that the incident revealed how difficult it is for the national critical infrastructure system to handle crises, as well as the inadequacy of the public-private partnership model. The Colonial Pipeline incident was the largest attack on the US energy sector, and rogue actors held critical infrastructure hostage using ransomware. The attack, which continued for hours, exposed the poor communication between the Transportation Security Administration, the Transportation Department, and the Cybersecurity and Infrastructure Security Agency (CISA), which is responsible for responding to cyber attacks and offering technical assistance and mitigation. CISA was not immediately informed about the attack, and neither Colonial Pipeline nor the FBI alerted the agency or the Transportation Security Administration. The report notes that the incident demonstrated the lack of coordination between government agencies and the private sector, indicating that the existing approach is poorly suited for speeding up response times, especially during crises.
Outdated Policies
The current federal framework for protecting critical infrastructure cybersecurity is outdated, according to the CSC 2.0 report. The report found that sector-specific plans, which identify key assets, threats, and risks, have not been updated since 2015, with the initial releases being cut-and-paste versions of a template with little emphasis on significant differences. The group called out the National Infrastructure Protection Plan for collaboration between government and critical infrastructure facilities, which has not been updated since 2013. The report advised the government to update responsibilities for key strategy documents and establish accountability via adequately defined roles and expectations. It also recommended clarifying the role of CISA as the national risk management agency and updating the minimum security standards that agencies should continuously maintain.
CISA’s Priorities and Effectiveness
The report found that CISA isn’t serving effectively as the leader that most interviewees said was needed to realize the full potential of the framework underlying the sector risk management framework. The authors noted that the agency’s priorities seemed fixed on cybersecurity at the expense of physical security. Nevertheless, CISA is charged with responsibilities that extend beyond cybersecurity, as violent domestic extremists also constitute a physical threat against the US.
Recommendations
The CSC 2.0 report makes several key recommendations. Firstly, it suggests that the next version of the policy should prioritize updated strategic changes, with a renewed focus on resilience rather than simply keeping systems secure and cyber-defended. The report also recommends that the government define critical infrastructure sub-sectors and outline how to add or remove different sectors from the current list of 16.
The document stated that additional resources would be necessary to support agencies responsible for the critical infrastructure sectors in serving various industries adequately.
The White House Should Organize Collaborative Efforts to Address Systemic Risks
The report highlights the need for the White House to organize efforts to facilitate more collaboration aimed at understanding systemic and cross-sector threats. The authors recommended that the government establish a point of contact for each sector so that a crisis can be handled more effectively.
Philosophical Discussion and Advice
The CSC 2.0 report suggests that the current approach taken by US agencies to safeguarding critical infrastructure cybersecurity is limited in various ways, given the modern wave of cyber attacks. It is essential to understand that cyber attacks are evolving quickly, and it is imperative to review the approach regularly to keep up with technological trends. Therefore, the US government should listen to and act on the recommendations of cybersecurity experts to strengthen the country’s critical infrastructure cybersecurity. The government should collaborate with the private sector to identify and diminish the risks and vulnerabilities faced by the country’s critical infrastructure. This will require more significant investment in cybersecurity funding and resources for government agencies and private operators.
The report’s observations are timely and should be treated with the utmost importance as technology continues to advance and the US economy becomes more reliant on cyberspace. Addressing these gaps in the critical infrastructure cybersecurity framework now is necessary to protect US national security and economic well-being.