Strengthening the Cybersecurity of U.S. Critical Infrastructure

In December 2015, Ukraine witnessed the world’s first-known cyber-induced power outage. An attack against its electrical grid caused some 220,000 residents of western Ukraine to lose power for several hours. Affected control centers required months to fully recover from the attack, a fact which should concern American policymakers. Cyber actors threaten to disrupt or destroy United States infrastructure, and sophisticated cyber attackers are often able to penetrated even the most heavily defended critical infrastructure networks and systems. The U.S. must be prepared for a similar attack against its electrical grid or other critical infrastructure assets.

Chinese and Russian state and state-sponsored actors engage in long-term, sophisticated cyberattacks against American computer systems and networks. The May 2014 indictment of five Chinese military hackers illustrates just how serious this threat is. Through just one campaign, Chinese hackers infiltrated U.S. nuclear power, metals, and solar products industries. In separate incidents, Russian and Chinese actors had even penetrated the U.S. electrical grid’s systems and controls. These incidents highlight how easily hackers could disrupt or degrade the industrial control systems that operate critical infrastructure. While neither Russia nor China intends to harm the U.S. today, it would be a mistake to ignore these vulnerabilities.

Other actors, such as Iran, North Korea, and various non-state groups, want to execute cyberattacks against U.S. critical infrastructure and are developing the capabilities to do so. Iran is investing heavily to improve its cyber warfare capacities and oversees proxies that perform cyberattacks against the U.S. The FBI recently indicted seven individuals who worked on behalf of the Iranian government to execute repeated, coordinated attacks to disable websites of nearly 50 U.S. financial institutions. While its capabilities do not yet match those of Chinese and Russian actors, Iran will only continue to strengthen its cyber arsenal.

North Korea’s hack of Sony in late 2014 shows its malicious intentions in cyberspace. Though experts do not consider North Korea’s capabilities to be equal to that of Russia and China, it has fewer constraints and is more willing to execute cyberattacks. FBI Director James Comey has also stated that ISIS-affiliated hackers are “starting to explore…critical infrastructure.” These actors, though not yet sophisticated, will continue to develop their cyber arsenals to launch cyberattacks against U.S. critical infrastructure.

The U.S. Government has taken steps to mitigate these cyber risks, but its measures remain insufficient. Executive Order 13636 required the National Institute of Standards and Technology to develop a voluntary cybersecurity framework to reduce critical infrastructure cyber risk. However, voluntary frameworks and programs are not enough to convince critical infrastructure owners and operators to invest in cybersecurity; resource constraints make cyber issues a low priority for small and mid-sized asset owners. While select government agencies, called sector-specific agencies, oversee cyber defense for all 16 critical infrastructure sectors, 11 sectors face “significant” cyber risk. Moreover, sector-specific agencies do not coordinate enough joint crisis simulation exercises to prepare their sectors for attacks. Likewise, many sector-specific agencies struggle to provide timely, actionable cyber information to the private sector.1

Therefore, U.S. policymakers should strengthen critical infrastructure cybersecurity by: (1) promoting cybersecurity tax incentives; (2) bolstering the cyber insurance market; and (3) enhancing public-private information sharing.

First, Congress should enact legislation to provide tax credits for owners and operators who strengthen cybersecurity. Congress should task the National Institute of Standards and Technologies to create measurable metrics to verify whether critical infrastructure owners and operators have adopted its cybersecurity framework. Owners and operators who successfully adopt the framework would be eligible for refundable tax credits to cover implementation and upkeep costs—including personnel hours, products and services costs, and anything else reasonably associated with its implementation and upkeep. This plan would mitigate the financial burden of cybersecurity for many small and mid-sized critical infrastructure asset owners.

Second, Congress should promote a more robust cyber insurance market. In an October 2015 report, cybersecurity expert Elana Broitman argued that Congress should require the Department of Homeland Security to publish data from existing cyber-information sharing mechanisms and cross-reference this data with the cybersecurity framework. The federal government should follow these recommendations. Businesses and organizations can use this public data to measure the efficacy and cost-effectiveness of different cybersecurity products and services. Insurance providers would use this information to better analyze cyber risk, build actuarial models, and begin underwriting policies. An enhanced cyber insurance market would increase critical infrastructure risk management and drive safety standards.

Third, federal agencies and industry should continue to deepen public-private collaboration. The Department of Homeland Security should lead more frequent public-private crisis simulation exercises. These exercises must include local and state government participants, establish leadership roles, and produce “muscle memory” within organizations and across sectors. Additionally, government and industry must expand information sharing efforts. The Department of Homeland Security recently launched a platform entitled Automatic Indicator Sharing that enables real-time, public-private sharing of cyber threat indicators. However, the platform only included six participants as of March 2016. The Department of Homeland Security and relevant government agencies must encourage critical infrastructure sectors to participate in this platform. Such a robust information-sharing scheme would provide timely and actionable information to participants from all critical infrastructure sectors.

The reliability of critical infrastructure is vital to U.S. homeland security. A major offensive against U.S. critical infrastructure assets could endanger civilians and hurt the economy. U.S. policymakers should promote market incentives and encourage more robust public-private information sharing to most effectively help owners and operators defend against these threats.