A National Imperative – Cyber Resiliency
Strategies to Safeguard Critical Infrastructure Against Cyber Threats
By Andrea E. Davis, Founder and President of The Resiliency Initiative
I started my career in emergency management in 1999. At the time, the focus was on the collapse of the world as we know it due to Y2K and computers not understanding the number 2. It seems rather silly after all the impactful crises we have dealt with since then. However, the concern and focus on our reliance on technology were justified. Fast forward 25 years, and we are significantly more dependent on technology. Our technological systems, which are the backbone of our critical infrastructure, are increasingly vulnerable to cyber-attacks.
It feels like every day we wake up to the news of another cyber-attack, from pharmaceutical companies to healthcare operations to multinational computer companies. The FBI estimates that US consumers and businesses lost $12.5 billion to cybercrimes in 2023. The threats and the losses only keep increasing.
Earlier this year, FBI Director Christopher Wray testified before a House Select Committee on the vulnerability of US critical infrastructure. Director Wray stated that there is a threat of attack, especially from foreign actors, to sectors such as energy, water, transportation, communication, finance, and healthcare. Critical infrastructure systems are increasingly digitized and connected to the internet, making them vulnerable to ransomware, malware, phishing attacks, denial-of-service (DoS) attacks, and other cyber disruptions.
Our nation’s critical infrastructure must be resilient to withstand and recover from these cyber disruptions. So, what are we doing about it?
Presidential Policy Directive 21 (PPD-21) advanced national policy to focus on the resiliency of the US critical infrastructure sectors. The Directive outlined the 16 essential infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so critical to the US that disruption would have a debilitating impact on national security, national economic security, national public health or safety, or any combination thereof. Additionally, the recent publication of the National Security Memorandum on Critical Infrastructure Security and Resilience addressed our national vulnerabilities and created strategies to confront insidious cyber threats that have taken center stage from a national security standpoint.
Such cybersecurity measures are essential to safeguard these infrastructure sectors from exploitation and disruption. Additionally, many critical infrastructure sectors are interconnected and interdependent: a disruption in one sector can have cascading effects on others. For example, a cyberattack on a power grid could impact transportation systems, communication networks, and healthcare facilities.
Let’s examine a few incidents impacting the US infrastructure:
- For two days in August 2003, the US and Canada suffered one of the worst power outages in history, with over 50 million customers without power. It was concluded that the main cause of the outage was a “software bug,” not cyber terrorism. However, the US Department of Energy and Canada’s Ministry of Natural Resources created a task force to conduct a deep dive into the outage and provide recommendations on how to ensure similar outages don’t occur again. The final report stated that “procedural vulnerabilities were compounded by inadequate, out-of-date maintenance contracts.” Over 20 years later, the vulnerabilities that the report detailed still exist across the US electrical grid, and cyber criminals’ sophistication has significantly increased.
- In May 2021, the US suffered one of its most significant critical infrastructure cyber-attacks – the Colonial Pipeline ransomware attack. The attack shut down Colonial Pipeline for five days, 45% of pipeline operators were impacted, panic buying ensued across the southeastern US, and significant supply chain disruptions hit a system already strained by the COVID-19 crisis. The Colonial Pipeline attack highlighted the lack of government regulation on reporting a cyber-attack on critical infrastructure and the lack of transparency to the US consumer once an attack occurred. The Colonial Pipeline attack led to the passage of the Strengthening American Cybersecurity Act (SACA), which created a reporting protocol and increased the Cybersecurity and Infrastructure Security Agency’s (CISA) threat monitoring responsibilities.
- Finally, in early February 2024, over 70,000 AT&T customers were left without cell service, and multiple 911 call centers were out of service for close to eight hours due to a “technical error.” Over 70% of the US population relies on a cell phone as their primary mode of communication. Imagine a threat actor recreating a similar “technical error” throughout all cell phone networks in the US for several days.
Safeguarding our critical infrastructure requires a comprehensive and proactive approach involving collaboration, innovation, and continuous improvement in preparedness and response capabilities for the US to stay a step ahead of the cybersecurity threat.
I recommend the following four-pronged approach:
- Developing Public-Private Partnerships: Collaboration between government agencies, private sector organizations, and other stakeholders is crucial for protecting critical infrastructure. Public-private partnerships can facilitate information sharing, resource allocation, and coordinated responses to emergencies and cyber threats. The Federal Emergency Management Agency’s (FEMA) Public-Private Partnership guidebook provides a solid framework and approach to establishing partnerships.
- Investing in Comprehensive Emergency Preparedness and Response Plans: Emergency management plans and protocols should address the unique challenges posed by cyber-attack disruptions to critical infrastructure. This includes conducting risk assessments, developing contingency plans, training personnel, and conducting exercises to test preparedness and response capabilities.
- Increasing Information Sharing and Coordination: Timely and accurate information sharing among stakeholders is essential for effective emergency management and cybersecurity. Coordination between government agencies, law enforcement, industry partners, and international organizations helps to identify threats, mitigate risks, and respond to incidents efficiently.
- Continuing Investment in Technology and Innovation: Sustained investment in technology and innovation is necessary to enhance the resilience and security of critical infrastructure. This includes deploying advanced monitoring and detection systems, implementing secure communication protocols, and leveraging emerging technologies such as artificial intelligence and blockchain for cybersecurity.
About the Author
Andrea Davis is a world-renowned expert in the field of emergency management. Currently, Ms. Davis is the President and CEO of a Woman-Owned Small Business (WOSB), The Resiliency Initiative (TRI). Ms. Davis founded TRI out of a passion to serve the whole community before, during, and after an emergency. Ms. Davis has held leadership roles with NGOs (The American Red Cross, Save the Children US), the US Federal Government (FEMA, The Federal Reserve), and Fortune 500 companies (Walmart, Disney). In each role, Ms. Davis used her influence to lead global initiatives focused on the importance of making risk-informed determinations and engaging all members of the community in the decision-making process. To learn more about The Resiliency Initiative or speak with Ms. Davis, please send an email to [email protected] or visit http://www.theresiliencyinitiative.com.