In a flurry of announcements this week, officials announced new cybersecurity mandates on the railroad and airline industries and fines for federal contractors who fail to report breaches. This second set of compulsory maneuvers follows cybersecurity regulations for US pipeline operators issued earlier this year, and a separate mandate that government contractors strengthen their networks.
The White House also announced last week that it is “working to deploy action plans for additional critical infrastructure sectors” after a 100-day push to improve cybersecurity in America’s balkanized electricity grid.
One senior defense official says that protecting the transportation and energy infrastructure that Americans — and the US military — rely on is a priority.
“Those have direct implications for how well we can execute our military operations in the future,” said deputy defense secretary Kathleen Hicks in an exclusive interview with CNN. “We believe that those are targets that a China or Russia would go after, when they’re thinking about military campaigns.”
China and Russia remain “the priority” focus for the Defense Department, Hicks said, “because they have so much capability, and then a secondary focus on Iran and others.”
US has been hit by a string of ransomware attacks
The push comes as US officials are also grappling with a string of ransomware attacks on critical infrastructure at the hands of cybercriminals, including an attack on Colonial Pipeline, which disrupted gas supplies on the east coast for the better part of a week in May.
Other, smaller hacks — like the February breach of a water treatment facility in Florida that raised treatment chemical levels in the water to potentially poisonous levels — have shown how some critical infrastructure sectors are better resourced to protect themselves than others. Big US electric utilities, for example, invest millions of dollars in cyber defenses, while small town water plants are often strapped for cash.
While the Department of Homeland Security is the lead agency working with private firms to improve their cyber defenses, Pentagon officials focus on protecting the defense industrial base from supply chain hacks and consider the cybersecurity aspects of future conflicts.
That’s a relatively new concern for the Defense Department, long focused on more traditional “kinetic” threats against the US — like terrorist attacks using conventional bombs, or even the nuclear threat from a rogue North Korea.
“That tying together of the homeland to military campaigns abroad is not something most Americans think about,” Hicks said. “And it’s not something for years, the Defense Department had to worry about.”
“That is a significant change,” she added.
But cybersecurity officials have long been concerned about Russian efforts to “preposition” against US critical infrastructure, Rob Joyce, head of the National Security Agency’s Cybersecurity Directorate, said at the Aspen Cyber Summit last week.
“We’ve seen them actively use disruptive effects around the globe. And we’ve seen evidence of prepositioning against US critical infrastructure,” Joyce said. “All things that can’t be tolerated and we need to work against.”
Some Russian hacking groups specialize in infiltrating critical infrastructure firms, both to collect information and, perhaps in some cases, to gain a foothold into networks in the event of a conflict, according to some US officials and private sector experts.
Challenge of securing infrastructure not under federal control
Part of the challenge for national security officials across government working on this problem is that the majority of critical infrastructure isn’t under federal control. The government is left trying to cajole, persuade, collaborate and, at times, mandate a sprawl of different organizations to step up their own cybersecurity efforts.
One of the key lessons the Pentagon took from the SolarWinds hack, a Russian espionage operation that breached at least nine federal agencies in 2020, was that it made very clear for officials “the degree to which we are tied into and interdependent with a much broader commercial and industrial base and research center ecosystem,” Hicks said.
The Pentagon’s approach is “making sure that our industrial base partners are strong themselves, and that we have ways of helping them become aware of when they have challenges,” she said.
In one DOD-specific effort to bridge the gap between federal know-how and the private sector, the US Cyber Command in 2018 awarded a partnership contract with a local digital security nonprofit to open an innovation center in Maryland that works with private industry to harden critical infrastructure networks — from traffic lights to water treatment facilities.
Hicks noted that it “still does not appear with DOD investigations that there was a direct risk to DOD networks” from SolarWinds, but, she said, “we don’t take that as anything other than a signal that, in this case, we did okay, but that we have to keep our guard up, because they’ll keep coming at us.”