Twenty years ago, on July 15, 1996, President Bill Clinton issued Executive Order 13010, establishing the President's Commission on Critical Infrastructure Protection, a task force that worked for more than a year on evaluating the various threats to those critical systems that keep the nation humming.
Since then, a succession of further executive orders, presidential policy directives and federal laws have further refined, expanded and enhanced the nation's efforts to protect critical systems from physical or cyber attack.
At the 20th anniversary of Clinton's first salvo in the battle, Federal Times set out to assess two decades of progress. Since that time, the number of critical infrastructure categories has doubled, from eight to 16, and the Department of Homeland Security has become the lead agency for critical infrastructure protection. Current legislation stands to elevate DHS's role in cybersecurity even further, and the private-sector owners of critical infrastructure facilities are by and large working with DHS and other agencies to implement strong security — however, their progress and success vary from one to the next.
Where we are
Critical infrastructure is defined as the systems that are indispensable for the functioning of a nation, such as power generation, wastewater treatment, health and emergency services and communications.
The cyber threat today is "significant and evolving," said Suzanne Spaulding, undersecretary for DHS's National Protection and Programs Directorate. Because the threat doesn't stay still, neither can the defenses. The Homeland Security Department oversees the federal effort to protect the 16 critical infrastructure sectors. DHS periodically updates its National Infrastructure Protection Plan and issues sector-specific plans to drill down into each piece of the critical infrastructure.
"I know it can be a bit overwhelming and hard to get your arms around. I find it helpful to break that threat down, and there are a number of ways that you can do that: you can think about it in terms of the variety of actors, [or] you can think of it in terms of the variety of effects."
Think of the adversaries as vandals, burglars, spies or saboteurs, Spaulding suggested. Vandals enjoy breaking in to deface websites or to launch denial of service attacks — sometimes for political purposes, such as Anonymous, and sometimes just for kicks. Burglars are, as the name suggests, looking for ways to steal personal information and money from their victims. The category also includes theft of intellectual property.
"Some of that intellectual property theft might be industrial espionage. But much of it is probably done by nation states who are trying to advantage their nation. So that moves us into spies who are stealing traditional national security [information], spy versus spy," she said.
Finally, the saboteurs are out to destroy assets important to their targets. "That's one of the most concerning aspects of cyber security threats that we look at today, threats to industrial control systems to supervisory control and data acquisition (SCADA) systems," Spaulding said. "Those are the cyber attacks that can have physical consequences that could be quite significant."
Addressing any of the three types of attackers requires staying ahead of technology developments, maintaining transparency and visibility and sharing information. It also requires maintaining a broad view, said Gregory Touhill, deputy assistant secretary for cybersecurity operations at DHS.
"As we've evolved over time we've actually added different components within those different [critical infrastructure] sectors," he said. "For example, in the past we hadn't necessarily viewed retail as a critical infrastructure per se, but in the aftermath of some very noteworthy cyber breaches such as the Target breach in 2013, we realized that the retail sector is a critical part of our economy and therefore needs to be included in that critical infrastructure."
For the most part, the federal government acts as a partner to private industry in protecting the infrastructure. Only in a few situations does the government have direct regulatory powers over the industry in question, but it can always serve as a resource and a guide. DHS coordinates with regulatory organizations, such as the Nuclear Regulatory Commission, and with other cabinet-level agencies to collaborate with industry.
The various sectors are progressing at various speeds, some staying well ahead of cyber threats and others lagging.
"There are some sectors that have got a head start on others when it comes to cybersecurity and cyberdefense," Touhill said. "A good example is the financial sector. Back in the 1990s, the financial sector was already at the forefront of digitizing banking and all of the different financial services. They were heavily reliant on computer systems and the security of the data streams going between the financial services sector. Other sectors are now seeing the same type of inter-relationships fostered by computers and the digitization of their businesses. As a result these sectors are increasingly stepping up their game when it comes to cybersecurity."
The threat is not merely theoretical. Successful cyber attacks have disrupted elements of the critical infrastructure, in the U.S. and elsewhere. Most notably, an attack near the end of 2015 knocked out part of the Ukrainian power grid, putting more than 200,000 homes and businesses in the dark. (Wired published a detailed account of how that attack unfolded.)
As the 20-year mark comes and goes, the battle to keep U.S. critical infrastructure safe goes on unabated. Changes are underway to firm up the defenses and to keep abreast of the ever-evolving threat.
That evolution in the threat is mirrored by changes to the targets, said Bob Jennings, Verizon's global practice manager for critical infrastructure protection and cybersecurity. Where security efforts of the past centered around information technology, operational technologies — "those things that control the widgets and gears and gadgets in our world today" — are becoming more and more prevalent. That expands the area exposed to potential attack, just as the bad guys are getting better at finding and exploiting vulnerabilities, he said.
"When you think in terms of security and information technology, corporate systems, business systems, there's a whole other world that greatly increases the security exposure," he said. "That's operational technology, and so we deal with that across all of the various sectors from manufacturing to nuclear power generation. [It's an] absolutely fascinating world with all the security concerns associated with it."
While protecting the critical infrastructure encompasses physical security as well, it would be unwise to think that any given sector is safe from the cyber threat, Touhill said, in part because of the operational technology that Jennings mentioned.
"I think most folks take a look at critical infrastructure and kind of believe that some of the critical infrastructure is largely isolated from a cybersecurity attack. I disagree," he said. "I believe that all 16 critical infrastructures are increasingly vulnerable and have an attack surface that could be exploited through cyberattack. As we see the advent of the internet of things, we see increasing digitization of business processes and the like, every sector is vulnerable to cyber attack and needs to take cybersecurity seriously."
To better address the changing world, DHS is reorganizing the NPPD under a new name, Cyber and Infrastructure Protection. Spaulding said the new name better reflects the organization's emerging mission.
"The changes we are trying to bring about at NPPD have to do with reflecting the convergence of physical and cyber that we see in the real world and making sure that our institutional structure does not preserve stovepipes around cyber and physical that really get in the way of that holistic approach to risk management that we are asking private-sector folks to take," she said in another recent interview. "We are asking them to think about threats and vulnerability and consequences and mitigation across cyber and physical at every step of the way. Understanding that cyberattacks can have physical consequences but there are physical vulnerabilities that can cause disruption in your information communications technology, that there are mitigation measures for cyber incidents that could be physical mitigation. So, we think a holistic approach is important and we want to organize that way."
Still, there is more the U.S. government can and should do, said Bruce McConnell, global vice president of the EastWest Institute and former DHS deputy under secretary for cybersecurity.
"I think [the government] needs to pay more attention to the international dimensions of the problem," he said. "I work with governments around the world to secure systems and technologies, including critical infrastructure. The U.S., while it's very vulnerable because it's the most advanced from a technical standpoint, it's also the most advanced from the security standpoint, so there's a lot of good practices here that could be shared."