Friday, December 03, 2021

What Is Systemically Important Critical Infrastructure?

lawfareblog | The Colonial Pipeline attack was the most recent reminder of a steadily encroaching wave of cyber threats affecting the nation’s critical infrastructure. Although the ransomware attack was considered to be “relatively unsophisticated” in nature, it was powerful enough to shut down America’s largest refined products pipeline for several days. It took Colonial six days to get the Cybersecurity and Infrastructure Security Agency (CISA) any notifications that could then be disseminated to other at-risk industry entities—and even then, acting CISA Director Brandon Wales remarked that he did not think Colonial would have reached out to CISA had the FBI not facilitated the interaction. Much of the discussion around the Colonial Pipeline ransomware attack has obscured a key point: The U.S. government does not have a reliable method to identify, support and secure the most “critical of critical” infrastructure.

The U.S. government is not completely aware of what is critical—as in which companies’ disruption could have devastating or cascading consequences for the economy, national security, or public health and safety. Since its inception, the term “critical infrastructure” has grown so large that it has lost any meaningful specificity. Ranking Member of the House Homeland Security Committee, Rep. John Katko, reaffirmed this evaluation in a recent press release noting that because the United States has diluted what qualifies as critical infrastructure, “the federal government has visibility into a shockingly small sliver of significant cyber incidents across the country.” Underlying this dilution is the fact that no sufficiently granular and legally enforceable designation for “critical infrastructure” exists—consequently, there is no bound that keeps the concept from expanding into obscurity. Previous bills that have attempted to confer benefits or burdens on “critical infrastructure” have been vague and have not provided any clarity on what qualifies as such.

Furthermore, a risk-based approach to national security requires that the U.S. must prioritize its resources in areas where it can have the greatest impact to prevent the worst consequences. The U.S. government’s most capable adversaries, including Russia and China, are constantly looking for opportunities to scale their cyber operations and focus on targets that would have the greatest destructive impact. These past cyberattacks have illustrated that the nation’s adversaries have adopted a clear strategy that targets the “critical of critical” nodes that underlie U.S. national security. Therefore, the United States should respond in kind and reshape its approach to identifying and protecting them. The Cyberspace Solarium Commission’s 2020 report addresses just that.

The commission recommended that the United States codify into law the concept of “systemically important critical infrastructure” (SICI). These entities, responsible for the most important critical systems and assets in the U.S., would be granted special assistance from the federal government as well as assuming increased responsibility for additional security and information security requirements that are vital to their unique status and importance. This proposal answers the increasing need for the identification, partnership, and protection of the most “critical of critical” infrastructure.
