NIAC's timely warning on infrastructure attacks

A White House advisory group recently warned of a 9/11-style attack on American infrastructure. Here's how it could happen.

On Aug. 22 President Donald Trump's National Infrastructure Advisory Council released a draft report on the threat of cyberattacks on the nation's critical infrastructure.

I can only applaud the committee's findings and offer my strongest support for their recommendations to harness, organize and focus the "tremendous" but fragmented resources within the public and private sectors. As NIAC said so eloquently, "There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber-attack to organize effectively and take bold action."

While this warning may seem "apocalyptic," it is by no means inflated. The risk is real and increasing.

There are two major ways in which radicalized groups could inflict harm on financial and energy critical infrastructure (beyond use of the internet for fundraising, recruitment, communication, etc.). These are:

  • Disinformation to cause social unrest/financial panic. A good example would be the 2013 Dow Jones Industrial Average drop of about 150 points linked to a false message on a hacked Associated Press Twitter account, reporting an attack on the White House. In three minutes, $136 billion in stock market value was erased in Standard & Poor's 500 shares. Syrian hackers claimed responsibility.
  • Critical infrastructure disruption. Potential for disruption of critical infrastructure industries including, but not limited to, financial, transportation, health, food, water and power industries poses a unique and existential risk. This critical infrastructure -- which is designed generally to meet end-user expectations related to both low cost and reliability -- is often "static." Taking down systems to patch or upgrade is both costly and disruptive. In some industries -- like health care -- where IT is responsible for the delivery of life-saving/continuing services, such management is impossible.

This week, as NIAC has recommended, there is a pressing need to improve security and protection of particularly vulnerable targets. While there is no quick fix to this challenge, we concur with NIAC that tremendous resources within both the public and private sectors can be brought to bear quickly, and we believe that recommendations within the report provide clear, practical suggestions for ways to achieve the goal.

Of particular note, the recommendation calling for the identification of "best-in-class scanning tools and assessment practices" and calling on network owners and operators "of the most critical networks to scan and sanitize their systems on a voluntary basis" could offer a simple and compelling mechanism for enabling organizations to act quickly.

Speaking from the vantage point of a 25-year practitioner in the field, any cyber solution would require the involvement and cooperation of a variety of stakeholders within a given organization, whose "incentives" to act are often misaligned. If a solution is perceived as painful to a user, disruptive to the business or more expensive than the possible impact, inaction is the result.

I therefore urge the administration to help counter this situation by offering organizations clear visibility into both the extent of the problem and the "art of the possible." This can be accomplished, as suggested by NIAC, via an assessment methodology, which can be used to identify the extent of the risk, coupled with a center of excellence that gives both the private and public sector the opportunity to engage directly with those capabilities that can solve the problems identified within the assessment.

These capabilities can be based on real-world implementations, built upon those technologies which meet certain apolitical criteria, for instance designation by the Department of Homeland Security or certification by the Federal Risk and Authorization Management Program. This "show and tell" environment, bolstered by implementation of a recommendation calling for "limited time, outcome-based market incentives that encourage owners and operators to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices," would offer organizations a positive, fact-based way to engage in a solutioning process.

I am encouraged by NIAC's report. It expressed the urgency with which we must act, yet offered recommendations that are practical and achievable. As the committee stated, "The U.S. government and private sector collectively have tremendous cyber capabilities and resources to defend critical private systems from aggressive cyberattacks -- provided they are properly organized." We should "use this moment of foresight to take bold, decisive actions."