On March 6, 2018, Carnegie convened a group of leading experts from government, academia, industry, and critical infrastructure communities for a roundtable discussion on the protection of critical infrastructure. Yigal Unna, director of the Israeli National Cyber Directorate, joined as a special guest. The discussion centered around three key questions that were presented to the participants. Below is a summary of the discussion, which was conducted under Chatham House rules.
Trajectory of the Cyber Threat to Critical Infrastructure
Question: How is the threat landscape evolving and what are the most pressing threats? How is the capability of non-state actors changing?
- There has been a dramatic growth in the capabilities of non-state cyber actors, blurring the lines between state and non-state actors’ capabilities and decreasing barriers to entry.
- The increasing capability of non-state actors poses new challenges for states as they strive to establish norms, especially given the perverse incentive structure for non-state actors.
- The attack surface is expanding due to continued growth in automation and connectivity. Even as we enter the fourth industrial revolution, we have yet to solve the cybersecurity challenges of the third.
- A greater drive for efficiency has led to increased interdependency, creating less secure devices and aggregated risk.
- Governments around the world don’t yet share a common set of definitions for what counts as critical infrastructure, making it challenging to develop common strategies.
Conclusions: The U.S. government and the private sector are still not sufficiently agile to keep up with cyber threats. The government and the private sector should be encouraged to revisit their approach to cybersecurity in this domain, taking a fresh look at evolving definitions, perspectives, and paradigms surrounding approaches to and divisions of labor in critical infrastructure cybersecurity. This ought to extend to both public-private collaboration and international cooperation.
Priorities for Enhancing Security Through Defense, Resilience, and Deterrence
Question: What strategies can the private sector and government pursue to address threats across various tiers of capability?
- Efforts to secure critical infrastructure currently focus on key “sectors and assets.” Shifting the perspective more towards a mindset of assuring “missions and functions” is important for better risk management.
- The use of encryption in critical infrastructure is a valuable way to raise the bar for cybersecurity. This should be considered in the context of the overall encryption debate.
- More effort is needed to understand the potential for cascading effects. Critical functions of critical infrastructure should be isolated and simplified to reduce the risk of cascading effects.
- The government and the private sector must consider new regulatory standards and norms to combat the growth of systemic risks from global information and communication technology supply chains.
- The use of cost imposition is important for deterring top-tier threats, because it won’t be possible to secure networks from a determined top-tier adversary. Recent international coordination to “name and shame” is good, but it must be coupled with real cost imposition to change threat actors’ behavior.
- Private sector efforts to improve efficiency and cut costs can contribute to risk exposure. Cyber insurance and other forms of soft regulation can shift incentives toward effective risk management and motivate adoption of better cybersecurity practices.
Conclusions: Explicit strategies are needed for each of the three activities (defense, resilience, and cost imposition). Executing such strategies requires greater attention to the international dimension and to the development of new concepts and creative incentives for risk management. Obviously, the relationship between the three strategies would require careful reflection and adequate harmonization.
Key Dilemmas and Potential Solutions
Question: What are the dilemmas for securing critical infrastructure, and what solutions should we consider?
- The international norm (GGE) against attacks on critical infrastructure presents governments with a dilemma: expanding the designation of critical infrastructure constrains the set of potential targets for offensive cyber operations.
- The private sector is currently expected to help defend against cyber threats, including nation state threats. There are several tradeoffs between expanding or limiting the private sector’s role in active cyber defense, such as the limited resources of government and the complexity/risk introduced by more active measures.
- In an attempt to curb malicious cyber activity, existing laws have also penalized network security defenders. To enhance security, governments should consider extending legal protections to security researchers and network defenders, and enhance accountability measures over time.
- A continued dilemma is the inability of the U.S. government and the private sector to anticipate attacks. But, as with attribution, the private sector has capabilities and information that can be useful when combined with government information. There may be creative ways to leverage public-private partnerships to tackle this “indicators and warning” dilemma.
- A related dilemma is associated with the growing capacity to attribute attacks to their perpetrators and the penchant for making such attribution public. While these could help bolster the deterrence posture against attacks, especially those directed at critical infrastructure, failure (or reluctance) to retaliate against the identified perpetrators ends up weakening this deterrence.
Conclusions: There remain several dilemmas for how to incentivize the right behavior; considerable effort is now required to discuss and resolve these dilemmas.