October 24, 2023

Introduction by ISA President Larry Clinton

Critical Infrastructure in the United States is facing a substantial risk of cyber attacks at all times due to the imbalance of risk assessment between the public and private sectors. Until this disparity is mitigated, the United States will never be adequately protected on all sides from cyber attacks. 

It’s no secret that nations often strategically target the critical infrastructure of their opponents. Recently, it was discovered that Iran has been secretly targeting critical infrastructure, like telecommunications, in several different regions, including North America. In addition, according to a DHS advisory, Russia has been carving its way into the US grid and targeting critical infrastructure.  

Yet for most utilities, the cost of cybersecurity investment adequate to defend against nation-state (or similarly sophisticated) cyber attacks is not justified by their state-approved business model. Private companies are naturally expected to provide reasonable security for their systems. However, reasonableness is traditionally understood in purely economic terms. Everyone knows 10% of inventory is “walking out the back door” every month, but private entities are risk-tolerant for these losses since it would be more expensive to hire the guards and gates needed to cut pilfering below current levels. For a business this is entirely reasonable.

Government also has economic considerations, but it must also weigh national security, the social safety net, elections and other non-economic elements when determining acceptable risk, especially from nation-state attackers.

The problem is that in cybersecurity the government and industry are all using the same system, which is being secured at the traditional commercial level in the face of national-security-level risks.

The National Infrastructure Protection Plan (NIPP) recognizes this anomaly of legitimate differences in how private-sector entities and the government assess risk. This reasonable but problematic gap between commercial-level and national-level security has been recognized and articulated for years. Chris Krebs, former director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA), noted that “private companies fund security at a commercial level appropriate to their needs while the government funds at a higher, national security level. To create a sustainable ‘collective defense’ we must find a way to fill this economic delta.” Since private companies only really have to look at their cybersecurity risk from a commercial standpoint, that is all they support in their cybersecurity budget.

The facile solution would be to simply shift the cost of providing national-security-level cybersecurity to the shareholders of private-sector companies. However, aside from the political hill such a solution would have to climb, shifting national security to the private sector is a bad idea for multiple reasons. To begin with, investors don’t have to invest in utilities. Investors will naturally move investment away from entities that do not generate a commercial return. Forcing private companies to bear economically unjustified security costs will naturally lead to investor flight.

The result would be that the companies do not have the money to make the security investments and, in addition, have less money to provide the critical services (and jobs) for consumers.

It is the responsibility of the government, constitutionally charged with providing for the common defense of the country, to fill this gap. The joint industry-DHS Collective Defense White Paper concluded, “In a world in which reliance on critical infrastructure is shared by industry and government and where industry may be on the front lines of national defense, such as in a cyber-attack, a sustainable partnership must be developed to address both perspectives by finding creative mechanisms while taking into consideration the issue of limited resources for industry and government.”  

Even though the federal government acknowledges this problem, there is minimal effort being made to address the issue.  

The digital era has changed the threat picture for the twenty-first century, and further adaptations are required for government to effectively fulfill its constitutional obligations. Future posts will discuss alternative ways to address this critical infrastructure economic security gap on a sustainable basis.