Cybersecurity for U.S. critical infrastructure a ‘national-security imperative,’ NSC official says
Protecting U.S. critical infrastructure from the often-debilitating impacts of cyberattacks is a “national imperative” that will require cooperation between the government and private sector, according to Brian Scott, director of critical-infrastructure cybersecurity for the National Security Council (NSC).
Scott said a variety of sources—nation-states, state-sponsored actors and cybercriminals—are responsible for the cyberattacks, and many of the impacts have been significant, as recent events have reinforced. Indeed, more than 18,000 entities were deemed vulnerable during the SolarWinds attacks first announced in December, and a ransomware attack on Colonial Pipeline resulted in the shutdown of more than 11,000 gas stations in the southeast U.S., he said.
“Public and private entities are increasingly under constant, sophisticated, malicious and often-unseen probing and attacks from nation-state adversaries and criminals,” Scott said last week during the “Cyber Defenders” online event hosted by Nextgov. “Today more than ever, cybersecurity is a national-security imperative.
“Adversaries and malicious cyber actors see U.S. government and U.S. commercial networks as particularly rich targets and are aggressively working to compromise them.”
Beyond the SolarWinds and Colonial Pipeline incidents, Scott cited compromises to Microsoft Exchange Servers and Pulse Secure VPNs as examples of the challenges facing public and private U.S. entities in an increasingly treacherous cyber environment.
Meanwhile, ransomware attacks last year generated average demands of more than $100,00, with the top ransom demands exceeding $10 million, Scott said. And a 2019 study estimated that data breaches cost the company experiencing one an average of $13 million, as well as significant intellectual-property losses, he said.
Scott said it is time to halt this cycle of U.S., beginning with a new mindset regarding cybersecurity.
“As a community, we’ve come to accept that we’ll move from one incident to another and respond to them,” Scott said. “While we must acknowledge that incidents and breaches will happen and that we must prepare for them, we cannot simply afford to let waiting for the next incident to happen be the status quo under which we operate. The national-security implications are simply too great to do that.
“The cost of insecure technology is staggering, and that cost is borne, at the end, by the victims—in loss of property and in incident response and cleanup. Small businesses, schools, hospitals, local government, critical-infrastructure owners and operators, and our citizens bear the brunt of these costs.”
Critical-infrastructure providers have to be especially cognizant of cybersecurity issues, which can be challenging because many systems were designed long before cyberthreats were a consideration, Scott said. When such older operational-technology (OT) systems are connected to information-technology (IT) networks, it can result in unintended vulnerabilities that can be exploited by hackers, he said.
“Advances in IT and OT have led to enormous efficiencies, business integration and connectivity across the business enterprise,” Scott said. “But integration and connectivity, with consideration being given to control-system cybersecurity, makes those control systems vulnerable to an increased risk of malicious cybersecurity.
“OT networks and systems require additional—and sometimes different—protection against cyberthreats. Cyberthreats to our control systems and OT are becoming more sophisticated, our advisories are becoming bolder, and our infrastructure is becoming increasingly interconnected at a rapid pace.”
Even protecting the OT system may not be enough to ensure that practical operations can continue in the event of a cyberattack, according to Scott.
“As we saw in the Colonial Pipeline incident, even though the OT systems were not affected, the loss of the IT systems effectively shut down operations for over five days,” he said.
The recent executive order announced by President Joe Biden is a crucial step in “changing the calculus” about cybersecurity and prioritizing efforts to prevent attacks, Scott said. Although the executive order only addresses federal systems directly, its impacts should be evident more broadly, according to Scott.
“The executive order provides insights that should inform the private sector,” he said. “Outdated security models, unencrypted data, failure to patch software and change passwords have led to compromises of systems in the public and private sectors.
“The federal government must lead the way and increase its adoption of security best practices, including a zero-trust model, accelerate movement toward secure cloud services, and consistently employ foundational security tools like multi-factor authentication and encryption.”
In addition, the executive order calls for a new regime regarding the manner in which software development is done, Scott said.
“The current model of build-sell-and-maybe-patch means that the software products that the federal government and the public buy often include defects and vulnerabilities. This is unacceptable,” Scott said. “These defects are vulnerabilities that developers are accepting as the norm, with the expectation that they can patch them later—if they deem that the defects and vulnerabilities are sufficiently serious to merit fixing.
“We can’t go on with that process. We are taking aggressive steps to ensure that the software that the government buys is built more securely from the start, by requiring federal vendors to build software in a secure development environment, using strict securing standards and processes. These efforts will pay dividends outside of the federal government, as well, because much of the software that the government buys is the same software that the private sector buys.”
Successfully thwarting cyberattacks will require the federal government to “lead the way,” but it must forge a greater level of cooperation with the private sector, according to Scott.
“Partnerships are critical to the safety of our nation in cyberspace,” he said. “The government needs the private sector and the visibility and expertise it provides, and the private sector needs the government.”
Partnering with international allies also is important, Scott said.
“As an example, we built a coalition of dozens of countries to support our attribution of the SolarWinds intrusion to the Russian foreign intelligence service and bolstered our actions to hold Russia accountable for its malign actions in cyberspace,” Scott said.
“One of our first global initiatives will be a cooperative effort to counter ransomware. International cooperation to address ransomware is critically important, because trans-national criminals are most often the perpetrators of these crimes—and they often leverage global infrastructure and money laundering to do it.”