U.S. infrastructure is in “a pre-9/11 moment” when it comes to cybersecurity and time is running short to shore up its cyber defenses, an industry advisory committee warned Tuesday.
If government and industry don’t dramatically boost their efforts to protect critical infrastructure, such as the financial system or electric grids, they risk missing a “narrow and fleeting window of opportunity before a watershed, 9/11-level cyberattack,” according to a report approved by the Homeland Security Department’s National Infrastructure Advisory Council.
To stave off and prepare for such an attack, government and industry must create segregated and highly secure communication networks that are used solely for critical command and control systems, the NIAC report authors said.
The government should also dramatically ease the process for sharing cyber threat information between industry and government, the report said.
That includes more rapidly declassifying cyber threat information gathered by intelligence agencies so it can be shared broadly throughout critical infrastructure sectors and speeding up the process for granting security clearances to industry cyber leaders so they can review cyber threat information classified at the secret and top-secret levels.
Analysis: There are few in government and private industry who disagree with the need to dramatically improve cyber security to protect critical utilities, communications, financial systems, air travel, water/sewage/dams and other infrastructure. But as this article suggests, the biggest impediment thus far to private-public cooperation in the realm of cyber security is trust — the private sector doesn’t trust government to adequately protect things like consumer privacy, while government doesn’t trust the private sector to take national security as seriously as federal agencies. There is also the problem of too much government bureaucracy standing in the way of faster implementation of cyber protection strategies.
Everyone — Congress, the private sector, the Trump administration, and the Defense Department — recognizes the cyber threat facing critical infrastructure technology. There have been countless hearings on Capitol Hill; President Trump has issued executive orders calling for ramped-up cyber security efforts among federal agencies; the Pentagon just made Cyber Command a combatant command; and so on. That nothing is getting done quickly is due to the twin issues of trust and bureaucratic inertia.
Truth be told, it probably will take a ‘cyber 9/11’ before government and industry get together on the level necessary to protect critical infrastructure, but only against subsequent cyber attacks.