In an era where we are completely reliant on digital connectivity, the security of our critical infrastructure is paramount. CISA defines 16 sectors of US critical infrastructure, each unique and yet each deeply interconnected. Most believe that it is safe because, after all, the government controls most of it and thus it must be well protected. Leaving aside the false assumption that government control would guarantee protection, the reality is that a staggering 65% of U.S. infrastructure is privately owned, while state and local governments own 30% and the federal government just 5%. This means that the security of the complex web of goods and services that our country sits atop is almost entirely dependent on the cybersecurity practices and investments of these private companies.
If we take our national security seriously, we should acknowledge how deeply this privately held infrastructure exposes our country. We have seen the repercussions of cyberattacks on private companies like these: the millions of lives that are affected, the panic, the price surges, etc. The ransomware attack on Colonial Pipeline was one of the most prominent examples of this, with fuel supply shortages, price increases, and a significant geographic impact. This was despite the warnings by the Director of National Intelligence back in 2019 that pipelines were particularly vulnerable to cyberattacks and that they could cause lengthy shutdowns. In the healthcare sector, the ransomware attack on Change Healthcare not only exposed the personal health, identity and financial information of possibly one-third of all Americans; its life-threatening impact also prevented healthcare providers from delivering care, filling prescriptions, and processing insurance claims.
Each of these attacks was on a single sector, but the obvious what-if questions concern the fear that a similar attack would occur simultaneously across multiple organizations within a sector, across sectors, or both. We are seeing an increase in coordination among cyber criminal organizations. The logical conclusion is that this cooperation will lead to larger scale attacks. Due to the interconnectedness of our critical infrastructure and our supply chains, a coordinated, multi-org, cross-sector attack would mean cascading, widespread detriment across the country. To date, cyberattacks have had little personal impact on the average person compared to the very personal impact this type of attack would cause.
Disrupting multiple sectors is increasingly being done via supply-chain attacks. We saw with the COVID outbreak how delicate our supply chains are, and how even a small interruption or delay causes large ripples. We assume that our supply chains are made up of large companies with big budgets for security, but small companies, whether in a software or a product supply chain, are often involved all along the way. These small organizations, small municipalities, etc., lack the skills and ability to adequately defend themselves and lack the resources necessary to outsource it. They usually have one or two IT people, zero dedicated cybersecurity staff, and subpar tools.
The situation is further complicated by geo-political issues. We have nation-state threat actors, funded, staffed, and in some cases housed within foreign military branches, targeting US corporations. Imagine a foreign military landing on the shores of Virginia with the intent of invading the capital and taking control of the state. It seems so far-fetched. Our military would intercept the threat long before they were anywhere near US soil. Now imagine the same threat, but the adversaries make it to the Virginia shorelines, and when the governor calls for help the federal government says, “we are sorry, but we do not have the resources to defend you, you are on your own.” This is unimaginable, but this is basically the state of cybersecurity in the US. The Director of the FBI, Christopher Wray, recently said that FBI cyber staff is outnumbered 50 to 1 by just the hackers from China. There is no other scenario in which a private US organization would be alone in direct conflict with foreign attackers. Our companies, specifically the IT and cybersecurity staff within these companies, are serving on the frontlines. When an attack happens, these men and women become active combatants in cyber warfare. Most of them fail or fail to start because they do not know where to begin. They are not trained and are not battle-tested. The same can be said for many within larger organizations as well. Given the gravity of the situation and the depth of the vulnerability, increased regulatory intervention along with federal investment seems unavoidable.
Regulation alone is not a solution, but it does establish baseline security standards and provide much-needed funding to support defenses. Standards have come a long way and are relatively mature, though there is still a tremendous amount of gray area, and a lack of relevance or attainability for certain industries and smaller organizations. The federal government must prioritize injecting funds into cybersecurity initiatives, ensuring that even the smallest entities managing critical infrastructure can implement strong security measures. With this funding, we must build a strong defense posture and cyber resiliency within these private sector organizations. This involves more than deploying advanced tools; it requires developing skilled personnel capable of responding to incidents and defending against attacks. Upskilling programs should focus on blue teaming and incident response, ensuring that organizations have the expertise to manage their security proactively.
A critical component of effective cybersecurity is understanding and applying the standard risk formula: Risk = Threat x Vulnerability x Consequence. This formula emphasizes that risk is determined by evaluating the likelihood of an attack (Threat), the weaknesses in defenses (Vulnerability), and the potential impact of a breach (Consequence). By focusing on this risk assessment approach, organizations are better positioned to recognize and respond to attacks more quickly.
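A worked application of the formula, added here as an example and not part of the article: a small risk register on a constructed 0-5 scale per factor is ranked by Risk = Threat x Vulnerability x Consequence, and alongside it the risk removed by lowering each asset's vulnerability one point, which shows why the same fix is worth far more on some assets than on others. The asset names and factor values are constructed for illustration.

```python
from dataclasses import dataclass

SCALE_MAX = 5  # constructed 0-5 ordinal scale used for every factor


@dataclass(frozen=True)
class Asset:
    name: str
    threat: int         # likelihood of attack: 0 (none) .. 5 (actively targeted)
    vulnerability: int  # weakness of defenses: 0 (fully mitigated) .. 5 (exposed, unpatched)
    consequence: int    # impact of a breach: 0 (negligible) .. 5 (life-safety / national)


def risk_score(asset: Asset) -> int:
    """Risk = Threat x Vulnerability x Consequence on the 0-5 scale."""
    for value in (asset.threat, asset.vulnerability, asset.consequence):
        if not 0 <= value <= SCALE_MAX:
            raise ValueError(f"{asset.name}: factor {value} outside 0..{SCALE_MAX}")
    return asset.threat * asset.vulnerability * asset.consequence


def rank_by_risk(assets):
    """(name, risk) pairs, highest risk first; ties broken by name."""
    return sorted(((a.name, risk_score(a)) for a in assets),
                  key=lambda pair: (-pair[1], pair[0]))


def mitigation_value(asset: Asset) -> int:
    """Risk removed by lowering vulnerability one point, the factor defenders
    control most directly. Because the formula is multiplicative this equals
    Threat x Consequence, and it is zero once vulnerability is already 0."""
    if asset.vulnerability == 0:
        return 0
    return asset.threat * asset.consequence


def rank_by_mitigation_value(assets):
    """(name, value) pairs, most risk removed per point of hardening first."""
    return sorted(((a.name, mitigation_value(a)) for a in assets),
                  key=lambda pair: (-pair[1], pair[0]))


# Constructed sample register for a small utility (illustrative values only).
SAMPLE_REGISTER = [
    Asset("pipeline SCADA historian", threat=4, vulnerability=3, consequence=5),
    Asset("billing web portal", threat=5, vulnerability=4, consequence=2),
    Asset("break-room smart TV", threat=2, vulnerability=5, consequence=1),
    Asset("offline backup vault", threat=3, vulnerability=0, consequence=5),
]

if __name__ == "__main__":
    for name, score in rank_by_risk(SAMPLE_REGISTER):
        print(f"risk {score:3d}  {name}")
    for name, value in rank_by_mitigation_value(SAMPLE_REGISTER):
        print(f"per-point hardening value {value:3d}  {name}")
```

Note that the smart TV carries the highest vulnerability score yet the lowest hardening value: with low threat and negligible consequence, a point of vulnerability there buys almost nothing, while the same point on the historian is worth ten times more.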
During this training period and beyond, maintaining a relationship with a battle-tested incident response team who also aids in the development and management of a strong incident response plan is essential. Consulting organizations and service providers must enhance the focus on in-depth security automation and dispense with the profit-driven cafeteria menu of vendors. Managed detection and response (as well as automation to this end), cyber threat intelligence, attack surface analysis, and risk-driven threat consulting should be standard operating procedure for organizations of all sizes involved in US critical infrastructure.
While the situation seems dire, hope must remain ever-present. Our national security, from a cyber perspective, hinges on the cybersecurity capabilities of private sector entities. The stakes are high, but failure is not an option. By honestly recognizing the vulnerabilities, investing in cybersecurity, and uniting and upskilling our cyber personnel to serve on the frontlines, we can build a resilient defense against the ever-evolving landscape of threats. All industries and sectors, both private and public, must work in tandem and become radically open to information sharing. This fight can only be won together. The time to act is now, ensuring that our essential services are secure in the face of growing digital dangers.
About the Author
Chris Storey currently serves as the Director of Business Development at Qriar, a company known for its expertise in implementing, integrating, and customizing cybersecurity products and services, spanning EDR, Attack Surface Management, Privileged Access Management, Identity Governance and Administration, SIEM, and Secure API Management. He brings over eight years of experience in business development, sales, and account management, with a specialized focus on cybersecurity solutions.
His passion is rooted in delivering exceptional customer service and cultivating enduring client relationships. Chris possesses a knack for unraveling complex issues and fashioning tailored solutions. Certified in Identity and Access Management, Privileged Access Management, and Threat and Vulnerability Management, he blends innovation with time-tested approaches. Chris's ultimate aim is to be a dedicated cybersecurity partner and advocate, helping companies fulfill their security and business objectives.