Analyzing United States Infrastructure Cyber Readiness

Analyzing United States Infrastructure Cyber Readiness

During the Cold War, the United States was worried about the possibility of a nuclear attack, an imminent land invasion by Russians, and an all-out war on the continent of Europe. However, as we fast forward to the modern day, the issues and realities of war are a lot more abstract. The concept of fighting large land battles may be preceded by engrossing and long-lasting conflicts in the cyber space. No longer is the importance of taking out the white house. Rather, the likely target for said cyber-attacks are critical points in our infrastructure. In this paper I will be discussing the United States critical infrastructure and its importance. Then I will be talking about the US cyber readiness, comparing the United States readiness with Germany and then I will be recommending a possible solution to enhance the countries cyber readiness.

 As stated in PPD-21, there are 16 infrastructures deemed critical. The 16 critical infrastructures are the Chemical, Commercial facility, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Emergency Services, Energy, Financial Services, Food and Agriculture, Government, Healthcare and Public Health, Information Technology, Nuclear power and waste management, Transportation services, Water and wastewater services. The PPD-21 states that a critical infrastructure is something, “…whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”. Each one of these infrastructure sectors is and will continue to be a continuing target for potential attackers. In 2015, Russians took control of Prykarpattyaoblenergo Control Center (PPC) which left over 200 thousand people in Western Ukraine without power (IRMI). Although not the United States, the affect that such a targeted attack on one of our critical infrastructures could devastate our economy and our readiness.

 Even after creating executive orders and trying to form partnerships, the government admits that the country is woefully prepared for intense and targeted strikes against critical infrastructure. A testimony from James A. Lewis, the senior vice president of the Center of Strategic and International Studies, stated that for the longest time that the first federal cyber security policy implemented in 1998 focused on the wrong actors, that of terrorists or non-state actors. That in fact, the real threat posed to our infrastructure would and will come from Nation states like Russia, North Korea, China, etc. (james). All four countries have probed our defenses and infrastructure, all with varying degrees of success. Lewis testifies that if our most important sectors are targeted (energy, finance, telecommunications, government) by any of those large state actors, that we could not defend them. Another issue Lewis describes is that of the sectors that can defend themselves it is because they are larger businesses. Those resources may not be available to smaller and medium size businesses possibly leaving them unsecure.

This overall lack of readiness has been described by Micheal J Bayer and associates Naval Cyber Security Review as flatfooted cyber security readiness. Bayer and associates describe this flat footedness as a key reason why our nation’s economic, military, and technological advantage has been eroded by IP theft, cyber intrusions, and cyber-attacks (Naval). They claim that this flat footedness stems from a combination of problems from people, cultural, process, and resources.

The private industry sees the United States cyber security readiness as lack luster as well. In an article posted by the Insurance Journal, it stated that ever since the 2015 sanction of Iran and the backing out of the oil deal, cyber-attacks on critical infrastructure have sharply increased. Using mass Phishing schemes and targeted attacks at higher up personnel, it is clear that the United States is becoming more and more a constant target and the fact that these attacks are happening indicates that they must be working on some level (insurance).

Innovation creates adaptation and innovation and the private industry is no different. Although most business in a study done by RedTeamSecure claim that the United States readiness could be improved; that only a successful attack or disruption would increase the budget for a majority of security programs and teams. Attitudes about risk appetite and tolerance are key factors in private businesses, the majority owners of critical infrastructures, in improving cyber readiness.

An article on Thirdway.org by Mehta lists a lot of issues with cyber security in the United States and a key point on that list is that the United States does not have a comprehensive plan aimed at the nation state attacker. Especially in how, as Mehta states, “still lacks a comprehensive strategic approach to how it identifies, pursues, and punishes malicious human cyber attackers and the organizations and countries often behind them.” 

 One of the first actions taken by the White House in regard to cyber security was the PPD 63 in 1998 as a first step measure to decrease the threat of cyber-attacks on critical infrastructure. In 2003 PPD 63 was later renamed to the “National Strategy to Secure Cyberspace”. Later in 2008, the Comprehensive National Cybersecurity Initiative (CNCI) was codified by NSPD-54 and HSPD-23 which had the main goals of setting up creating a baseline for security, a plan to continue said security, and the future growth of security practices the country. However, with time certain focuses change when it came to cyber security. In response to the current state of the United States cyber readiness, the federal government has attempted to implement multiple methods in order to increase the countries cyber readiness. Critical Infrastructure is largely owned by private industry, yet it is the Federal government that has to help mandate laws and defend against outside state and terrorist cyber threats. In a testimonial by the Department of Justice associate deputy Suji Raman, Readiness for potential attacks on critical infrastructure is a shared effort. Raman states, “The Department recognizes that the private sector requires timely cyber threat information to secure its systems.”. On August 9^th, 2017, President Trump issued Executive Order 13800 “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”. The executive order pushed for a standard following of NIST guidelines, similar to Obamas Executive order in 2013, and put a 90-day timeframe down for a plan to implement NIST security Policies in place for all department heads. President Trump also created an executive order in order to help foster a stronger and more robust federal cyber security workforce. There is a large gap between the number of jobs needed filled and the number of eligible cyber security experts to fill said jobs.

 However, despite making broad executive orders, many state that said executive orders are fairly ineffective. Executive orders allow the President to bypass the other branches in order to set a mindset in the country, but it is not legally binding legislation. Therefore, it is assumed that the country, legislators, and other policy makers will follow the course set by the executive order. The Wired author Ishan Mehta states that although the white house has signed multiple executive orders to enhance the nations cyber readiness it still has not developed an overarching strategy to tackle the numerous cyber-attacks on our infrastructure. Mehta states that for every 1,000 cyber-attacks only 3 see an enforcement response. Under President Trumps leadership, cyber security readiness has actually waned. In [date], the national security advisor John Bolton issued the statement that saw the Cyber Security Coordinator position in the white house removed. Former Secretary of State Rex Tillerson even had the Office of The Coordinator of Cyber Issues removed as well as cancelling funding for major cyber training camps (Wired). Politics and Mehtas thoughts on the current government aside, it is clear that there is restructuring going on in the White House that may seemingly affect the nations cyber readiness.

 To better understand the current state of the United States cyber readiness it is advantageous to compare it to a similar nation-state. In this case it will be Germany. Using the Potomac Institutes Cyber Readiness Index (CRI), there are a few key differences between the two. The United States has a much higher capability of responding to cyber incidences than Germany does. Multiple state departments run cyber security exercises and the United States on a global scale is a western world leader in Cyber Security response teams. Research and Development into cyber security is also a strength of the United States. Leading the R&D are  groups like DARPA, Homeland Security Advanced Research Agency (HS-ARPA), and Intelligence Advanced Research Projects Agency (I-ARPA), the United States can stay on top of the most current technology, practices, and theories that relate to cyber security. Dakota State University and other schools benefit as well by getting funding from  the NSF for promoting research in computer science and cyber security.

 However, Germany’s national strategy is a lot stronger and shows a glaring hole in the United States lack of having a coherent strategy. In Microsofts’ 2017 Security Intelligence Report, Germany scored high compared most countries when dealing with Malware and cyber-attacks. Germany, Microsoft states, has been building on the German Security IT law passed in 2015 to create a better partnership of information sharing between businesses and companies. An issue that both the United States and Germany are having is a man power issue. An article on DW discusses Germanys need for more trained personnel and the incentives to attract them into a cyber program. President Trump earlier had signed an Executive Order to help promote an increase in cyber staffing, especially in the Federal government.

 The United States Cyber Readiness is a situation that requires more time and planning. The federal government has a large numbered staff that are trained for response measures, a large and robust research and development aspect when it comes to cyber security, and we are a world leader in sharing and dispersing information. For the last 10 years the White House has put down possible paths, mindsets, and more cyber ready cultures with the numerous executive orders. From what the private industry has stated, looking at cyber security plans implemented by Germany, and the overall effectiveness of the past policies by the White House  I believe the best course of action for the white house to take is to officially implement legislation towards a unified and coherent national strategy. The United States government and Private industry, a large holder of the countries critical infrastructure, needs not only guidelines but the legal motivation to better themselves and a real, solidified relationship with the Federal government so that Cyber Readiness can be dispersed between them. There are guidelines and frameworks out there that are not law but are incredible jumping points for a standard ideal of cyber readiness and security. NISTIR 7621 and the ISO 27001 family could be a great base to implement as a legal standard when it comes to cyber readiness.

 Overall, the United States will have its hands full now and in the future. With the future of Cyber-attacks and conventional Cyber warfare becoming more of a norm, the US will have to be continually improving itself in order to defend its 16 critical infrastructures. Keeping them intact and safe from terrorists and the more likely state actors will keep the United States from having a potential crisis. The current United States cyber readiness is in a confused position. With the current administration coming out with pro-cyber executive orders but not having any real teeth to real legislation, the cyber readiness has been in neutral for a few years. Some analysts even claim we are sliding backwards. Comparing the United States with Germany, it is clear that for its faults, the United States has a fairly complex response rate, research and development, and education when compared to Germany. However, Germany has a more focused national strategy when it comes to cyber readiness. Germany has a clear plan and legislation to work with private companies in order to increase overall security. This lack of a national strategy when it comes to cyber security is my biggest recommendation. Even just having a clear and required base for cyber security using already established and fleshed-out frameworks like NISTIR 7621 and the ISO 27001 family would be a difficult but necessary first step. In the end, cyber security will continue to be a growing topic in the years to come and it will show dividends if the United States removes itself from the neutral state it has been in the last few years and pushes itself to becoming the world’s leader in cyber security again.

• “CRI Germany Profile.” 2018.
• Bayer, Micheal J. “Cyber Security Readiness Review.”
• Deutsche Welle. “Germany Struggles to Step up Cyberdefense: DW: 07.08.2018.” DW.COM, https://www.dw.com/en/germany-struggles-to-step-up-cyberdefense/a-44979677.
• “Germany Steps up Leadership in Cybersecurity.” Microsoft Security, 20 Mar. 2019, https://www.microsoft.com/security/blog/2017/03/28/germany-steps-up-leadership-in-cybersecurity/.
• “Iran Increases Cyber Attacks on U.S. Gov’t, Infrastructure: Cyber Security Firms.” Insurance Journal, 24 June 2019, https://www.insurancejournal.com/news/national/2019/06/24/530257.htm.
• Lewis, James A. “Cyber Threats to Our Nations Critical Infrastructure.”
• Marks, Joseph. “The Cybersecurity 202: U.S. Businesses Are Preparing for Iranian Hacks after American Cyberattack.” The Washington Post, WP Company, 24 June 2019, https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/06/24/the-cybersecurity-202-u-s-businesses-are-preparing-for-iranian-hacks-after-american-cyber-attack/5d1007a81ad2e552a21d507f.
• Mehta, Ishan. “Under Trump, the Fight Against Cybercrime Has Waned.” Wired, Conde Nast, 27 June 2019, https://www.wired.com/story/under-trump-the-fight-against-cybercrime-has-waned/.
• Talamantes, Jeremiah. “Risk Readiness Is Critical for Infrastructure.” RedTeam Security, RedTeam Security, 15 Apr. 2019, https://www.redteamsecure.com/risk-readiness-critical-infrastructure/.
• “The Growing Threat of Cyber-Attacks on Critical Infrastructure.” Threat of Cyber-Attacks on Critical Infrastructure | Expert Commentary | IRMI.com, https://www.irmi.com/articles/expert-commentary/cyber-attack-critical-infrastructure.
• “To Catch a Hacker: Toward a Comprehensive Strategy to Identify, Pursue, and Punish Malicious Cyber Actors – Third Way.” – Third Way, https://www.thirdway.org/report/to-catch-a-hacker-toward-a-comprehensive-strategy-to-identify-pursue-and-punish-malicious-cyber-actors.