In this five-part series CISO Brian Lozada examines the state of cybersecurity in our nation’s critical infrastructure, what is at risk, what makes it unique and what measures can be taken to bolster its safeguards.
In the second article, I more closely examined these evolving threats, the challenges of cyberwarfare and the key adversaries the United States faces on the digital battlefield. In this installment, I will review past initiatives to secure the nation’s critical infrastructure, including the Obama Administration’s 2013 executive order.
Past Initiatives to Protect the Nation’s Critical Infrastructure
In President George W. Bush’s 2003 National Strategy to Secure Cyberspace, he identified the Department of Justice and the Federal Bureau of Investigation (FBI) as the two government agencies given the responsibility of leading “the national effort to investigate and prosecute cybercrime” (FBI).
The FBI, however, has a dual role in that it is expected to “prevent harm to national security as the nation’s domestic intelligence agency” and “enforces laws as the nation’s principal law-enforcing agency” (FBI). Because of this double responsibility, the FBI is able to handle cybersecurity threats to the nation that stem from any source, whether from nation-states, terrorist organizations or criminal enterprises.
In the same year, Bush issued the National Security Presidential Directive 54/Homeland Security Presidential Directive 23, which created the Comprehensive National Cybersecurity Initiative (CNCI), a formal effort to further protect federal government systems from cyber threats and attacks.
In 2004, The Department of Homeland Security formed the National Cyber Security Division (NCSD) to partner with government, industry, and academia to further safeguard the nation from such attacks.
The NCSD collaborates with other members of the U.S. Intelligence Community to formulate strategies and tactics, including the Cybersecurity Preparedness program and the National Cyber Alert System, to use in preventing and responding to the growing threat of cyberattacks on the nation (Kraft, 2012).
President Obama revised the National Security Presidential Directive 54 in May 2009 and appointed an Executive Branch Cybersecurity Coordinator in the White House; this appointment ensured that the Executive Branch would have a responsibility to work closely with both local and state governments to foster a unified response to cyber incidents, as well as to improve cyber-related information sharing amongst all levels of government and the private sector.
In May 2011, an International Strategy for Cyberspace was issued to state the nation’s intentions of continued deterrence of “malicious actors” who seek to disrupt internet networks. In addition, Obama announced legislative proposals intended to improve cybersecurity initiatives within the private sector (Kraft, 2012).
In 2012, Obama launched another legislative proposal in which he declared that “threats to cyberspace pose one of the most serious economic and national security challenges of the 21st century for the United States and our allies” (Dowdy, 2012, p. 129). The key threats, according to Dowdy (2012), target the critical national infrastructure, the government’s classified information, and the intellectual property of the private enterprise.
The following year, in his State of the Union Address on February 12, 2013, Obama made mention of the importance of dealing with the threats of cybersecurity and how those threats may impact our nation in years to come. In his address, he stated, “America must also face the rapidly growing threat from cyber-attacks and our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems” (Osawa, 2013).
He further revealed that he had signed a new executive order “that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs, and our privacy” (Osawa, 2013).
The executive order further defined critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” (National Institute of Standards and Technology, 2014, p. 2). In this address, Obama brings to light the transformation of cybersecurity as a top priority in national and international security in recent years.
Further, in his State of the Union address, Obama expressed concern over the exposure of national critical infrastructures on the Internet, stating that “enemies of the U.S. are seeking the ability to sabotage our power grids, financial institutions, and air traffic control systems” (Salane, 2013, p. 1).
To support Obama’s proposed legislation to better safeguard the nation against potential cyberattacks, the government and private sector developed a voluntary, risk-based Cybersecurity Framework to set forth standardized guidelines to act as industry standards and best practices to assist organizations in managing cybersecurity risks (National Institute of Standards and Technology, 2014).
The executive order issued by the White House in response to this address, Improving Critical Infrastructure Cybersecurity, set out to improve the cybersecurity of the nation’s critical infrastructure through voluntary, collaborative efforts involving federal agencies and owners and operators of privately owned critical infrastructures.
One of the key elements that former DHS Secretary Janet Napolitano identifies in the 2013 executive order is to improve the sharing of information related to “cybersecurity threats, vulnerabilities, attacks, prevention, and response both within and across sectors” (Fischer, Liu, Rollins, & Theohary, 2013, p. 6). A second focus is to develop standards and best practices to prevent cyberattacks against the nation’s core critical infrastructures (Fischer, Liu, Rollins, & Theohary, 2013).
In my next article, I will break down the framework, assess its pros and cons, and draw final conclusions about its effectiveness in preparing organizations for future cyberwar.