The term “critical infrastructure” is used by governments around the world to describe industries and physical assets deemed essential to their economies and national security. Critical infrastructure industries include agriculture, electricity generation, financial services, health care, telecommunications, and government services like law enforcement and the water supply (i.e. drinking water, waste water, dams, etc.).
Cybersecurity vulnerabilities within US critical infrastructure were first recognized during the administration of George H.W. Bush in the early 1990s, and President Clinton first addressed Critical Infrastructure Protection (CIP) with Presidential Decision Directive 63 (PDD-63) in 1998. Soon thereafter, Deputy Defense Secretary John Hamre cautioned the U.S. Congress about CIP by warning of a potential “cyber Pearl Harbor.” Hamre stated that a devastating cyber-attack “is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.”
Subsequent administrations also took up critical infrastructure protection. President Bush (43) instituted the Comprehensive National Cybersecurity Initiative (CNCI) in January 2008 to re-engineer federal cybersecurity programs, while President Obama issued Executive Order 13636 in February 2013, which led to the publication of the NIST Cybersecurity Framework in February 2014.
So federal cybersecurity programs are nothing new, dating back over 20 years, but how are these programs being received by the security professionals actually working at critical infrastructure organizations? Not very well, unfortunately, and these lapses are happening at an extremely dangerous time, when cyber-threats are getting worse.
How do I know this? ESG surveyed 303 security professionals working at critical infrastructure organizations earlier this year as background for a soon-to-be-published report on cyber supply chain security (note: I am an ESG employee). As part of this project, survey respondents were asked to compare the threat landscape today with two years ago. Alarmingly, two-thirds of cybersecurity professionals working at critical infrastructure organizations believe that the threat landscape today is either much worse or somewhat worse than it was two years ago.
Given the increase in cyber-risk and tight public/private partnership between the US government and critical infrastructure sectors, you’d think that cybersecurity professionals working at critical infrastructure would have a clear understanding of the federal cybersecurity strategy. Regrettably, this is not the case. The ESG research reveals that:
- 5% of cybersecurity professionals working at critical infrastructure organizations believe that the US government’s cybersecurity strategy is extremely unclear and not at all thorough
- 25% of cybersecurity professionals working at critical infrastructure organizations believe that the US government’s cybersecurity strategy is somewhat unclear and not very thorough
- 47% of cybersecurity professionals working at critical infrastructure organizations believe that the US government’s cybersecurity strategy is somewhat clear and thorough
- 22% of cybersecurity professionals working at critical infrastructure organizations believe that the US government’s cybersecurity strategy is extremely clear and thorough
- 2% of cybersecurity professionals working at critical infrastructure organizations don’t know or have no opinion
While these results resemble a normal curve, there is reason to look at this data with pessimism. In spite of over 20 years of cybersecurity dialogue and spending in Washington, fewer than a quarter (22%) of cybersecurity professionals working at critical infrastructure organizations describe the US government's strategy as extremely clear and thorough; the rest express at least some uncertainty about the government's role or its plans for this domain. Clearly, the feds must spell out the government's mission, programs, and objectives in a much more direct and lucid fashion moving forward.
There is a very important corollary within the ESG research as well: While critical industry cybersecurity professionals may be confused about US government cybersecurity programs, they are still looking to Uncle Sam to provide more proactive help. Nearly half (45%) of survey respondents believe that the US federal government should be significantly more active with cybersecurity strategies and defenses while another 38% say that the US federal government should be somewhat more active with cybersecurity strategies and defenses.
In summary, US critical infrastructure organizations are under attack and the cyber-threat landscape is getting worse. While the feds have talked about critical infrastructure protection for over two decades, there is a distinct communication and action gap between Washington and cybersecurity professionals. Nevertheless, these same people on the front lines of critical infrastructure protection want the US government to get more engaged in the cybersecurity battle.
So the succinct message from the trenches is that cybersecurity professionals working at critical infrastructure organizations want less rhetorical chatter and more action from the US government – and the clock is ticking.
If you’d like to read more about this research, there is an ESG research brief available for free download here. Let me know what you think.