What the U.S. Government Can Do to Protect the Grid
To conclude a year-long research project, the Massachusetts Institute of Technology (MIT) recently released a 50-page report asking U.S. President Donald Trump to take action to defend U.S. critical infrastructure from cyberattacks.
“The nation can no longer afford a pattern of uncoordinated executive action and scattershot research. Total security is not achievable,” writes the report’s primary author, former U.S. National Security Agency Inspector General Joel Brenner. “But a materially improved security environment for the infrastructure on which virtually all economic and social activity depend can be created with sufficient resources and political will.”
The report, Keeping America Safe: Toward More Secure Networks for Critical Sectors, was published in March 2017 and discusses eight challenges for the U.S. government to address to increase the electric grid’s cybersecurity. These challenges were identified through a series of workshops held over the course of 2016.
Improve coordination. “Critical infrastructure defense is insufficiently coordinated across the government,” the report says. “Changing the status quo will require a more directive effort from the White House.”
That effort, the report authors say, should include elevating a cybersecurity role to the position of deputy national security advisor for cybersecurity. The deputy would then work on long-term policy to budget for the cybersecurity of critical infrastructure.
Measure risk and infrastructure fragility. So far, the U.S. government has been unable to measure the rate of return on investment for cybersecurity, making it difficult to calculate risk to the electric grid.
The report recommends that the president direct a department secretary to schedule a meeting of experts to “assess impediments to measuring cyber risk and fragility, and to recommend a national strategy to meet this challenge.”
Review laws and regulations. Participants in the workshops that led to the creation of the report “overwhelmingly” said there was a disconnect between mandatory compliance regimes and cybersecurity improvements.
To address this challenge, the report recommends the president draft legislation for “more favorable tax treatment of qualified cybersecurity investment in critical infrastructure and, potentially, throughout the economy, including investment necessary to convert to a more secure Domain Name Service and to more secure border gateway protocols.”
Enable operators. The linkages between the electric sector and the financial sector create the possibility for cascading failures, the report finds.
To prevent this from occurring, the report says the president should direct a department secretary to meet with experts to determine how a “robust cross-sector” simulation could be carried out.
Reduce complexity. Critical infrastructure participants in the MIT workshops said that “unduly complex, and insufficiently secure, hardware, software, and industrial controls were a significant source of cyber vulnerabilities that created physical danger, as well as risk to information.”
To address this, the report recommends that the president direct a department secretary to develop an “accelerated schedule” for incentivizing and producing more-secure and less-complex controls, software, and hardware for critical infrastructure.
Address system architecture. The report found that, on the Internet, security is addressed at the endpoints and is often sacrificed to bring a product to market quickly and at low cost.
“Security professionals from all sectors overwhelmingly believed that certain aspects of their systems could not otherwise be made reasonably secure unless isolated from public networks,” the report says. “There are significant differences of opinion about appropriate degrees of isolation.”
To address this challenge, the president should explore the feasibility of isolating all activity subject to the Federal Energy Regulatory Commission’s jurisdiction to “define acceptable degrees of isolation,” the report says.
Following this, and similar actions by the North American Electric Reliability Corporation, the president should then direct one of his secretaries to consult with stakeholders about the ability to create standards of care for hardware and software manufactured for critical infrastructure use.
Formulate deterrence. While the United States has been effective at deterring outright attacks on its critical infrastructure, it has not been successful at deterring lower-level attacks against its economy and political system.
In response, the report says the president should conduct a review of U.S. deterrence strategy. “That strategy should include, but not be limited to, (i) hardening critical American systems and infrastructure; (ii) raising the price for attacking them; (iii) constructing a diplomatic strategy for achieving verifiable cybersecurity agreements with potential adversaries; and (iv) evaluating the nation’s ability in the long term to maintain offensive dominance in cyberspace and the stabilizing or destabilizing effect of attempting to do so,” the report explains.
Train cyber professionals. The United States—like most nations—is experiencing a cybersecurity workforce shortage.
To prevent the shortage from worsening, the report recommends that the president create a blue-ribbon commission to study the feasibility of “increasing the supply of highly trained computer scientists and engineers, and developing model curricula for training computer scientists and engineers in the defense of critical systems.”