As news of DDoS attacks against U.S. airport websites broke last week, many experts and government officials quickly assured the public that airport operations were not affected, and safety was never a concern. While these statements are decidedly correct and incredibly important to note, we were struck by what they didn’t say as much as what they did.
These are the threats we’ve been worried about. For years, current and former government officials and cybersecurity experts have been warning that the risk calculation for critical infrastructure, such as airports and other elements that support our daily way of life, has changed.
As is widely recognized, risk is a function of three elements: threat, vulnerability, and consequence.
Threat. Until relatively recently, many critical infrastructure owners assumed that the threat of cyber-attacks on their assets was low. This was, in part, because of assumptions that cyber-attacks were likely to be launched by nation-state actors – and that nation-state actors would be cautious about conducting attacks against U.S. critical infrastructure for fear of retaliation or wider negative geopolitical or economic impacts. As experts have been warning, attacks such as those last week show that non-nation-state actors are more than capable and are not constrained by these traditional norms. We also now see nation-state actors’ willingness to defer to aligned non-state actors in order to avoid repercussions.
Vulnerability. Similarly, many critical infrastructure owners were first focused on kinetic risks from cyber-attacks. While preventing planes from falling from the sky or explosions at airports is absolutely a top priority, that alone is not enough. Other systems that contribute to functioning critical infrastructure operations – particularly “back office” or public-facing ones – are vulnerable as well.
Consequence. With the evidence of a growing number of these types of attacks, critical infrastructure owners must re-evaluate their perception of consequence. Among other issues, these types of attacks, especially over a protracted campaign, erode public trust and the perceptions of safety that are essential for U.S. critical infrastructure. As recent high-profile events such as the Colonial Pipeline ransomware attack have demonstrated, these types of attacks do not have to result in a kinetic outcome – they only need to erode public confidence that operations are secure and safe to have a detrimental psychological and economic impact. Similarly, we’ve seen that our analysis of consequences should consider not just the direct impacts to one node or one organization, but impacts across an industry or a supply chain, given the inherently interconnected nature of critical infrastructure.
Many in government, industry, and nongovernment organizations have seen the evolving risk these types of attacks pose across critical infrastructure and have long been working to increase both awareness of this changed calculus and the capability across the sectors to mitigate and remediate these risks. Critical infrastructure operators will have to broaden their risk calculus and work to securely configure their attack surface against the expanded threat landscape, despite a lack of capacity and depth in their organizations. With a persistent adversarial threat to the public’s trust in critical infrastructure, leveraging public-private partnerships and shared resources to expand cyber defenses and countering the potential for loss of public confidence in the operations of U.S. infrastructure will be all the more vital. Leaders across the community recognize that we shouldn’t expect critical infrastructure owners and operators to do this alone – or that every owner or operator will have the internal expertise needed. We must continue to build the connectivity in the community, creating the strong relationships needed not only to share information and expertise, but also to better understand and evaluate that shared risk. We must also continue to advance options that provide owners and operators with tools and expertise that mitigate risk and can be relied upon.