Cybersecurity and Infrastructure Security Agency Assistant Director for Infrastructure Security Brian Harrell wants stakeholders at the industry and community levels to be prepared, among other critical threats, for potential attacks from above — particularly as off-the-shelf drones can be easily modified to carry an explosive, biological or chemical payload.
“This is not an emerging threat. This was emerging five years ago. This is here. It is now,” Harrell told the Government Technology & Services Coalition’s EMERGENCY MANAGEMENT 2019 event.
As CISA focuses on the counter-UAS mission, the agency must “provide those recommendations to the private sector to prepare critical infrastructure.”
“Private industry does not own the airspace above generation facilities, above a transmission substation, above a water plant — so the overhead threat for attack is absolutely real today,” Harrell stressed.
Harrell also suggested that “if you are in industry, and you own a foreign-manufactured drone and it is operating in your system, you are potentially incurring and introducing risk into your system… as that drone is flying, it could be mapping infrastructure, it could be looking at very critical and key things on your system. So does it matter to you that that data is possibly going outside of your system or outside the United States? I’m sure the answer is yes.”
The Department of Homeland Security intends to push out an alert to industry in which “we detail the threat and we also suggest mitigation measures for what to do about it.”
Federal officials will utilize the Information Sharing and Analysis Center channels, among others, to pass this alert along to industry.
“If I know something, you should know something as well,” Harrell said. “I refuse to simply sit on some security threat information and keep it to myself. This needs to be out in industry so you guys can make the procurement decisions and protect your systems.”
At CISA, he stressed, the first question in taking threat intelligence and determining a course of preemptive action is “what is the value to the private sector.”
“In everything we do we’ll provide value. I do not want to see things over my tenure here that go out of my shop simply to sit on someone’s desk and collect a pile of dust,” Harrell said. “Whether it’s an assessment, whether it’s a private-sector clearance, whether it’s active-shooter training, it needs to provide you value — something you can immediately pull out of your back pocket and be safer today versus what you were yesterday.”
“At the end of the day our job is to help protect critical infrastructure to this country in lockstep with private industry and our federal partners” — protecting the country’s 16 critical infrastructure sectors including water, energy and agriculture from threats posed by nation-states, man-made events and natural disasters. To help do that, CISA is “maintaining a significant field presence” and is on the ground in every U.S. state and territory.
“When things go bump in the night, and there’s a problem whether it’s malware on a utility system, whether it’s a pipe bomb that goes off on a natural gas pipeline somewhere in the country, we will be there; we are a moment’s notice away and we will provide that subject-matter expertise as quickly as we possibly can if requested,” Harrell said.
Infrastructure priorities for the agency include threat awareness and mitigation assessments for soft targets and crowded places, including school campuses that could benefit from preparedness expertise. “We need to be able to provide that road map to say ‘good security looks like this,’” he said.
In August, CISA plans to launch, in coordination with the Justice and Education departments, a new SchoolSafety.gov website with simple resources that will “provide useful resources for school administrators to use” on security measures ranging from lighting to alarms to access control.
Another priority is the insider threat, as “the next major infrastructure attack — potentially, with high likelihood — likely comes from an insider attack, somebody with institutional knowledge as to how to bring somebody to their knees.” As the Internet of Things expands, Harrell said, it’s critical not to look at security in silos and to prepare for hybrid attacks: “Your physical security systems potentially have a cybersecurity vulnerability.”
CISA has placed a focus on coordinating cross-sector operations and “collective defense” with a “whole-of-government outlook” in protecting infrastructure as “we are all in this together.”
Harrell also emphasized the threats from China — the most active cyber-espionage threat — and Russia, which harbors “significant capabilities.”
“Russia wants to poke us in the eye and make us turn on each other — and, quite frankly, they’ve done a pretty successful job of that,” he said. “But China is stealing our data, mapping our systems and acquiring our secrets.” Collective defense — the government, industry and citizens working together — is especially critical to confront the threat, he emphasized, and corporate culture needs to evolve to incorporate daily security conversations “not just after a breach.”
Harrell also wants to make sure that stakeholders are utilizing the information and training resources amassed by CISA to help keep industry and communities safer.
“We have put out a lot of documents, a lot of videos, we’ve spent millions of dollars on things that nobody knows about. And this needs to change. I do not need you to go back and reinvent the wheel when I have a great million-dollar video for you to utilize on vehicle ramming, on counter-IED, on UAS, trying to defend against the overhead threat,” he said. “We have this information — and right now my appeal, and my call to arms on this, is to engage industry, engage the Hill and say ‘look, we have these things that we should already be using.’ It’s already paid for.”