Defining Success for Critical Infrastructure Cybersecurity Policy
2021-03-11 - 8 minute read. Written by Sean Atkins [1]
Since the late 1990s, U.S. policy to secure its critical infrastructure from cyber threats has been based on a semi-voluntary partnership between government and private industry. [2] The voluntary component primarily takes the form of coordination and information sharing between government agencies and firms. The less voluntary elements include sector-specific regulations and other purposive government efforts to compel, induce, or help private owner-operators of critical infrastructure take certain actions on cybersecurity. This general approach makes sense given that the vast majority of critical infrastructure, from financial services to pipelines and from the power grid to telecommunications, is owned and operated by private industry.
However, despite the importance and urgency of the challenge — reaffirmed by the recent SolarWinds hack — the government has yet to articulate in clear strategic terms what its policy aims to achieve. A definition of “success” to guide its public-private partnership approach is missing. As a result, the current policy regime resembles an improvised patchwork, pieced together over time in response to newly discovered vulnerabilities and threats. Strategic direction based on clear long-term objectives is essential to get ahead of dynamic security challenges.
On 10 December, the Center for International Studies (CIS), in partnership with IPRI, Cybersecurity at MIT Sloan (CAMS), and CyberPolitics@MIT, hosted a panel discussion aimed at defining what long-term “success” might look like. [3] The panelists included:
- Mark Montgomery, Executive Director of the Cyberspace Solarium Commission;
- Joel Brenner, CIS Senior Research Fellow;
- Larry Clinton, President, Internet Security Alliance; and
- Tony Sager, Senior Vice President of the Center for Internet Security.
The panelists brought deep expertise on this issue, derived from practice and policy experience in both industry and government. Despite their differing perspectives and distinct ideas about what constitutes “success”, there was general agreement on its central themes, with some variation on how they should be manifested in practice. Together, they outlined a more holistic vision for government-industry partnership than currently exists in policy. A summary of four key takeaways from the event follows.
Event Outcome Summary and Takeaways
Critical infrastructure cybersecurity policy should be guided by a broader vision of success that addresses not only the technological challenges to cybersecurity, but its economic and behavioral foundations as well. This means both elevating thinking above the technical and organizational mechanics of the problem, and identifying measures of progress that account for the changing threat context. More specifically, this involves four key elements: (1) a comprehensive and integrated strategy, (2) a high-functioning public-private partnership, (3) organized and capable government leadership, and (4) a system of tailored incentives (both positive and negative) for firms to make appropriate investments.
- The U.S. should possess a comprehensive strategy for altering the current state of affairs in a manner that reduces adversaries' motivation or ability to conduct significant cyber-attacks on, or produce significant effects against, critical infrastructure. The basics of U.S. cyber-strategy (standards setting and information sharing) have not meaningfully changed since they were established in the 1990s, while the strategies of its top cyber competitors have advanced in both sophistication and scope. Moving forward, U.S. strategy should adjust the underlying economic calculus for attackers and defenders (which currently favors attackers) and develop mechanisms for effective risk decision-making. Participants varied on how comprehensive this strategy should be, from a narrower focus on factors and actors directly related to cybersecurity to a much broader scope that includes improving the competitive advantage of U.S. technology firms.
- The U.S. should have a high-functioning public-private partnership that works in all critical infrastructure sectors. Government and industry are tied together in this challenge, and the capabilities and authorities required to address it are split between the two. A full and equitable partnership structure is needed to build unity and to execute an effective digital strategy. This means having a robust vehicle for flexible collaboration on prevention, as well as practiced response and recovery to build resilience. It also involves more purposeful information sharing that not only feeds operational activities but also improves risk decision-making. This form of partnership should be consistent across sectors, with each sector's government agency uniformly reliable in its engagement and risk evaluation. Participants saw a range of possible manifestations of this partnership, from joint government-industry “war rooms” that enable shared awareness and collaboration, to broader preplanning and exercising for potential significant cyber-events.
- Government leadership should be better organized and more capable. The cybersecurity challenge to critical infrastructure is interwoven across the economy, which means that the government needs to organize the various capabilities and talent that exist across the nation, including the private sector, government, and the non-profits that often serve as intermediaries and facilitators. This is a more actively engaged leadership, going beyond the roles of convener, funder, or regulator. The form this leadership should take varied by participant, from the creation of a National Cyber Director to a White House Office of Digital Security Strategy with a broader mandate and greater staff, budget, and authorities.
- The U.S. should have a system of well-fitted incentives (both positive and negative) to address the underlying economic and behavioral challenges to critical infrastructure cybersecurity. There is a gap between what commercial demands require and what national security demands require, and firms should not be expected to make uneconomic investments to close that gap. Adjusting the economics to make up the difference requires building incentives tailored to each sector's characteristics. A menu of options could include tax incentives for some markets, procurement incentives, and creative forms that cost the government nothing (such as safety-record preferencing, as is done with pharmaceutical companies). This also includes redressing liability gaps (for instance, for firms that knowingly sell insecure goods that make critical systems more vulnerable).
[1] Sean Atkins is an MIT Political Science PhD Candidate and active duty US Air Force officer. The views expressed here are those of the author and do not necessarily reflect the official policy or position of the Air Force, the Department of Defense or the U.S. Government.
[2] PDD-63 (Presidential Decision Directive/NSC-63). 1998. Critical Infrastructure Protection. May 22. Accessed January 7, 2021 https://fas.org/irp/offdocs/pdd/pdd-63.htm
[3] This event was part of a continuing research project led by Chappell Lawson and Sean Atkins. It can be found at: https://www.youtube.com/watch?v=tl2PdxaZTSY.