The nation’s critical infrastructure that we rely on – the power grid, communication channels, financial systems, etc. – increasingly requires cybersecurity expertise and management in today’s connected world. From protecting the intellectual property that drives our technological leading edge, to closing the back doors that can be used to infiltrate and disable systems, securing critical infrastructure must be a priority for both the public and private sectors.
This was emphasized at a DC CyberWeek discussion hosted by Georgetown University, where cybersecurity experts urged a greater understanding of cyberspace and increased United States government support for improving cybersecurity. Panelist John Wood, CEO of Telos Corporation, offered a thought which I believe is a major wake-up call: “In 1999, the Chinese government made the decision that they couldn’t beat us militarily, and they couldn’t beat us financially — and that remains to be seen — but they decided to build a cyber-warrior program, and this past year, the Chinese government graduated just under 2 million cyber warriors.”
As a cyber professional supporting US Government contracts, I agree with the need to close the gap in cybersecurity funding, professionals, knowledge, and supply chain risk management to reduce vulnerabilities introduced to critical infrastructure via third-party researchers, developers and vendors. It’s a topic worth exploring as we conclude National Cyber Security Awareness Month and embark on Critical Infrastructure Security and Resilience Month.
When it comes to integrating the latest and greatest technological breakthroughs in cybersecurity, we almost certainly consider the benefits first, in the form of cost savings, systems efficiency and profitability, rather than the risks and the need for rigorous vetting. When breaches occur and vulnerabilities are discovered within our systems, however, we must dedicate enormous time and resources, halting crucial business operations, to go into full crisis mode. Reacting this way has an adverse effect on productivity, profitability, consumer confidence, and competitiveness; typical knee-jerk reactions are often met with typical knee-jerk solutions, which often become permanent until the next vulnerability is identified. Does the game “whack-a-mole” come to mind?
At Secure Halo, we believe that to protect critical infrastructure, every phase of technology integration is crucial and must be closely examined. Here are suggestions on ways to monitor three critical phases of technology integration – research (conception), development (manufacturing) and fielding (deployment).
Phase 1: Research (Conception)
- Academia: Most technology-oriented research that impacts critical infrastructure is most likely done through academic partnerships. At any given time, unknown personnel who are affiliated with the academic institution’s research lab, such as students and professors, are exposed to this critical research. Understanding the role of adjunct professorships, visiting scholars and foreign exchange students is crucial for the integrity of technology research intended for critical infrastructure.
- Collaboration: Secure Halo considers all personnel involved in a product’s research phase to be critical and knowledgeable, regardless of time spent on the project. Adversaries, whether nation-states or competitors, are constantly seeking personnel with exposure to said research in order to develop a competitive edge. Collaboration opportunities in this phase are frequent; therefore, it is expected that researchers might be exposed to would-be adversaries during this time. We suggest that organizations implement effective policies that appropriately account for collaborative environments.
- Funding: As a result of donations and gifts given to academic and research centers, it is often implied that donors and grantors might want to have insight into other ongoing sensitive projects. We encourage policies that legally enforce integrity and non-disclosure of sensitive projects.
- Travel: Individuals who are involved in research must understand that they are targets while traveling abroad. Foreign state security and intelligence services employ creative methods to obtain sensitive information. Travel light and assume that anything brought abroad can be stolen or tampered with.
Phase 2: Development (Manufacturing)
- Third-party vendors: In the development phase, it is important to understand that several parties are most likely involved in the development of crucial components to said technology. Secure Halo deems third-party vendors just as critical as those spearheading the development effort. Who are these members of your supply chain? What accountability policies are in place to ensure that this information is not being disclosed and examined?
- Performance: In a world where we might consider cost and savings ahead of security and integrity, we may overestimate the performance and competence of developers and manufacturers – are their products proven in the marketplace? If so, how do you know this? Not all vendors are obligated to disclose these details, and in some cases, disclosing known product performance issues is voluntary.
- Joint Ventures: It happens. Developers and manufacturers are incentivized to share and collaborate in order to fulfill joint venture partnership obligations – are your research and concept development a part of these exchanges?
- Information Security: Do your vendors’ security practices align with your own standards? Do you have contractual requirements to meet such standards, or notify you of a breach? Have you thought through which of your vendors are critical to your project and the impact if their services or products were interrupted by a breach or cyber attack?
Phase 3: Fielding (Deployment)
- Managed services: This phase is critical, and organizations must be clear on what their plan is for servicing technology introduced to critical infrastructure. Some organizations may want to keep all servicing aspects in-house; however, who services the product once an issue is beyond the capability and bandwidth of the organization? In the absence of appropriate contract language, developers may outsource servicing to companies that you may know nothing about, including their personnel and location.
- Liability: In a world of cyber intrusions that occur daily, your organization may be held legally liable and accountable by US regulatory agencies in the event of a data breach caused by your organization. Depending on the severity of a breach and data compromised, your organization may be assessed fines and suspensions. Secure Halo encourages you to build appropriate contracts that disclose liabilities and outline the responsibilities of every contributor.
More than 80 percent of America’s critical infrastructure is privately owned. Protecting these critical assets requires focus from both the public and private sectors.