
Why Investments in Better Infrastructure Cyber Defense Are Just a Start

Over the past decade, a host of surveys have shown that Americans and citizens of other Western countries are deeply worried about “cyberterrorism” threats to critical infrastructure. The potential for such attacks often tops the list of national security challenges of greatest concern, and incidents like the 2021 Colonial Pipeline ransomware attack have accentuated this popular unease, even though the fuel access disruptions in that case were primarily caused by the company’s own precautionary shutdown of its pipeline systems rather than by the malware reaching operational technology.

Given such a generalized fear about critical infrastructure (CI) vulnerabilities, recent Department of Energy (DoE) moves to fund cybersecurity innovations aimed at CI protection should be welcomed. The $12 million in funding awarded to research efforts across several major universities will help build the foundations upon which better defense against major energy grid disruptions might rest. However, it is well worth remembering the strategic context within which the United States and other nations have experienced compromise of CI, particularly the grid. A holistic understanding of the geo-strategic underpinnings of cyber threats to CI is critical to building detection, mitigation and resilience techniques that assess risk accurately and keep false positives to a minimum.

In an announcement made in late April, the DoE said it will disburse $12 million to six different research and development initiatives across the country. Tied to the administration’s goals of making energy provision to Americans more efficient, convenient and equitable, these projects each promise to build out knowledge and capabilities that will shore up, in many cases in a preliminary capacity, the cyber defense of electric power systems.

Projects at New York University and Virginia Tech will enhance the capacity for CI operators to localize anomalous behaviors and maintain systems availability even as disruption is ongoing. At University of Illinois at Chicago, researchers will build a new substation specifically around integrated cybersecurity considerations. And three projects – at Florida International University, Iowa State University and Texas A&M – will leverage AI and machine learning techniques to improve cyber threat mitigation capabilities along several lines.

To some degree, of course, the particular risk that these projects seek to address is fairly obvious. Over and above other sectors of CI, the energy grid serves as the foundation upon which all other critical national systems operate, from transportation infrastructure to chemical plants, wastewater systems and emergency services. If the grid is disrupted, so too are those national functions. In some cases, problems with electrical systems would cause immediate and calamitous disruptions. The people of Ukraine experienced such a domino effect during the December 2015 BlackEnergy incident, in which malware and remote access employed by the Russian threat group Sandworm succeeded in taking distribution substations offline across three oblasts for some hours.

That said, the effort to better secure CI and leverage new techniques for infrastructure resilience is critical over and above the simple risk of punctuated disruption. Experts have regularly noted the manner in which foreign compromise of infrastructure systems appears to reflect a deterrence posture of sorts on the part of America’s adversaries. Deterrence is all about cost imposition and generally requires signals of sufficient credibility and urgency that a target can be convinced to stay its present course (i.e. to avoid new hostilities). There are several methods by which countries effect deterrence in international relations, not least of which is the hardening of national defenses to such a level that foreign attack becomes extremely costly, an approach known as deterrence by denial. Unfortunately, that approach has persistently proven infeasible in cyberspace, because formidable national cyber defenses would require robust security habits across entire populations and across a sprawling, privately owned attack surface.

The main alternative to deterrence by denial is deterrence by punishment, in which countries attempt to offensively impose costs on adversaries in such a fashion that specific red lines (this far and no further) might be drawn. It is here that the threat to American CI comes into sharp relief. Extensive compromise of infrastructure control systems and business networks reflects an attempt by nations like Russia to hold critical American assets “at risk.” In other words, compromise of CI allows a foreign adversary to signal its capability and willingness to harm the American economy and industry up front. Those pre-positioned footholds can then be used, as the need arises in international affairs, to cause a more acute disruption that signals more specific wants and intentions. The threat to CI, in short, has serious implications for American foreign policy and promises to constrain efforts to protect national interests.

Simply put, if efforts like those of the DoE can help defuse foreign attempts to hold critical infrastructure at risk, then the degree to which foreign belligerents can transgress conventional expectations of behavior in international affairs might be minimized. Such a result would mean greater American capacity for cyber leadership and more room within which Washington can act effectively during international crises. Particularly given the recent emergence of a new, more isolated normal for a prominent cyber adversary, the Russian Federation, it is easy to see how such programs have unique significance for securing our digital futures.

Unfortunately, of course, there remains a long way to go beyond the kind of programs recently funded by the federal government. While such foundational efforts are critical, promising technical fundamentals need to be married to national cyber defense strategies in order to be most effective in the years ahead. And there are, naturally, a great many challenges in accomplishing such a complex task.

On one front, for instance, matching technical know-how and tactics to strategic knowledge has been perennially difficult in cyberspace. Diverse private industry settings produce a fragmented set of standards, practices and knowledge foundations for strategic planners to plug into. At the same time, cyber conflict strategy and operational theory remain a developing body of knowledge within the defense community. Those involved in national-level cyber defense efforts and those working to protect narrow slices of American IP address space, in other words, often do not speak the same conceptual language, which makes collaboration challenging.


Another challenge for securing CI comes from the growing use of artificial intelligence for cyber defense. While AI promises to solve many conventional problems in the protection of large, often fragmented network spaces, it also presents a new target for foreign belligerents. As many experts have pointed out, AI’s defensive promise for cybersecurity may end up being offset by the appeal to malicious actors of attacking AI itself. Attacks on the AI systems themselves, in which adversaries poison training data or otherwise manipulate how models behave, are yet another attractive option for those interested in subverting the function of American infrastructure systems and holding critical assets at risk in order to leverage future strategic gains. The risk is especially acute for anomaly detectors trained on live telemetry: an adversary who already has a foothold in the data pipeline can shift the learned baseline slowly enough that a later real disruption falls inside the model’s notion of normal. And so, while efforts like those backed by DoE are clearly a net positive for the nation, the prospective contributions of these and other efforts must be tempered by both practical assessment of the strategic context of foreign CI attacks and the reality of extremely strong incentives for American competitors to continually look for new methods of compromise.
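The poisoning risk described above, as an added illustration that is not code from the DoE-funded projects or from any real grid operator: the telemetry below is constructed inline (nominal 60 Hz line frequency with a small repeating jitter), the detector is a deliberately simple z-score model, and the attacker is assumed, hypothetically, to be able to write readings into the training pipeline. The example shows how injected readings can widen the learned envelope without moving its mean, so that a genuine under-frequency event is no longer flagged, and how a median/MAD baseline resists the same injection.

```python
"""Training-data poisoning against a simple telemetry anomaly detector.

Added example, not code from the DoE-funded projects or any real grid
operator. The 'sensor' data are constructed inline: nominal 60 Hz line
frequency with a small repeating jitter. The detector is a deliberately
simple z-score model so the effect of poisoning is easy to see.
"""
import statistics

# Constructed clean training set: 200 readings in 59.98..60.02 Hz, mean 60.0.
CLEAN_TRAINING = [60.0 + 0.01 * ((i * 7) % 5 - 2) for i in range(200)]

# A real under-frequency event that an operator would want flagged.
UNDER_FREQUENCY_EVENT = 59.8


def fit_zscore(readings, k=3.0):
    """Mean/standard-deviation baseline: flag |x - centre| > k * scale."""
    return {"centre": statistics.fmean(readings),
            "scale": statistics.pstdev(readings),
            "k": k}


def fit_robust(readings, k=3.0):
    """Median/MAD baseline. MAD is scaled by 1.4826 so it estimates sigma
    for Gaussian data. Median and MAD tolerate up to half the sample being
    outliers, so a minority of injected readings barely moves the envelope."""
    med = statistics.median(readings)
    mad = statistics.median(abs(x - med) for x in readings)
    return {"centre": med, "scale": 1.4826 * mad, "k": k}


def is_anomalous(model, value):
    return abs(value - model["centre"]) > model["k"] * model["scale"]


def poison(readings, drift, fraction):
    """Hypothetical attacker with write access to the training pipeline
    appends readings at +/-drift around the current mean. Alternating the
    sign keeps the mean unchanged, so a naive 'did the average move?' check
    passes, while the learned spread widens enough to hide a later event."""
    mu = statistics.fmean(readings)
    n = int(len(readings) * fraction)
    injected = [mu + (drift if j % 2 == 0 else -drift) for j in range(n)]
    return readings + injected


def demo():
    """Fit on clean and on poisoned data; return whether the event is caught."""
    poisoned = poison(CLEAN_TRAINING, drift=0.3, fraction=0.2)
    return {
        "zscore_clean": is_anomalous(fit_zscore(CLEAN_TRAINING), UNDER_FREQUENCY_EVENT),
        "zscore_poisoned": is_anomalous(fit_zscore(poisoned), UNDER_FREQUENCY_EVENT),
        "robust_poisoned": is_anomalous(fit_robust(poisoned), UNDER_FREQUENCY_EVENT),
        # The mean is unchanged by this poisoning, so mean drift alone is no tell.
        "mean_shift": abs(statistics.fmean(poisoned) - statistics.fmean(CLEAN_TRAINING)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With 20% of the training set injected at ±0.3 Hz, the z-score detector’s 3σ envelope grows from roughly ±0.04 Hz to roughly ±0.37 Hz, so the 59.8 Hz event goes unflagged, while the median/MAD detector still catches it. The robust statistic is not a cure: its breakdown point is 50%, so an adversary who controls more of the training stream, or who poisons gradually across successive retraining windows, defeats it too. That is why integrity and provenance of the training telemetry, not just the choice of model, belong in the threat model for AI-assisted CI defense.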