The United States’ critical infrastructure remains dangerously exposed to cyberattacks, experts warned at the Billington CyberSecurity Summit, stressing that government and private industry must deepen collaboration to meet the growing cyber threats.
Tom Fanning – the retired chairman, president, and CEO of Southern Company, who also served on the Cyberspace Solarium Commission – noted that roughly 85% or more of America’s critical infrastructure is privately owned.
“We have a great, big gaping hole,” Fanning said during a Sept. 11 panel, explaining that the hole is “this kind of cross-sector collaboration” when it comes to critical infrastructure.
“The notion of reimagining national security with the collaboration of the private sector with government, that is what needs to be advanced in order to make America safe,” Fanning said.
Similarly, Felipe Fernandez, the chief technology officer (CTO) at Fortinet Federal, explained that “there’s not just a technology problem,” but there’s also a human incentive problem.
“Organizations need to know they should share as soon as possible, as soon as things are detected,” Fernandez said. “There isn’t this time to waste or consider the ramifications for your organization’s reputation. There are greater ramifications for the community, human lives in certain cases, particularly in the case of critical infrastructure.”
Fernandez stressed that the federal government needs to improve the efficiency and speed at which it shares resources with the private sector. That way, he said, when the federal government is engaged in incident response, “It’s quick, it’s fast, you know who’s in charge.”
Nevertheless, the CTO said that there is some room for optimism in the critical infrastructure space going forward.
“I am optimistic that some of the policies that have been introduced and initiatives such as the reconciliation bill afford budgeting for cyber in the critical infrastructure space, not just modernization to the capabilities of critical infrastructure, the infrastructure itself, but also the cyber capabilities that should come along with it,” Fernandez said.
“The AI Action Plan also addresses critical infrastructure, so to see guidance … in that regard is very promising as well,” he added. “And as a vendor who’s introducing AI to our technologies to help these sectors protect these assets, we think there’s a bright future, although there are some holes in the current space.”
Additionally, some of the experts pointed to passing the reauthorization of the soon-to-expire Cybersecurity Information Sharing Act of 2015 (CISA 2015) as another potential bright spot in the cybersecurity space.
The 2015 law put in place a legal framework for the government and private sector to share cybersecurity threat data. The law has since then been hailed as foundational to improving U.S. cybersecurity.
“Reauthorizing CISA 2015, the Cybersecurity Information Sharing Act – we cannot be sent back a decade – that is essential … and then getting operational collaboration,” said Frank Cillufo, the director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University. Cillufo also served with Fanning on the Cyberspace Solarium Commission.