With critical infrastructure emerging as a major concern for the U.S. government, cybersecurity efforts must account for critical infrastructure’s interdependent and connected nature, and make sure to address the linkages between industries, said experts from the private and public sector at a Wednesday event hosted by the Atlantic Council.
“It’s National Cybersecurity month, and I know you all know that next month is Critical Infrastructure and Resiliency month, right,” joked Suzanne Spaulding, senior advisor at the Center for Strategic and International Studies and former under secretary for the National Protection and Programs Directorate (NPPD) within the Department of Homeland Security (DHS). She noted how the current National Cybersecurity Strategy builds off the work of previous administrations in protecting critical infrastructure, with adjustments that make sense.
“DHS is very explicitly talking about creating a list of key national critical functions, understanding that what we care about is not the computers or the IT networks. It’s what they enable, the functions that are dependent upon those systems and networks. And that’s a critically important insight,” said Spaulding.
Spaulding said that listing those national critical functions goes a step further than naming industries as critical infrastructure.
“This strategy talks about some key sectors within the 16 critical infrastructure sectors. They’re all important, but they’re not all equally important when you start looking at national critical functions. It calls out a handful of those sectors as being particularly important, and I think that’s valuable,” she said.
She called on DHS to institutionalize the focus on these sectors and bring them together in a key infrastructure executive committee, something recommended by the National Infrastructure Advisory Council. “These infrastructures are critically interdependent, in ways that are not always immediately obvious,” Spaulding added.
“This isn’t a reinvention or reconceptualization of the 16-sector model. It’s looking across those to find where they’re interdependent and where they overlap,” said John Costello, director of strategy, policy, and plans at NPPD.
“We’re dealing with an environment where critical infrastructure is growing more and more interdependent, even between entities and across sectors,” Costello said. “One of the challenges of that is, where does your risk end? In a networked environment, it doesn’t stop at your walls or your enterprise. You are inheriting risk, and you are passing risk on.”
Costello emphasized the role that DHS’s National Risk Management Center plays in bringing critical infrastructure leaders together to discuss and act on their shared risk.
“When you look at what the NRMC is going to do, you have to ask yourself, what does that look like in practice, and how do you implement that? How do you take a cross-sector approach and take it from a risk assessment all the way down to a risk management activity, especially cross-sector?” he asked, adding that NRMC’s answer would be to understand interdependencies by bringing the private sector together, and planning for potential incidents based on that information.
“The ability to work across sectors and across many different stakeholders, and understand what their collective risk is around a certain function, and then bring everyone to the table and say, ‘How are we going to plan together to manage and reduce this risk?’ is essentially what the National Risk Management Center is intended to do, and it is a cornerstone in how we are looking at managing national risk, regardless of what the hazard is,” said Costello.