Top officials with prominent providers of technology services to the Federal government welcomed the Biden administration’s April 30 national security memorandum (NSM) that aims to better protect U.S. critical infrastructure sectors, and said that success of that effort will depend on robust collaboration with the private sector and renewed efforts to modernize IT systems and protect them with tried-and-true cybersecurity strategies.
The White House’s new NSM comes amid an increasing flurry of warnings this year from Federal government officials about threats to U.S. critical infrastructure from nation-state adversaries who officials say are penetrating the networks of infrastructure providers in preparation for possibly bringing them down in the future.
Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly put it this way at an April 30 House appropriations hearing: “As we look at the threats to our nation, none is more serious than Chinese cyber actors that are burrowing deep into our critical infrastructure to prepare to launch disruptive and destructive attacks in the event of a major conflict.”
The White House’s NSM aims to better protect critical infrastructure sectors by enlisting U.S. intelligence agencies to ramp up their sharing of threat data across multiple levels of government and with private-sector critical infrastructure providers. The NSM also places renewed emphasis on creating “minimum security and resilience requirements within and across” critical infrastructure sectors.
While the NSM does not prescribe any particular steps for individual sectors, its language does hint at more specific directives to com, citing the “limits of a voluntary approach to risk management in the current threat environment.”
Top security officials from Hitachi Vantara Federal, Zscaler, and Illumio told MeriTalk that the new NSM is sorely needed to meet the rising level of threats, and that a key factor in executing on the aims of the new NSM lies in effective collaboration with private sector firms that can supply the services and expertise necessary to get the job done.
“It is crucial that public and private sectors collaborate to develop solutions that harmonize security, resilience, and sustainability objectives to ensure the infrastructure the American people rely on is protected from current and future threats,” said Gary Hix, chief technology officer at Hitachi Vantara Federal.
“As state-sponsored threat groups continue to ramp up threat activity against U.S. critical infrastructure, the White House’s New National Security Memorandum (NSM) on Critical Infrastructure comes at a crucial time,” said Gary Barlet, Federal field CTO at Illumio.
“Historically, critical infrastructure organizations have faced mounting challenges in addressing these threats, largely due to a lack of visibility, outdated technologies, unknown vulnerabilities, and resource constraints,” he said. “Nevertheless, safeguarding the nation’s critical infrastructure is imperative, and having guidelines, such as the ones outlined in the NSM, will allow organizations to further understand their vulnerabilities and guard valuable information against threat groups.”
“With the revelations of nation-state hackers targeting U.S. critical infrastructure, we are at a crucial juncture, where complacency will lead to catastrophic events,” said Hansang Bae, public sector CTO at Zscaler.
“Acknowledging the scope and severity of this threat, the Administration’s National Security Memorandum on Critical Infrastructure builds on the momentum of the National Cybersecurity Strategy to further protect our national security, public safety and economic prosperity tied to the critical infrastructure sectors,” Bae said.
The Zscaler official said that Federal government agencies need to “serve as role models for secure and resilient systems,” adding, “this means increasing the speed of digital modernization to reduce reliance on vulnerable legacy technology, like VPNs, as well as implementing zero trust architecture as the first line of defense.”
“It also means collaborating with the public and private sectors, and applying lessons learned along with a whole-of-government approach, at local, state and federal levels to protect these vital sectors,” Bae said. “All levels of government need to be engaged as critical infrastructure is intertwined with no clear boundaries.”
As critical infrastructure providers rise to meet the increased level of threats, Barlet urged a recommitment to the “small, yet meaningful tasks … when it comes to implementing a plan in place to prevent attacks on critical infrastructure from turning into disasters.”
“One approach is an ‘assume breach’ mindset, which focuses on proactively having solutions in place to minimize the impact of an attack when it inevitably occurs,” he said. “Zero Trust Segmentation (i.e., microsegmentation) is another effective step, focusing on containing threats when they break in, stopping them from traversing across networks or devices, and quickly minimizing operational risk.”
“Lastly, enhancing cyber hygiene – a commonly overlooked approach – is crucial,” Barlet said. “Practicing regular device updates, engaging in phishing awareness training, and recognizing potential threats are all integral components of maintaining robust cyber hygiene across all available resources. Leveraging available resources and promptly reporting incidents, as directed in CIRCIA, is also a vital step to take.”
Hix also pointed to the NSM’s focus on vulnerabilities that infrastructure providers face from other severe threats outside of the cybersecurity realm, saying that it “rightly recognizes the growing threat of natural hazards to our critical infrastructure.”
“It is encouraging to see sustainability prioritized as a core component of cyber resilience,” he continued. “Resilient systems that leverage energy-efficient technologies, renewable power sources, and environmentally conscious designs can not only withstand disruptions caused by natural disasters, supply chain shocks, and other instability but also reduce emissions and environmental impact.”
“Integrating sustainable practices from the ground up can future-proof our most essential assets against the compounding risks of natural disasters,” Hix said.
