Protecting critical infrastructure is an imperative for any government grappling to integrate resilient cybersecurity measures into the assets, systems, and networks that are vital for a nation’s national, economic, and public health and safety security.  The 16 sectors identified by the Department of Homeland Security (DHS) reflect the industries that are essential to sustaining the country’s wellbeing. The United States has developed several strategies and roadmaps during different presidential administrations to address critical infrastructure security to include but not limited to: Executive Order 14028 on Improving the Nation’s Cybersecurity, a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, a National Infrastructure Protection Plan, Presidential Policy Directive 21, and NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The most current effort to safeguard these infrastructures is in Congress where a bill seeks to amend the annual defense policy legislation that incorporates cyber security for the nation’s “most vital infrastructure.”  It is clear that the highest levels of government acknowledge the need to ensure that these vital sectors do not suffer a catastrophic or debilitating cyber attack.

There has been a long-held assumption that as much as 85 percent of the United States’ critical infrastructure is owned and operated by the private sector, although there is some indication that the percentage may be higher.  One recent articleraises the question if the continued interconnectivity of the digitized world doesn’t exponentially expand the space that is produced and incorporated into existing infrastructure. We have been living so long under the pretense that this notional 85 percent is a static number that it has failed to keep up with the dynamism that is the cyber landscape, taking into account “smart” cities and the Internet of Things.  Whether this percentage is higher than the long-maintained “85” is something that needs to be investigated properly if the United States wants to try to attempt to secure critical infrastructures with any type of measurable metric.

With 16 sectors representing the essential industries on which a public relies, and these industries’ roles in driving economic and national security interests, securing critical infrastructure is more than a challenge, it’s a near impossibility. Collectively, these critical infrastructures affect every part of public and private society to some extent, a reality further complicated by the degree of interconnectivity these sectors not only have on the public, but also on one another as well. As the old adage says, “if everything is important, then nothing is important,” and this is true as there are not enough financial, material, and human resources to dedicate into fully securing every one of these sectors. Therefore, the sheer expanse of the space demands that they be prioritized, as all 16 sectors cannot be viewed as being equal in importance.

The National Critical Infrastructure Prioritization Program (NCIPP) was designed to help with this by informing sector ranking based on the potential consequences should they be destroyed or disrupted to catastrophic degree. By categorizing critical infrastructure into Levels 1 and 2, DHS has tried to inform protection plans to aid mitigation efforts.  The program’s list is used to inform the awarding of preparedness grants to states. But it’s evident that this hasn’t worked thus far, and with little indication that it will in the future, especially as the cyber threat landscape continues to evolve.  In March 2022, several DHS officials and infrastructure stakeholders questioned the NCIPPs “relevance and usefulness” in a Government Accountability Office (GAO) report stating that the NCIPP failed to address the more pertinent infrastructure attacks, notably, cyber attacks.  One pertinent finding from the report was that infrastructure stakeholders did not recognize how DHS’ 2019 National Critical Functions applied to infrastructure prioritization or where their organizations fell within the larger framework.  Among its six recommendations, GAO listed cited improvement in the prioritization process as the priority number one.

Is there a different way to approach prioritization?  When thinking about critical infrastructure, there is a tendency to view it through a triad prism: public security, economic security, and national security.  From a cyber perspective, prioritization focus is directly tied to the potential impacts of cyber attacks on these areas and the sectors that support them. From this standpoint, the more adverse the impact that would cause regional or national catastrophic effects, the higher that sector ranks. Arguments can be made for why a cyber attack landing a devastating blow to any of the 16 critical infrastructures is “very important” deserving of top priority focus, depending on what part of the triad prism through which you are viewing.  Complicating and exacerbating matters are the inherent dependencies all of these critical infrastructures have on one another.  Oil and gas impact transportation and energy; utilities impact energy; telecommunications impact utilities; transportation impacts food and agriculture; critical manufacturing impacts nearly all; and so forth.

So, instead of trying to rank the infrastructures, perhaps a better way forward is to prioritize the triad, as determining catastrophic effects is not a one-size-fits-all prospective, as what’s catastrophic to one of the triad (e.g., public safety) is not equal to another (e.g., economic security).  The contamination of a water supply that directly impacts the public good is not on par with a temporary halt of transportation or a temporary shut-down of some of the government. And this is where the federal or even a state government must fundamentally make its toughest decision.  As one former Israeli intelligence official stated, “not every organization is equally critical,” and this is inherently true.  The toughest job any government must do is to determine which of the critical infrastructures it’s best positioned and resourced to defend. Arguably, the protection of citizens is any government’s number one responsibility, and as such, those infrastructure sectors that directly affect the day-to-day well-being of a civilian population (e.g., water, food and agriculture, energy) should naturally rise to the forefront of concern over other industries like commercial facilities or the defense industrial base.

For those critical infrastructures not under government purview, it’s incumbent on the private sector to bear the responsibility, and this may be best led at the state level.  Here is where Estonia’s Cyber Defense League provides a good example of what can be implemented.  The CDL is a state-sponsored, citizen-led program that promotes cybersecurity in peacetime.  Funded by critical infrastructure organizations in their respective states, similar CDLs can be established to provide cybersecurity support to critical infrastructure assets, as well as mitigating and remediating threats before they escalate to regional or national emergencies.  Furthermore, these CDLs can feed information to DHS, providing it with a holistic look of cyber threats facing critical infrastructure in the United States.  What’s more, these state-level CDLs would be better positioned to work across state boundaries with their counterparts to better address interdependency problem across critical infrastructure stakeholders, regardless of sector.

This is by no means an infallible solution, but if the definition of crazy is to do the same things over and over expecting a different result, then we need to start looking at the problem of critical infrastructure cybersecurity differently. By the time critical infrastructure cybersecurity roadmaps are developed and actually implemented, the cyber threat ecosystem has already evolved, making them almost obsolete.  With hostile actors increasing their operations against critical infrastructures, perhaps government responsibility needs to be narrowed and private sector stakeholder involvement needs to be enhanced and empowered, having the requisite authorities to do oversee industries and accountability when it has missed the mark.  “Cybersecurity is everyone’s responsibility” may be a cliché expression at this point, but it’s still very pertinent today.  Partnerships work best when working on a common cause and toward a common goal, divvying up areas of responsibility, and collaborating when appropriate.  It’s time that the governments and the private sector tackle this problem as true equals.

Related Reading:

Explore OODA Research and Analysis

Use OODA Loop to improve your decision making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation state conflict, non-nation state conflict, global health, international crime, supply chain and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member only video library. Explore The OODA Community