Suzanne Spaulding, a Senior Advisor for the Center for Strategic and International Studies (CSIS), and former Under Secretary for the National Protection and Programs Directorate (NPPD), Department of Homeland Security (DHS), recently testified before a joint session of the House Homeland Security Cybersecurity, Infrastructure Protection, & Innovation Subcommittee and the Transportation & Maritime Security Subcommittee.
The NPPD is the precursor to what is now CISA. Spaulding is also a member of the Cyberspace Solarium Commission (CSC) and was involved with the Commission on Cybersecurity during the Obama Administration. Testifying along with Spaulding:
- Ms. Patricia F.S. Cogswell, Strategic Advisor, Guidehouse, Former Deputy Administrator, Transportation Security Administration
- Mr. Jeffrey L. Troy, President & CEO, Aviation Information Sharing and Analysis Center, Former Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation
Excerpts from Spaulding’s Testimony
On recent DHS TSA Directives for pipeline and aviation sectors: “…planning and exercising incident response to reduce the impact of a successful hack is one of the most important, and often underappreciated, elements of managing cyber risk.”
The Need for Public/Private Partnership: “Moving forward, TSA will need to operate collaboratively with these sectors [aviation, rail, and pipeline] to ensure that the requirements and timelines drive toward actual improvements in security and resilience. No directives or regulations will achieve perfect security. This is an exercise in risk management, not risk elimination, which is why planning for incident response is so crucial. The objective should be to ensure that the relevant industries are putting in place a common baseline of measures to strengthen the security and resilience of the highest-risk assets.”
On the Cyber Threat: “Time is not on our side. The threat environment grows more dangerous with each passing day. In the recent words of one Administration official, ‘the overall environment is more aggressive; more sophisticated; and more belligerent…’”
We Cannot Rely Upon Markets Alone
A central topic of the discussion with the subcommittees was the recent directives from the DHS TSA which required voluntary compliance by various stakeholders in these sectors. Spaulding shared her perspective on the success or failure of these recent voluntary DHS regulations:
“…I have always favored voluntary, market-based solutions to cybersecurity. Markets are generally more efficient and, important for such a dynamic area as cyber, nimbler. However, over the last couple of years, I have reluctantly had to conclude that we cannot rely upon markets alone to ensure the continuity of nationally critical functions upon which the American public relies.”
Spaulding also pointed out that the Cyberspace Solarium Commission (CSC) concluded that “the market was not going to be sufficient to provide the level of security and resilience that is urgently needed for the most important elements of our infrastructure, particularly what CSC calls Systemically Important Critical Infrastructure (SICI).”
Spaulding laid out three reasons for this market failure:
- The purely voluntary approach has not gotten us where we need to be, despite decades of effort: The threat is evolving much more quickly than our defense. There is an urgency to address this risk to the American public that the market simply cannot address fast enough.
- The market has not fully addressed this challenge [due to a] paucity of information: Spaulding’s explanation is informative: “Markets need information to function effectively. For example, information about the scale, scope, and cost of inadequate cybersecurity is needed to drive a demand signal that would prompt appropriate levels of investment and balance the ‘first-to-market’ imperative. Yet, since most cyber incidents are not reported, and those that are do not provide details on costs, this information is lacking. Furthermore, such information is needed to calculate the return on investment (ROI) for security measures. Without it, security professionals often have a hard time convincing management to make needed investments.”
- Even in a perfect market, there are external impacts on society and the nation from inadequate cybersecurity, particularly in assets that control essential functions: Such impacts “will not be captured in a businesses’ bottom line or ROI. Externalities have long justified regulation and mandates, such as with pollution and highway safety. In the case of pipelines, rail, and aviation, the potential risks to public health and safety, as well as the potential for cascading economic consequences, calls for a government role.”
Recommendations
In her testimony, Spaulding reinforced recommendations made by the CSC, including:
Providing better market incentives to improve the cybersecurity behavior of firms: Mandatory reporting of relevant cyber incidents can fill critical information gaps, particularly if paired with the establishment of a Bureau of Cyber Statistics. Bolstering the capabilities of cyber insurance underwriters can help that industry play the role it does in other risk categories to encourage appropriate investments in security and safety.
More government-sponsored security testing of critical technologies and applications—like industrial control systems—can help firms understand the security characteristics of the devices they deploy. In addition to nudging firms in the sector toward better cybersecurity behavior, the Federal government can do more to help these firms make better purchasing decisions regarding the security of the products and services they deploy as part of their business. The CSC recommended the creation of government-sponsored critical technology security centers at places like federally-funded research and development centers or national labs to fill this gap. Similarly, a clearer ecosystem of cybersecurity product certifications would allow procurement specialists at critical firms in the sector to more easily price security into their purchasing decisions and manage their supply chain risk.
Creation of a robust and transparent methodology for identifying SICI: The CSC recommended building a closer relationship between SICI firms and the Federal government through a suite of benefits—like improved intelligence sharing and operational support—but also burdens—like requirements for security behavior and enhanced incident reporting.
Further Resources
CSIS Posting on Suzanne Spaulding’s Testimony: Transportation Cybersecurity: Protecting Planes, Trains, and Pipelines from Cyber Threats | Center for Strategic and International Studies
For more on the subcommittee testimony, see Transportation Cybersecurity: Protecting Planes, Trains, and Pipelines from Cyber Threats (house.gov)
Spaulding statement: Spaulding_Testimony.pdf