The greatest cyber risks to U.S. national security involve about a third of the country’s 16 critical infrastructure sectors, according to an FBI official.
The bureau’s cybersecurity outreach program for critical infrastructure is focused on six sectors – banking and finance, energy, transportation, information technology, communications and public health – the program’s leader, Stacy Stevens, said during a June 9 public meeting of cybersecurity professionals organized by the Department of Homeland Security in Cambridge, MA.
The FBI official's comments, as well as documents obtained by Inside Cybersecurity under the Freedom of Information Act, shed new light on how U.S. authorities view cyber risks in industry, a subject shrouded in secrecy that some argue is excessive. An Obama administration adviser, Richard Danzig, last year urged greater disclosure of cyber risks facing various sectors in the interest of enabling better policymaking.
Stevens told Inside Cybersecurity that the FBI and DHS have a shared understanding of which sectors are associated with the greatest cyber-related national security risks. This hierarchy enables the FBI cybersecurity outreach unit to prioritize its resources. The unit has focused on banking and finance, energy, transportation, information technology and communications since it was established in 2013 and added public health to the list more recently, she said.
President Obama has repeatedly urged improvements in cybersecurity for critical infrastructure, including in an executive order issued in 2013. Obama’s speech at the White House cybersecurity summit in February mentioned most of the sectors cited by Stevens.
“Much of our critical infrastructure -- our financial systems, our power grid, health systems -- run on networks connected to the Internet, which is hugely empowering but also dangerous, and creates new points of vulnerability that we didn’t have before,” Obama said. “Foreign governments and criminals are probing these systems every single day. We only have to think of real-life examples -- an air traffic control system going down and disrupting flights, or blackouts that plunge cities into darkness -- to imagine what a set of systematic cyber attacks might do.”
But DHS has been tight-lipped about which infrastructure sectors and assets face the most significant cyber risks. In response to Obama’s 2013 executive order, the agency produced an unclassified “for official use only” report in July 2013 to identify critical infrastructure where a cybersecurity incident could cause “catastrophic” regional or national damage to public health or safety, economic security or national security.
Inside Cybersecurity obtained a redacted version of the report through the Freedom of Information Act. It omits the names of the specific sectors and infrastructure deemed most vulnerable, but reveals that a DHS working group identified “61 entities in five critical infrastructure sectors where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”
The DHS study also identified “13 sectors, subsectors, or modes, where a cybersecurity incident on a single entity would not be expected to result in catastrophic regional or national effects.”
“A cybersecurity incident is possible in all sectors,” DHS wrote in its 2013 report, “but not all cybersecurity incidents would generate the catastrophic consequences required for consideration under [Obama’s February 2013 executive order].”
“As technology and business practices change, greater cyber dependence will likely increase the impact of potential consequences of cybersecurity incidents,” the report states, noting the agency would annually re-evaluate the list of infrastructure at greatest risk from a cybersecurity incident.
Non-catastrophic risks can still be significant. The electrical grid, finance sector, water supply, and telecommunications systems are the “big four targets” of cyber attacks intended to have a distinct and immediate impact, Richard Bejtlich, chief security strategist for FireEye, recently testified before Congress. But the water sector was not on the catastrophic list in the 2013 report, according to the Environmental Protection Agency.
Increased frankness about cyber risks could enable better policymaking, according to Danzig, an adviser to the White House and a former Navy secretary from the Clinton administration. Last year, he urged DHS to publicly release more details from the July 2013 assessment of catastrophic cyber risks.
“Because industries greatly vary in their incentives and disincentives, degrees of concentration, resiliency, cyber budgets and cyber sophistication, action plans need to vary industry by industry,” he wrote in a report published by the Center for a New American Security. “They also need to be accepted, indeed championed, by relevant oversight agencies, and this oversight needs to be supported by Congress. This requires declassification of important parts of the DHS study and strong White House leadership to articulate and act on its findings.”
Without greater discussion of cyber risks, the United States cannot attain the broadly shared understanding required to develop good strategies to mitigate the risks, he argued.
Exposing more information about cyber risks could have costs, Danzig added. “It may induce excessive fear, inform opponents about America’s understanding and methods and distract the nation’s energies in internal debate,” he wrote. “All these things occurred in the United States’ confrontation with the Soviet Union and in confronting terrorism, but the United States managed to limit these costs while providing significant disclosure. The need for balance underscores the importance of making these decisions outside the intelligence community, which naturally is predisposed to classification.”
Cyber vulnerabilities in U.S. critical infrastructure are hardly unique. China, Russia and other countries thought to be responsible for significant hacking also face significant cyber risks. Danzig and others have argued the importance of leveraging that point to develop international norms of behavior in cyberspace.
Daniel Russel, the State Department’s assistant secretary for the Bureau of East Asian and Pacific Affairs, stressed the global extent of cyber vulnerabilities last week amid reports that Chinese hackers were responsible for a massive breach of the Office of Personnel Management’s information systems.
“And so protecting cyberspace, protecting Internet and communications technology, protecting the integrity of the cyber system is critically important not only to U.S. businesses, but to the Chinese economy,” Russel said. “So we each have an important interest. That means that there is a need for dialogue. It means that there is a need for real transparency between us. And it means that there’s a need for cooperation. So we’re both vulnerable.” – Christopher J. Castelli (email@example.com)