What the Trump Administration Must Do to Protect Critical Infrastructure

By Joel Brenner, David Clark
Tuesday, March 28, 2017, 11:00 AM

The critical networks that keep America’s lights on, our communications humming, and the banks open for business are insecure, and we’ve known it for a long time. From the Stuxnet virus to Russia’s cyberattack on Ukraine’s electric grid last year, hackers have shown that they can physically disable the systems that control our power, pipelines, railway switches, financial networks, and much else.

President Trump can do something about it—but only if he’s bolder than any of his predecessors. His draft executive order on cybersecurity would be a key step forward for federal systems, but it sidesteps critical infrastructure almost entirely. About 85 percent of that infrastructure is privately owned, and its vulnerability could severely limit the President’s options in a crisis if, for example, a foreign adversary threatened to take down a major U.S. bank if the President took certain action.

The White House has been issuing ineffective directives addressing critical networks like clockwork since the ’90s. In 1998, President Bill Clinton directed that “no later than five years from today the United States shall have achieved and shall maintain the ability to protect the nation’s critical infrastructures” from cyberattacks. Nothing happened. Five years later President George W. Bush reiterated the same unmet objective. In 2013, President Obama again described the threat to infrastructure as “one of the most serious national security challenges we must confront.”

Bottom line: Over a quarter-century this nation spent billions of dollars on cybersecurity for key infrastructure, yet we are less secure than we were 30 years ago. Good work on cybersecurity is being done, but most of it involves tactical fixes to immediate problems in a never-ending round of Whac-A-Mole. For a nation that is more dependent than any other on electronic connectivity, this is a losing game. We require instead a coordinated effort to address deep weaknesses in critical systems, in how those systems are operated, and in the devices that connect to them.

To break this cycle of futility, we spent two years at MIT doing just that with leading industry, academic, and government experts. Our report, published today, focuses on four critical sectors: electricity, communications, finance, and oil-and-gas.

Our most basic conclusion is that critical networks cannot be made reasonably secure unless key elements of those networks are isolated from public networks. Digital networks are here to stay, but digital networks need not be public networks. Defining those key elements, and defining acceptable degrees of isolation, will take more directive leadership on cybersecurity than we have seen from any President. It will also take close cooperation with the private sector and significant incentives to do it. But it must be done.

The challenges are not merely technological, however. They also require a re-evaluation of the laws, regulations, and policies that govern our networks.

For example, critical infrastructure operators are clamoring for more secure hardware and software but can’t buy them. That’s because suppliers find it profitable to market cheap, general-purpose goods for multiple uses, regardless of differing security tolerances between, say, your teenager’s computer and an offshore drilling rig. The chip that merely opens and closes a valve might contain 2 million lines of code, for example. That’s dangerous. Finding malware among 2 million lines of code is extremely difficult. We know how to make simpler stuff, but no one will do it unless assured of a market. If the departments of defense, homeland security, and energy would support a market for more secure versions of commercial products, the demand would be there.

Liability for unsafe devices and tax incentives for qualified investment that increases security also need attention. We have no binding standards for the manufacture and use of insecure hardware and software, even for critical infrastructure. A private accreditation bureau, the “UL,” certifies that the cord on your toaster is safe, but there is no comparable body to certify that the controls being sold to a pipeline operator are safe and suitable for that use. Insurance carriers should support this effort. It was insurers, after all, who created the model. “UL,” or Underwriters’ Laboratory, began in 1894 to reduce fire insurance claims resulting from newfangled and often faulty electric devices.

Regulatory regimes and compliance standards also need attention. There are too many of them. A publicly traded electric utility, for example, must comply with differing and sometimes inconsistent cybersecurity standards issued by the National Institute for Science and Technology, by credit card issuers, by state and federal energy regulators, and by the SEC. This is overkill. Compliance is becoming an expensive and pointlessly complex box-checking exercise. What’s more, these standards are often poorly correlated with risk. Our report therefore recommends consolidating these many standards and aligning them with real security.

The vulnerability of the systems that power our nation is a national disgrace, but the pathway to higher ground has been charted. Let’s follow it. Whether or not the forthcoming executive order on cybersecurity addresses critical infrastructure, the Trump administration has work to do here, and the American people should expect them to do it. A nation that cannot or will not defend the networks on which its security depends is a nation waiting passively for failure.