NEW YORK — Foreign adversaries are becoming more aggressive than ever before in efforts to target U.S. critical infrastructure, but owners and operators are still failing to meet basic security needs for their systems, a panel of former national security officials and leading executives warned Wednesday at a discussion co-hosted by Qrypt, World Wide Technology and the Global Cyber Innovation Summit.
That dynamic puts the nation’s most essential services, from the power grid to water treatment plants, in an exposed position against a rising tide of nation-state hackers, cybercriminals and other groups, the experts — former NSA Director Gen. Paul Nakasone, former FBI Director Christopher Wray, American Electric Power CEO and Director Bill Fehrman and Dragos CEO Robert M. Lee — said.
“A big part of this is, frankly, firewalls and hygiene and patching,” said Fehrman, adding that if “everybody had a firewall, everybody patched on time — that eliminates 90% of the risk right there for most people.”
Over the past two years, policymakers and the cybersecurity industry have buzzed with talk of leveraging artificial intelligence to improve threat hunting and defense, but the panel warned that such a focus is premature for many critical infrastructure providers. Key infrastructure sectors are still plagued by a failure to solve more basic problems, Lee said.
Describing earlier congressional testimony, he recalled lawmakers asking about emerging tech matters like quantum computing and AI.
“I was like, ‘Congressman, I’d love to get some of the water companies a firewall,’” he said. “And I would love to be good enough to see advanced things coming from our adversaries. But right now, our infrastructure is very connected and, again, more complex than ever.”
As energy grid technology has advanced to the cloud, it has created more openings for hackers, so critical infrastructure owners and operators still “have to do the fundamentals,” he added.
“It used to be that if you talked about taking down the grid, anybody in electric power would say, ‘There’s not one grid, and you really can’t take down the entire country,’” Lee said. “But then we started having market organizers, automatic metering infrastructure, cloud, [electricity management] systems and we said, ‘Oh, well, actually, maybe.’”
The fundamentals that critical infrastructure operators need to get a handle on can include methods like authentication technologies, which double-check whether a user is masquerading as someone else when trying to access a system. Stronger authentication standards should be part of a broader plan to make U.S. networks “much more toxic” to foreign adversaries, Nakasone said.
“Toxic in the sense of [having] higher standards in terms of what compliance is going to look like in key industries,” he said. “We need to have an ability for authentication to have some meaning. We need to have a series of different sharing agreements that allow the private and public sector to be much more effective — anything that we can do that just makes it much more difficult to operate in the United States.”
Over the past five years, officials and industry have drawn closer together in information-sharing partnerships, though that rate of collaboration needs to increase, said Wray — who, in his government service, spent significant time working with both the private sector and intelligence agencies to stop hackers.
That especially goes for smaller, downstream providers like rural electric cooperatives, he said.
“[Collaboration] has to happen a lot more at scale and a heck of a lot more quickly, because … for every big, sophisticated company that absolutely gets it, there are countless other companies — smaller companies — that are suppliers, third-party investors, et cetera … who don’t get it. And so we need it at scale more,” said Wray.
Held in the One World Trade Center, a building that stands as a symbol of defiance against a catastrophic physical attack, the discussion served as a stark warning about a less visible but still potent societal threat. The U.S. has proven it can rebuild after physical destruction, though the digital security of many of its most critical services has been neglected, creating vulnerabilities that foreign adversaries could now exploit.
“So we are now in a world where you have homogenous infrastructure that’s massively connected at a time that is more complex and automated than ever before. And you have adversaries willing to create capabilities that are indiscriminate,” said Lee.
“You add those things up, and we’re rapidly facing a world where we have to have a really good understanding of what execution is necessary, and get it done fast,” he added. “We don’t have another ten years to have conferences like this.”