The United States has long faced extraordinary levels of threats from cyberattacks targeting critical infrastructure. FBI Director Christopher Wray has so frequently and consistently sounded alarms about the dangers posed to electrical grids, water treatment facilities, and more that the warnings have become background noise.
Last week, for at least the second time, the warnings proved prescient, and Americans suffered because of a cyberattack against our critical infrastructure. One of the country’s largest prescription processors took its systems offline due to a cyberattack, forcing pharmacies to use manual procedures, causing long wait times or no service for a customer base that spans the globe, given that the impact included U.S. military clinics.
We have moved from theoretical attacks on our critical infrastructure to actual attacks with immediate and severe impacts on everyday life. Echoing the disruption seen during the Colonial Pipeline cyberattack in 2021, last week’s attack is a harbinger of things to come. China and our other digital adversaries are no longer just stealing valuable intellectual property; they are prepositioning their cyber bombs across our critical infrastructure to attack at a time and place of their choosing. But because these attacks happen in cyberspace, the battlefield is less tangible, and nation-state attacks blend in with service outages like AT&T’s, which turned out to be a software update gone awry and not a cyberattack.
With all the attention given to cyber, Americans might think we are well-defended and prepared; this is, after all, critical infrastructure. We could have been well-defended and prepared. The publicly available National Infrastructure Protection Plan is dated 2013, and the sector-specific plans for each of the 16 critical infrastructure sectors are all eight or more years out of date. The most mature of all industries in terms of a public-private partnership and enforced mandatory minimum cybersecurity requirements, the Defense Industrial Base, last published an updated plan in 2010.
The need for a robust defense mechanism is straightforward. Still, the urgency needs to be improved despite a joint statement by the Five Eyes intelligence chiefs emphasizing the global scale of the issue, stressing the need for international cooperation and public-private partnerships that safeguard critical infrastructure.
In Munich, Homeland Security Secretary Alejandro Mayorkas advocated for an approach whereby government works directly with the private sector to establish minimum requirements for cybersecurity, making it clear that regulation is inevitable, but industry has been invited to take its seat at the table as part of a thoughtful public-private partnership.
With the vast majority of U.S. infrastructure privately owned and varying widely in cyber defense capabilities, a regulated approach to cybersecurity is not just advisable but essential for national security.
Secretary Mayorkas advises that the mandatory baseline cybersecurity requirements align with existing frameworks published by the National Institute for Standards and Technology, Cybersecurity and Infrastructure Security Agency, and others. There is no need to reinvent the wheel.
We know what to do–and it’s time to do it.
Eric Noonan is the founder and CEO of CyberSheath.
More must-read commentary published by Fortune:
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.
Source link
