Listen: Next in Tech | Ep. 176: Challenges in Critical Infrastructure Security

View Full Transcript

Presenters

ATTENDEES

Eric Hanselman

Josh Cornman

Rob Knake

Presentation

Eric Hanselman

Welcome to Next in Tech, an S&P Global Market Intelligence podcast where the world of emerging tech lives. I'm your host, Eric Hanselman, Chief Analyst for Technology, Media and Telecom at S&P Global Market Intelligence. And today, we're going to be talking about cybersecurity concerns around critical infrastructure. And joining me to discuss it are Josh Cornman, the Founder of I Am The Cavalry and the CyberMed Summit; and Rob Knake, cybersecurity expert and a former Federal Cybersecurity Official. Welcome to the podcast.

Josh Cornman

Good to be here.

Rob Knake

Glad to be here, Eric.

Eric Hanselman

And next I'll also point out, Josh, you're kind of boomeranging as a 451 Research Director. So great to have you back.

Josh Cornman

That's right.

Eric Hanselman

So this is for our listeners. This is actually something that Josh and Rob had put together, well, the latest iteration of this conversation was something that happened on at the RSA Conference at the America's Growth Capital parallel conferences going on out there. And there were so many interesting parts to this that it was clear that some might definitely wanted to get down in the podcast and pull it out. I guess just to start, and lay it out a little bit of some of the concerns that both of you were expressing and really what you were getting at in the talk and some of the issues that were raised.

Josh Cornman

Why don't I kick off. 11 years ago almost, I started a nonprofit group of hackers trying to save lives through security research. The idea is that cavalry isn't coming to save us. It falls to us to be a voice of reason, helping hand, wherever bits and bites, meat, flesh and blood. And my general argument was that we're putting software and connectivity into cyber physical systems like our cars, our medical devices, our power plant, our high-speed rail. And I was worried about that. We can't protect credit cards or websites, why can we protect life safety devices?

So we try to be a voice of reason and a helping hand to raise the alarm without being alarmist. And we help have material impact in growth and progress on things like medical device regulations and whatnot. And over time, we started to see some of that harm manifest, but it's largely been within the bounds of acceptable disruption, financial losses, et cetera, during the pandemic that changed and we started to see the first provable losses of life from ransom disruptions in hospitals.

As you know, degraded delayed care from any cause affects outcomes for heart rate and pulmonary time-sensitive conditions and cyber disruptions can introduce delays sufficient to contribute to loss of life. So when people start dying, there's political will. Because of that trust we've built, I got to serve on a Congressional Task Force for Health Care Industry Cybersecurity in 2016 and '17, where we said getting pretty serious. After the pandemic, we can prove loss of life, and it's gotten pretty serious.

But then if you really look across Maslow's hierarchy of needs, you've got things like water, food supply, electrical, oil and gas, schools, municipalities, the functioning government and timely access to patient care and all of them have been disrupted by criminals. And I went to Rob after the CISA COVID Task Force work I did to identify buy down risk for hospitals and vaccine supply chains, the newest federal agency. And we kind of showed in a bipartisan bicameral way that things are getting serious for the impact on critical infrastructure.

We have a lot of target-rich, cyber-poor owners and operators, where they attracted to adversaries, but not nearly prepared enough. And too much of the burden is placed on the shoulders of these less equipped, less trained, less funded victims. And Rob showed some significant leadership in the newly minted Office of the National Cyber Director for President Biden's National Cybersecurity Strategy.

And there's some pretty bold stuff in there that has been laid out, and marked only down, but we didn't have public support, and we haven't done a good job informing influencing and inspiring the public. And heading into RSA, we said, "Hey, things are getting pretty serious." Maybe it's time that we did. And we can't just look at this as private sector, for-profit local optimums even though we're talking to venture capitalists and PEs or private equity firms in the room, but everyone there still needs health care, they still need water.

And I guess the nudge for me was all 4 cyber leaders in the U.S. went to Congress in an unclassified setting in January and said, "Hey, the Chinese have been prepositioning and laying cyber compromise in U.S. critical infrastructure on U.S. soil in case they take Taiwan or have advancements in 2027 and it could rain chaos if we get involved." So whether it's a deterrent or part of a hybrid plan, I realized at the current course and speed, we're not going to be resilient and prepared enough if we don't take it more seriously.

So Rob and I went to the RSA week and said, "Let's point out how serious it's getting, how serious we need to get and see what the art of the possible is to identify buy down risk within the next 2.5 years." Not to be alarmist, but to make sure no one gets flat-footed and surprise when there's things we could do.

Eric Hanselman

Raising awareness in an environment where, especially like in the critical infrastructure side, we're seeing more awareness on the governmental aspect. Now you take a look at some of the recent activity that's taking place. We're getting better, but we've got to extend that to a point at which we get both public funding as well as public impetus to actually move this forward. Although, Rob, that's something that you've got experience working on. And actually, in some interesting form, all 3 of us happen to be New Englanders in some form or fashion. And you've actually got some background in some regional efforts.

Rob Knake

So I started my career up in New England, working in Boston during graduate school and after graduate school, working with Boston Emergency Medical Services in 2004 as they were planning a response to a terrorism activity at the Democratic National Convention that year, which is the first convention that was held after the terrorism attack of 9/11.

So what I did there was really an effort to bring the Boston region medical community together in the event that there was a catastrophic attack to develop a plan that the secret service sponsored and Boston EMS was responsible for to say, okay, how would be in the event of a bomb and chemical attack and biological attack, very -- mass shooter events, really dire potential scenarios that were on the table. How would we respond? And how will we get this whole private sector community working with this whole government community and be able to respond in a timely manner to save lives, reduce morbidity, reduce mortality?

And we put that plan together, thank God, DNC is quiet that night. I got to wander around the convention floor and listen to Barack Obama, give his famous speech. That was a great moment for me. Nothing bad happens. But fast forward a couple of weeks, depending on how old you are and what kind of music you like, you may know about a band called Dispatch, which is like one of the most popular bands that never sign a record label. New England-based on Middlebury College. They did one of their, I guess, their first farewell show at the Hatch Shell in Boston right on the river. 100,000 people showed up, it was hot, there was broken glass, turning to a literal mass casualty event, police were there, there was tear gas and the entire Boston Medical community responded to that, right?

Nobody died the literal mass casualty event just 2 weeks after the DNC and it showed, hey, we can really come together. We can really handle this. We can get all the private and public ambulance schools to work together. That kind of planning, that kind of effort and that kind of willingness by private sector entities put aside their profit margins to cancel all the surgeries of the day that aren't required and the response is exactly what we saw when the marathon bombing has happened. That was that kind of plan on bringing together with the community that I think don't quite have in cybersecurity to respond to the kind of threats that Josh introduced.

Eric Hanselman

Well, we've certainly identified what the problems are, but the difficulty is how do you get all of these private sector actors to be able to participate and to be able, as you identified, to put aside some of those pieces that their priorities and work in a coordinated fashion, not always simpler when we think about what that coordination got to look like.

Josh Cornman

So I got to emergency fed during the pandemic at CISA, the Cybersecurity and Infrastructure Security Agency 18 months in the seat, and we have 6,000 hospitals under a record high ransom attack then we realized this could also hit the vaccine supply chains. So I was often told, "Well, why aren't these organizations just doing best practices? Why aren't they just doing the necessary security risk framework? Why aren't they just doing Zero Trust?" And I said, "Guys, screw best practices." Like what are the bad practices? We have to meet them where they are, identify and buy down risk. We need some pragmatism here. We don't have 3 years. We have 3 months to make sure these targets are hardened or people die.

And it wasn't that I was throwing away all the great stuff we do in cybersecurity. It's that, unfortunately, 85% or so of the owners and operators of U.S. critical infrastructure are what I call target rich but cyber poor and they have either insufficient knowledge, insufficient motivations, incentives or insufficient resources in most cases. This is when you need the classic living below the security poverty line.

Eric Hanselman

Now I was about to bring that up because you've got that challenge of what is that minimum level and yet we've got so many of those organizations that are well below that line.

Josh Cornman

Yes. And people can debate each of these individual circumstances, but just scan your recent memory, there were water hacks where the password was 1111, post to the Internet, no hacking required, right? And what if you could shut off U.S. water facilities on mass across these or not just worse, not shut them off, but maybe dangerously high pressure levels where there's physical damage that would take either too long to repair. We don't have enough replacement parts and technicians.

We had the oil and gas pipelines disrupted on the Eastern Seaboard for a significant amount of time. They didn't even hack the cyber physical systems but for a private good was placed at a higher premium than the public good and what was right for billing was wrong for the Eastern Seaboard.

Other cases, we could go through at infinite item, but we had JBS' meat supply is a concentration of risk were way too much of the Western Hemisphere food goes through in one place and a disruption has a pronounced impact but we had 750 or so ransom attacks of U.S. hospitals in a single year with delayed degraded care, not recovered in 7 to 10 days, but often 7 to 10 weeks. And even though this was happening, and we started to see political will pass things in a law like the PATCH Act, which is mandatory minimum cybersecurity hygiene for medical devices, cleared both the House and the Senate, got signed into law.

There's no minimum hygiene for hospitals. There's no minimum hygiene for water and waste water. There's no minimum hygiene for several of these. And to their credit, the newest part of the White House, the Office of the National Cyber Director for where Rob was a huge leadership voice realized how things have gotten and tried to say we need to rebalance that public-private partnership or the accountability and shared responsibility.

Eric Hanselman

So that gets the point of how do we start to get to a situation where we can show a path forward? The challenge so often is what are those first steps that we talk about, the level of capability that most critical infrastructure facilities have, moving them out of where they are into a better posture is not a simple set of steps. Is that something that -- I mean regulations alone aren't going to be able to get them there. Yes, this is something where there's got to be significantly where mobilization or in order to make that other paths to be able to make that move forward.

Rob Knake

Yes. Well, I think the big one that for the first time in a national cyber strategy, we actually put down on paper is to say, we need to regulate and we will regulate the Biden administration, all instruments of its regulatory power to expand cybersecurity regulation where regulations not exist or are currently insufficient, to encourage independent regulators to take similar action and for congress to act can be a tough sell, particularly when you have a Republican-controlled congress.

But at the same time and going back to the Colonial Pipeline incident that Josh referenced, right? We saw the sort of remarkable moment when after Colonial Pipeline happened, and it was very clear that the voluntary approach that we had taken with the pipeline industry wasn't working, Deputy Mayorkas at DHS said, "Guess what, I have the power, TSA gets to regulate pipeline cybersecurity and they drop regulation." And they did it almost immediately.

And there was a lot of pushback from industry, not on you shouldn't regulate, but we don't think you're regulating well. We don't think these rules apply to us and there was a year-long period to kind of get that right. But there's almost not a peak in terms of opposition to actually regulate. It was just so abundantly clear at that point. Obviously, this needed to be regulated because there were people in New Jersey lining up like there was a gas shortage.

Eric Hanselman

Well, because there was a gas shortage. I wonder is how do we expand that more broadly, because when we get to municipality is, again, you look at most of the water infrastructure, maybe if we move things forward from a medical perspective, energy infrastructure, but municipalities seem like that's a much tougher.

Josh Cornman

I'll start with this. I mean I thought the President's strategy is fantastic. There are 5 pillars. Rob, specifically referring to maybe number one and three. Number one, put the crosshairs for the first time on critical infrastructure instead of federal networks? And number three was we have to play with the incentives, the carrots and sticks even introducing concepts like maybe it's time to look at actual liability in software and IT and let's use regulatory authority a light touch, no lighter than required.

And one of those light touches was to be pragmatic. White House had really like [ my CISA.gov ] bad practices, which were 3 things you should never do, the whole idea of crawl, walk, run. And then this cybersecurity framework has been voluntary for like 11, 12 years and most of the reports show that people have volunteered to completely ignore it. So they task through presidential memory and, well, when it's left up to their choice.

I don't like having big government typically voluntary alone, though, to Rob's point, only takes you so far. So the President asked CISA through a Presidential memorandum #5, I think, 12 or something, can you come up with some common baseline cross-sector minimum cybersecurity controls that could be layered upon? So what's the crawl stage of that missed cybersecurity framework with over 100 controls.

They came up with about 38 and the general conceit is, hey, each of you 16 sectors, of course, you're beautiful, unique snowflakes. But you know what you have in common, a melting point, right? So everybody should start with things like asset inventory. You can't defend what you do not know you have.

And then with the presidential strategy said, "If you're a regulator, now is the time to use your power, start with these cross-sector minimums and then layer on top your sector-specific wisdom, if finally sorted to codify the shared responsibility between, say, HHS for hospitals or an EPA for water with the horizontal investment of CISA as the cybersecurity agency for the country.

So with that, I was like, "Oh, great, we're going to finally get minimum journeys started without just do best practices and just do nothing." And the very first negative response was while the EPA, the Environmental Protection Agency put out a call that says on your annual sanitation survey for your water and wastewater site, we're not asking you to do cybersecurity. We're just asking you to inventory, which of these 38 from the CISA goals are you doing? This becomes the knowledge basis and ground truth for possible future funding and stimulus and whatnot. And the response from industry was how dare you. We're suing you.

So the brushback pitch with what private sector people are going to do and especially if it's an unfunded mandated municipal level without talent and history. That said, jumping really fast for a short podcast, part of why I brought this to AGC and RSA and asked Rob to join me and a chorus of other national security leaders is it's one thing when you think we have plenty of time and when you can just debate over what should be voluntary and what should be government-led. But the new wrinkle or at least maybe the final wrinkle for me is things are getting bad enough in health care with the Change Healthcare attack, with Ascension, with more kitchen table conversations about that just from criminal disruption.

But again, in January, the Volt Typhoon revelation is the only one declassified, but there was prior art from the NSA a year earlier called Living off the Land. But this idea that what if nation states either in preparation for a hot conflict or as part of hybrid warfare were to disrupt the soft target concurrently. And a lot of what I saw in the CISA COVID Task Force was each silo of the U.S. government was good at their silo, but where they were terrible were cross-sector cascading failures, such that maybe a disruption of a water facility, no water means no hospital.

[ Rub in ], you can't get people hydrated, you can't do laboratory tests, you can't flush toilet, you can't mop floors. So I think this era of cross-sector cascading failure with a motivated nation-state adversary. It doesn't have to be China in 2027. It might be later if you ask Dmitri Alperovitch or others. It could be flare-ups in the Middle East as we saw the Cyber Av3ngers, a hacker activist group from Iran hit U.S. water facilities in Philadelphia or Pennsylvania area. It could be Russia gets back in a corner with Ukraine, but cyber is on the table now and the whole paint color palettes of warfare.

And Rob's got some really grounded and forthright ways. We don't want to scare people, right? But there's fear, uncertainty and doubt. But when you see something like a hurricane, you got to be forthright, you got to inform people what you know and don't know. You got to influence their behavior to be as prepared as possible and take the right action in case of harm. And you need to fire them that if we work on this together, we're going to be okay.

But that inform and influence [ Inspire Trio ] has not yet been begun, and we're really focused on what we want to do or rather don't want to do instead of what we may need to do. Because the only thing worse than having some sort of mandatory minimum cyber hygiene is being without water in a community for 6 months, a year or longer.

Eric Hanselman

So Rob, in terms of some of those thoughts, what do you think are ways to approach this? How do we start moving forward?

Rob Knake

I think we mentioned regulation, but I think regulation is often seen almost from an enterprise standpoint, we hit it the right model for how do we regulate this problem with critical infrastructure, particularly when you have municipalities, nonprivate entities that are involved. I think the first thing is just to really focus on how do you focus on outcome, preventing bad incidents versus setting what the inputs are say you have to do this and you have to do that, right? And there's a couple of ways to do that, that are analogous, in other cases where we've been able to handle very difficult problems like this.

The first one is to try and get companies and critical infrastructure owners make better decisions about what they connect online. The reason that a small water municipality is going to connect their water system to the Internet, right, is to be cheaper and to be faster and to make it so they don't have to have people 24/7 monitoring systems or monitoring those systems remotely from home rather than having to be at the facility. That may not always be the best answer. If you don't have the money or the capability to secure those systems so that access is a reasonable thing to do from a national security perspective.

And so the first thing is, sometimes you don't actually want to connect things to the Internet. And you may want to set what we've done in other areas, right, just to say, look, there's a pretty high bar for this. And if you can't keep that high bar, connect to the Internet or don't actually have the ability to change controls connected to the Internet, just monitor. And so that's the kind of approach that we've taken in chemicals security. It's kind of approach that we've taken in any number of other areas. And so I would emphasize that.

Eric Hanselman

Didn't you have a great example during our chat about someone wanted to build a chemical facility in Boston or Cambridge?

Rob Knake

Yes, everything comes back to early life in Boston, I guess. Yes. I mean, so there's the chemical facility antiterrorism standards that were introduced post-9/11, where there was a very significant risk that the terrorist was going to say, okay, we crashed their airplanes into buildings, that got us catastrophic harm. Should we crash a dump truck into a chlorine plant in downtown Boston, for instance, and cause the kind of chemical release that killed people in Bhopal, India.

If we did something like that, remember, chlorine was used as a chemical weapon in World War I. We can get that sort of catastrophic impact. And so what the CFATS regulations did is, they said, "Okay, if you're going to hack a chemical plant storing large amounts of [indiscernible] in a highly populated area, you've got to protect it [indiscernible]. It's going to be more equivalent, I guess, to say, the security around a nuclear plant.

That forced companies say, "You know what, where are going to move that plant to somewhere where there's a low population and it all blow off in the wind, and you kill 6 people if you created this release, so no terrorist is going to do that or even better, we'll use an inherently safer technology, right? We will switch our technology to something else. So that really had the effect of basically eliminating this risk today in the United States. That kind of approach, I think can work in cybersecurity.

Josh Cornman

And you hear -- there's a lot of really good programs coming out of the present strategy that Rob help pen. There's a lot of decent embryonic stages coming from different agencies. In response to that strategy, they're doing an annual accountability for the implementation plan of what they've done and by when. And I think they're communicating at a level higher than we've ever seen.

It is still going slowly, though. You even see things like secure by design, secure by default from CISA, in pledges from private sector. And Eric, you might remember that its predecessors and the whole Rugged Software stuff we did a long time ago or liability even if were introduced, but these have a really long time horizon from which we're going to yield benefits.

So part of this project was if you've got 2.5 years, if you have a constraint, what could the Apollo 13 astronauts do with what they had and the time they had? What could we do during pandemic, what would Y2K could we do to identify the most critical systems to throw our [ cold ball ] engineers again. And we're really trying to use necessity is the mother of invention here. And maybe instead of slogans like secure by design, secure by default or shields up, maybe it's connections down, maybe in certain areas where the cost of wrong is just too high, maybe we should prohibit remote connectivity in less and until you can demonstrate that it can be safely done.

And we put in a workshop. All getting serious, we put some really controversial out-of-the-box ideas on the table. And maybe none of them are implementable, but we wanted to make challenge our assumptions and challenge our comfort zones and our preferences to see what we could do. And maybe to end on a positive note, most of the most actionable is, look, if you know disruptions are coming, what can you do to do drills and simulation to know in case of fire, here's your fire exit.

In case of downtime, we're good for 3 days, but maybe we start to get iffy after 7 days. So the best way to prepare for a graceful recovery is to practice what it's like to be down. And what we found is most of the people in the room have disaster recovery business continuity programs that anticipate a downtime of a week or 2 weeks, but things get really hairy afterwards.

And I like where things were headed, and I'm building upon it as we head to Vegas for Hacker Summer Camp, but we're going to try to engage the full land mass of the U.S. to challenge assumptions, play exercises, run simulations and identify where we're strongest and weakest so we can take a punch and get back up or we can fight through the pain or we can maybe harden the areas that are too fragile to encounter contact with the enemy in 2027 or beyond.

But get to that point where we've actually run the exercise so that we can build some of that understanding. So we get to a point at which at least we know what the challenges are as we try to at least walk through an implementation, not in a critical situation. But in one to hopefully we can learn. And it sounds like it comes right back to the kind of things you were doing, putting emergency medical services together. Again, giving people the idea of what could happen and allowing them to coordinate to ensure that if something does happen, at least that we know which direction we're headed towards.

Rob Knake

So I think on that, right? This is kind of what my disappointment is coming out of the strategy. Because one of the things we call for, as we said, all right, we've got really good examples of the cybersecurity community coming together over the last 15 years and responding to a specific incident, whether it's lag for a day or it's a botnet takedown.

We've done that a lot. We're good at that. But we do it incrementally, and we do it randomly. We do it when there's a driving usually force in a single company or a single individual that wants to make these things happen, sometimes with the FBI, sometimes with the secret service, sometimes at Microsoft, sometimes it's CrowdStrike.

What we don't have is any kind of persistent focused effort to make these kinds of disruptions of botnets or malware routine. And so the strategy we highlighted that. And we called out the need for creating some sort of nonprofit private sector task force organization to interface with the government and drive this forward to reduce cyber risk for everybody.

This was the model if you're familiar with the term ISAC, Information Sharing and Analysis Center. That's how the ISAC came about, right? 1998 PDD 63 says, we invite the private sector to form something called an ISAC. And they did. We got a whole bunch of them out of it. Despite some encouragement to individual organizations, we don't have anything that looks like a Disruption Task Force in the private sector a year after the strategy came out. And so that's analogous to what happened in Boston. That's not happening in cybersecurity.

Eric Hanselman

We need advanced persistent review, right?

Josh Cornman

Well, I mean, a lot of -- depending on when you grew up, Y2K was a false alarm, but it wasn't if you worked on it. It's a lot of people put a lot of work into knowing the systems that if they fail would have harm, and we put most of the effort in preparing for those. Similarly, I think part of the reason the Boston Marathon bombing, we didn't have a higher death toll is all the preparedness and proximity to world-class organizations that had done the drills and knew what to do. And I'm really hopeful that the average person in mainstream America doesn't have to know how prone we are, doesn't have to know how easy it would be to disrupt their way of life that we do our work and we prepare, and we have the courage to say uncomfortable things. And we use the next 2 years to identify, buy down the most low-hanging risk and make sure that whatever harm does come, it's less intense and for less duration than otherwise would have been.

So we have a chance here. We have more time than we did during the dynamic, but less time than I'd like. Perhaps the idea of accidents and adversaries, not just from criminals, but from hybrid conflict. I mean most people realize we're on the cusp of up to 1 to 3 wars in the next couple of years. Of course, that conflict will include electronic disruption. And we have a few years to get our act together and make sure that we are resilient in the face of that.

Eric Hanselman

Well, we've got some time and what we need on top of it is action to your point. Well, this has been great. And hopefully, we've raised a little bit of visibility, catalyze little action on some fronts, but clearly a lot more to do. Thank you both.

Rob Knake

Thank you.

Josh Cornman

Thank you, Eric. I really enjoyed it.

Eric Hanselman

Great having you on. So much more than we could be talking about, but we are at time. That is it for this episode of Next in Tech. Thanks to our audience for staying with us. And thanks to our production team, including Sophie Carr and Gary Susman on the marketing and events teams and our agency partner, The 199.

Please keep in mind that statements made by persons who are not S&P Global Market Intelligence employees represent their own views and are not necessarily the views of S&P Global Market Intelligence. I hope you'll join us for our next episode where we're going to be talking about the next stages of the research we're doing into power demand for AI. And some of the things that we looked at a few episodes ago, now we've got some more numbers against. A lot of interesting things we can dig into there. I hope you'll join us then because there is always something Next in Tech.