Thursday, July 4, 2024

Chatham House Cyber 2024 – who is responsible for securing critical infrastructure?



Securing national infrastructure against cyberattack and related disruption is a priority for any country, especially in an election year for the UK, the US, India, the EU, and others. But in a world where many services are privatized, defining what is, and isn't, part of the national infrastructure can be tough, not to mention who is actually responsible for securing it.

Some targets are more obviously national, of course. In the UK this week, a cyberattack on London hospitals was declared a critical incident and saw operations cancelled, with doctors reverting to paper records. Whether the attack was a test for vulnerabilities in the wider healthcare system is unknown.

In October 2023, the British Library was hit by a ransomware attack from which it is still recovering. Yet despite its seriousness, the incident was poorly reported in the press, in the apparent assumption that it was unimportant. (The reasons for the Library’s cyber weakness and its slow recovery from the incident were explored in my earlier diginomica report).

More widely reported this year was a hack on the payroll systems of the UK’s Ministry of Defence, in which hostile actors – thought to be from China – accessed the personal and financial data of over 270,000 staff.

A cloud-hosted payroll system may not itself count as part of the UK's critical national infrastructure, but it can be a viable route upstream into the defense of the realm: an important lesson about the security, or otherwise, of interconnected systems. It is conceivable that bad actors remain sequestered in MoD networks, using credentials obtained via the payroll system breach.

Though reported in May, the attack itself apparently took place back in February, but the system’s vendor, SSCL, did not flag up the breach at the time, according to a report in the Guardian.

This is a concern, as the company, part of French IT supplier Sopra Steria, was awarded an MoD cybersecurity commission in April – apparently before officials were made aware of the incident – and it has other central government cybersecurity contracts. 

If nothing else, therefore, this demonstrates that disclosure, transparency, diligence, and accountability must all be maintained to ensure trust and prevent further harms.

Also in February, the UK’s National Cyber Security Centre (NCSC) warned of hostile state actors “living off the land”, camouflaging themselves within legitimate network activity to gain persistent access to critical national systems – behavior observed by security specialists in both the UK and US. 

These and other issues were among those discussed at the Chatham House Cyber 2024 conference this week. The international affairs thinktank hosted a day-long event on a range of connected cyber issues, featuring speakers from world governments, academia, civil society, and the private sector.

Speaking on the record at a panel on resilient national infrastructures, Chair Joyce Hakmeh, Deputy Director of the think tank's International Security Programme, explained:

We must ensure that our efforts are grounded in a thorough understanding of the threat landscape, and are adaptable to new and emerging challenges. 

Recalibrating our assumptions also means embracing a culture of vigilance and resilience. We cannot afford to be complacent or reactive when it comes to cybersecurity. Instead, we must be proactive in identifying vulnerabilities, mitigating risks, and responding swiftly to incidents.

Julie Johnson is attaché to the UK from the US federal Cybersecurity and Infrastructure Security Agency (CISA) – the first appointee to such a role in the world. She said:

All the decisions that [organizations] make at national level impact local infrastructure at a local one – the lights, the water, everything. We’re America’s cyber defense agency, but we’re also the national coordinator for critical infrastructure security and resilience. So, we lead that effort to understand what are the gaps? And, what do we need as far as resilience is concerned?

That mission has many touchpoints, she explained:

For example, we have an office for bombing prevention. We also employ our first meteorologist, because we want to understand extreme weather impacts on infrastructure. And we have an emergency communications division. So, CISA not only looks at what happens in the cyber community, but also at those dependencies and cascading impacts.

We have heard from the head of GCHQ and a national security director that this is not just a cyber issue. We are also seeing an increase in physical threats when there's a cyber issue, in that it has a physical impact, or vice versa. We have to think holistically about these problems.

A related problem is the prevalence of people in the sector treating security as an isolated technology problem demanding technology solutions, she said.

We're making this assumption that the next generation knows it all. But they're tech savvy, not cyber savvy. Plus, I would argue that those generational gaps are going away. We're all getting tech savvy, we're all using the same things. But down at a local level, we've mystified a lot of people. They're not cyber savvy.

She added:

We had a talk from the British Library. And we often don’t think about those soft but critical infrastructure targets. What happens when a grocery store goes down or a library goes down? 

Have we built in resilience, or that mantra of resilience? Or trained people on resilience? Not only to deal with the rapid, changing pace of technology, but also what happens when those everyday services go down. I would argue that those are critical infrastructure nodes too. They certainly impact national security.

The point there is that a nation’s cultural life and capacity to preserve centuries of knowledge, as well as its ability to feed itself, should all be considered alongside more traditional security targets, such as defense, energy, healthcare, and transport. 

Christiane Kirketerp de Viron is Head of Unit for Cybersecurity and Digital Privacy Policies at DG Connect, the European Commission's Directorate General for Communications, Networks, Content, and Technology, a post that also gives her an international coordination role. She said:

We are in a scenario now where a lot can be switched off by threat actors sitting behind borders in the comfort of their own home. It creates a totally different understanding of what security is for a good infrastructure.

In the old days, we had the classic 'energy, transport, health', and we all know those are still very important today. But beyond that, we see a lot of new targets. There's also manufacturing, there are enormous public administrations that are targets, such as space, plus cybersecurity itself. So, we are extending into a lot of new areas.

She added:

But you don’t have to be a large entity to be critical. So, we’ve also seen an evolution in terms of the understanding of what is actually critical for our society and our economy. 

And it is no longer enough to tell our critical entities, ‘You have to secure your supply chain. You have to make sure your products are secure!’ That’s not just the role of those guys, because they’re the clients. They’re the consumers, the ones that are buying it! We also need to put responsibility for the security of software and hardware with those who are producing it.

With tight deadlines and competitive sales imperatives, some vendors seem to have a policy of 'release now, fix later', hardly a boon for securing national infrastructures that often rely on the same core technologies as non-critical systems.

Chatham House’s Hakmeh noted that the definition of critical infrastructure has expanded further in the long tail of pandemic lockdowns: even public cloud platforms became critical for our essential services to function. 

But today, what are the biggest threats? Chris Gibson is Executive Director of the global Forum of Incident Response and Security Teams (FIRST), which has over 700 members worldwide. While acknowledging obvious culprits, such as hostile states, cybercriminals, and other bad actors, he said:

In a way, the biggest threat is just trying to define what is the critical national infrastructure – trying to put a circle around it, saying, ‘This is what we defend. And this is what we don’t.’

Increasingly, these questions have a global context. Gibson explained that this was brought home to him when he worked at another organization in the UK:

We had an incident at a company in a European nation that was a supplier to a national infrastructure in the UK. Clearly that was a route into our own critical infrastructure, but [the mood was] ‘This is not in my country, so it’s not my remit.’ And I couldn’t ring them up and tell them to do things myself. 

So, it’s drawing that line about what is critical. For example, if someone is running a supermarket distribution center, that’s critical. If it goes down, nobody gets food. But if a guy is running the electric power supply and not realizing that the two are connected, he may not consider that his power station or that power grid next door is critical. 

But to me it is. So, it is about joining those dots. That’s almost where I see the biggest threat: it’s the complexity of how we do this. And it’s the supply chain that we have to try to secure. Especially when you look at the international part of it.

CISA’s Johnson added:

We tried an experiment once where we looked at a supply chain, to break it down and see where things were coming from in the hardware and software lines. We wound up with an Excel spreadsheet with 10,000 lines on it – and it was ever changing. 

We could say, 'If everything is critical, then nothing is critical' and we must focus on something. But understanding that interconnectivity, understanding what happens when a substation goes down [is important]. For me, what is critical now is thinking about those dependencies and cascading impacts.

She added:

I’m really worried about that ‘tech savvy, but cyber poor’ group. How are we speaking as a government to them? How are we getting our message out there? Putting out simple messaging about passwords, multifactor authentication, and so on [is useful], but we’re still missing a large swathe of people. 

We can talk about a hospital, but that small doctor’s office with that one bit of software, that is going to have cascading impacts. So, we have to get down to an individual level!

Kirketerp de Viron added:

We have this picture of capable threat actors, but if you're looking at what kind of defensive measures you need to put in, it's often really simple risk-management security that we have to impose on those who operate critical infrastructures.

Tsui-Chuan Hsieh is Director General of the Administration for Cyber Security in Taiwan. Speaking remotely in Mandarin through an interpreter, she said:

With the evolution of technology, the interface of operational technology has become more complicated and difficult to define. So, the past division of labor will not work in the current situation. Better collaboration will be an important issue, the capabilities and requirements will all be different. So, that is one challenge. 

Second, we found that investment in CNI [critical national infrastructure] is always tremendous. So, for example, if I want to replace or update systems, the cost will be too high, causing us to not be able to replace them immediately. So, we have to have an interface connecting the legacy and the new system.

Ageing systems that are no longer supported by their vendors have certainly been one reason for security failures in the UK, at the NHS and at the British Library, for example, where tech and security professionals often lack the budget, or simply the time, to keep critical systems up to date.

Hsieh added:

Sometimes, manufacturers provide the same equipment to many different countries at the same time, so you have to really abide by their rules. And oftentimes, you cannot be as flexible or as nimble as you might like. Again, that’s a big challenge. 

So, how do we respond later on? Simply put, I think it’s very important that we have joint defense or collaboration. And it’s also very important that you have backups, contingencies, or redundancies, so that when ‘A’ collapses, you still have B, C, D, or E. Maybe they’re not as good, but at least they’re operational.

For Kirketerp de Viron, senior responsibility is key. She said:

I’m happy that we’re having this discussion about the basic stuff that needs to be done, because it’s really where everything starts. 

But something we are doing, as a directive, is making cybersecurity a boardroom responsibility. So, we’re saying there are sanctions at CEO level, if you have not done your cyber risk management. 

[In the past] this was something that was mainly delegated to CISOs. Now, when it arrives at CEO level, and it’s a question of sanctions, then of course it comes together with financial decisions. And I think that’s the place where cybersecurity belongs.

Bold words. But Madeline Carr, Professor of Global Politics in Cybersecurity at UCL, added a different perspective. Speaking from the audience, she said:

I want to be provocative and push back against this narrative of messages not getting through [to senior decision-makers]. I think we’re not really being honest with ourselves about why that is still a problem. 

It’s sometimes because organizations don’t have sufficient pressure put on them. And this is where I think the point about CEO pressure is a good one: that it can have an effect. 

But organizations are all so different, aren’t they? We have some where security is at a very high premium. People understand they could lose their jobs if they don’t follow protocols. 

But at the other end of the spectrum, we have organizations like hospitals, where emergency-room doctors are not properly signing in and out of an iPad that holds patient records, because they’re in the midst of trying to save someone’s life who has just been in a traffic accident!

So, if we’re honest about this, perhaps with some of these solutions, the message is all wrong, and the solutions are wrong. When are we going to be open about that? And start thinking about what we need from the technical community to make our messaging work?

My take

Good questions, and uneasy answers. In a complex, interconnected world, we must all take informed responsibility for what we can, and look at our systems holistically. To whom are they connected, and why? Where are the weaknesses?
