The recent news of attacks by Iranian threat actors on the Municipal Water Authority of Aliquippa in Pennsylvania and other similar attacks brings to light important issues around protecting critical infrastructure in the United States:
Our model in this country, where many of our utilities and infrastructure facilities are funded and managed at a local level, poses a significant threat to the security of the nation when it comes to cyber defense, elections, and other digital crimes.
The local taxes we pay are often sufficient to subsidize our local infrastructure, pay the salaries of our municipal staff and law enforcement. They are designed to deliver enough money to operate a relatively modern computing environment for the municipal services and utilities. Over the years, those budgets have also evolved to include some basic cybersecurity capability. Yet, they are not prepared to defend our municipal services from a sophisticated, well-resourced, and organized nation-state attacker.
In the event that a foreign nation were to land on U.S. shores and march into our local towns and begin dismantling or disrupting the local municipal utilities, the U.S. federal government would spring into action. Yet the digital equivalent of this happens every single day in America, and we have no real plan. Small cities in the Midwest cannot defend themselves against an Iranian cyber offensive. Nor should we expect them to have that capability.
We see this issue playing out not just with utilities, but with cyberattacks on small businesses and organized cyber scams against our citizens. The troubling part of all this: tax-paying victims have no one to depend on in a crisis. The FBI is too busy with larger issues, and local law enforcement does not have the training or resources to investigate or protect victims of digital crime. Meanwhile, billions of dollars are being siphoned away nationwide.
This begs the question: Where is our federal government?
Consider how we manage our infrastructure. Each utility, managed in a vacuum, with barely enough resources to keep up with the changing technical landscape and vital to the sustainment of our daily lives, comes under incessant attack from foreign adversaries that intend to do us harm.
Think back to 2011 when the U.S. and its allies unleashed STUXNet, a brilliant cyber weapon targeting energy infrastructure with the intent of disrupting the Iranian nuclear enrichment capabilities. This attack was sophisticated, exquisitely executed and ultimately successful. In the kinetic warfare world, if the U.S. developed a traditional weapon that had unparalleled capabilities, the next logical step was to develop a defense against such a weapon.
At the time we developed and deployed STUXNet, it would have been incumbent on the U.S. to look at our own infrastructure and shore it up against any retaliatory, attacks. Yet, we now read weekly in the news about foreign adversaries digitally galivanting around our critical infrastructure with impunity. Meanwhile, local administrators are throwing their hands in the air in frustration.
In some states, the National Guard has taken an active role in defending these assets. While I am grateful and applaud their proactive stance, they also have limited resources and are unprepared for the cyber offensive in front of them.
Organizations like the Cybersecurity and Infrastructure Security Agency (CISA) have a mandate to protect critical infrastructure at the national level. Largely because they are underfunded, CISA’s mandate gets carried out largely in an advisory capacity to the infrastructure providers. While it’s an important advisory role, many of these utilities have very small and unsophisticated IT staffs. So, in the end, CISA’s advisories often fall on deaf ears.
It’s time for the United States to treat this problem as a national priority. Historically, the U.S. non-cyber defense strategy has been to go on offense. One could argue this makes sense in the kinetic warfare world: “Blow it up before it gets here” can work as feasible approach in some cases. However, in the digital world, physical distance and barriers like oceans do not exist, and anyone can attack from anywhere at any time.
Simply making the world’s most sophisticated cyber weapon (as we did with STUXNet) is not enough. We have to build an organized, focused, well-funded defense strategy to protect against similar attacks. Like the military (or perhaps run by the military), this defense strategy needs clear responsibility and ownership. We need to send in the “big guns” to protect our energy and water utilities, because we rely on them for life. If we fail to do this immediately, we face some dire consequences.
While local control has kept the U.S. strong for generations, we really need to rethink our approach when it comes to the digital and cyber realm. Many of our laws and financial decisions are handled at the municipal level. This can work for managing schools, maintaining police and fire departments, and garbage collection, but it falls way short for cyberattacks by global threat actors.
Kurtis Minder, co-founder and CEO, GroupSense