
Why DOD Must First Define Its Critical Infrastructure to Protect U.S. National Interests

With the introduction of the FY2023 National Defense Authorization Act (NDAA), defending critical infrastructure has been top of mind for the federal government. House-passed amendment 955 to the FY23 NDAA calls for the creation of a class of “systemically important” critical infrastructure providers. That debate continues a discussion begun last year through section 1505 of the FY22 NDAA, which focused on identifying and reporting threats to the sector.

To maximize the impact of this act, the U.S. Department of Defense (DOD) must first properly define critical infrastructure so that it understands the boundary of its authority in protecting it. A well-articulated definition of critical infrastructure will help the department defend against attacks on commercially owned infrastructure, attacks that have the potential to devastate national security.

The government also needs to be clear about how cybersecurity, and IT more broadly, apply to the sector. From the Colonial Pipeline ransomware attack to the SolarWinds supply-chain compromise, malicious cyber actors have shown a tendency to target critical infrastructure. A successful cyberattack on the sector can bring daily life to a halt, which makes it an attractive target both for criminals looking for a quick payday and for state-backed actors seeking disruption or persistent access.

Cyberattacks on the sector can also disrupt day-to-day operations at military installations, affecting training and overall DOD readiness. Accurately defining critical infrastructure, and the unique vulnerabilities found within it, will help the department define its role in protecting the sector.

The DOD’s Role in Protecting Critical Infrastructure

The DOD is responsible for protecting national security at home and abroad, so it must understand and defend the infrastructure behind its critical missions. The department has been aware of this threat for some time: in the February 2016 8-Star memo, the Commander, U.S. Northern Command and the Commander, U.S. Pacific Command alerted the Secretary of Defense to the vital importance of including cyber in critical infrastructure planning.

In the years since the memo, the DOD has demonstrated its ability to defend broader infrastructure, for example in election security. Ahead of the 2020 election, U.S. Cyber Command (CYBERCOM) conducted more than 2,000 operations to get ahead of cyber threats. As another election cycle approaches, CYBERCOM and the National Security Agency have named new leaders for their joint Election Security Group (ESG) to defend against foreign interference and ensure a safe and secure election. By applying the practices used to secure elections, the DOD could expand its role to the protection of other infrastructure sectors when civilian authorities request assistance.

Critical Infrastructure’s Unique Vulnerabilities

A full understanding of the digital terrain, and of the vulnerabilities within it, is paramount to defending the critical infrastructure sector. Critical infrastructure sectors are made up of a growing number of systems and tools, including IoT and OT devices in addition to the ubiquitous IT devices on which every organization depends.

However, while IT environments have continued to grow in size and variety, little or no consideration has been given to security in the design of IoT and OT devices, leaving critical infrastructure especially vulnerable to malicious actors. Ten years ago, Project Basecamp found critical OT devices and protocols to be “insecure by design.”

In the years since, the security of those devices has improved little. A recent Vedere Labs disclosure of 56 vulnerabilities in OT devices found that, of those 56:

  • 38% allow compromise of credentials
  • 21% allow firmware manipulation
  • 14% allow remote code execution

The military relies directly on this sector for much of its own infrastructure, leaving no room for downtime. According to the Department of Defense Annual Energy Management and Resilience Report (AEMRR) for Fiscal Year 2020, the DOD experienced 3,018 unplanned utility outages at military installations, 649 of which lasted eight hours or longer. Thirty-five percent of those outages were attributed to causes that include cyberattacks, and the outages cost the department over $2.6 million during FY20. Knowing that cyberattacks can produce physical impact, the DOD must consider hardening its defenses against this possibility, and must decide whether it should have a role, and what that role should be, when essential services such as power, water, or oil and gas are provided largely by non-DOD sources.

As the FY23 NDAA progresses through Congress, the DOD must examine how it currently protects critical infrastructure in order to expand its role in defending the sector. The vulnerabilities that make securing the sector challenging are unique, but so are the DOD’s capabilities for protecting it. By cooperating with civilian government and the commercial sector, the DOD has the opportunity to defend critical infrastructure quickly and successfully against future cyber events.

Dean Hullings is Global Defense Solutions Strategist at Forescout.