Cyber-attacks on critical U.S. infrastructure pose a tremendous threat to the American population and government. For years, the threat has grown in the form of state-sponsored cyber attackers and threats via data mining and malware coming through applications and social media. The current United States infrastructure is not sufficiently prepared or resilient to withstand attacks that can cause damage to critical segments of the medical, financial, power, and governmental sectors. Experts suggest that radical updates to infrastructure and improved security practices are required to prepare adequately for state-sponsored attacks or undermining from near-peer rivals.
The United States Government has a list of 16 critical infrastructure sectors that are “so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” These sectors cover areas of vital functioning like communications, emergency services, dams, and water systems. These sectors comprise physical and virtual components that are at risk of being compromised by bad actors.
For the United States, many of the critical threats originate in China and Russia, as the near-peer adversaries seek to undermine the structural integrity of critical infrastructure systems. Experts appear to be conflicted about which state pose the greater threat, however historical data indicates that most malicious hackers operate within these two countries often with connection to government institutions. NSA cyber director Rob Joyce made the comparison between Russia and China in terms of long term and short threats by saying, “Russia is like a hurricane, while China is like climate change.” Russian hacker groups may be able to carry out devastating strikes while China is a longer-term strategic problem for the United States.
Major risks in cyber security are not solely based in direct attacks. Malware and social media data mining poses significant risks to U.S. government personnel and the population generally. In November, FBI Director Chris Wray commented that “the possibility that the Chinese government could use [TikTok] to control data collection on millions of users or control the recommendation algorithm, which could be used for influence operations.” While the application does not pose a threat in terms of direct malware attacks, it does provide the opportunity for a rival, in this case China, to gather intelligence on the U.S. population and possibly government employees that can later be used to exploit vulnerabilities. The gathering of information from open-sources has dramatically altered the battlefield over the last two decades with the advent of the Internet and social media.
Another critical threat exists with weakly protected critical assets. In May of 2021, hackers were able to gain access to the Colonial Pipeline after obtaining a single password. This pipeline, which controls vital conduits of oil transportation from the Gulf Coast to the East Coast, was shut down for several days. Access was returned only after the company paid millions in cryptocurrency as a ransom. Despite this, some financial systems took months to return to normal status. This hack was attributed to a gang called DarkSide which is located in Eastern Europe and was likely sponsored by Russia to carry out attacks on Western companies and governments. Another similar attack took place in May against JBS, the world’s largest meat processing company. They too regained access after paying an $11 million ransom to the hackers. A cyber security expert claimed that the vulnerabilities lied in the overall weak security standards of the industry.
Other high priority systems, like medical systems, have also become targets of high-risk attacks. In hospitals, cyber-attacks can disrupt the information stored on individual patients leading to a fatally incorrect dosage of medication. In other instances, medical systems shutting down can increase time for treatment leading to patient deaths. This is not solely in the United States but poses a significant problem for other allies like France and Ireland. Deputy Director of the Cybersecurity and Infrastructure Security Agency, Nitin Natarajan, remarked that one critical component to increasing security measures is cooperating between healthcare organizations and the appropriate security institutions.
The first national strategy was implemented under the George W Bush administration. Clinton did not have a national strategy but had minor contributions to policy development. Under the Obama administration, Congress was urged to implement cyber-security regulations but was successfully blocked by the U.S. Chamber of Commerce and lobbying from private firms. The National Critical Infrastructure Prioritization Program was created and implemented in 2013 to increase security and prepare for threats coming from cyber-attacks. According to the Government Accountability Project’s report, a vast majority of federal and state employees questioned the plans effectiveness and reliability. Later, Executive Order 13800, issued under the Trump administration in 2020, focused attention and efforts on improving and modernizing federal IT infrastructure. It also encouraged collaboration across private and public sector domains and increased emphasis on working with foreign allies. Despite this refocusing, the cyber-attacks of 2021 showed that there continued to be extremely high latency between planning and implementation. Currently the Biden Administration is nearing completion of a draft of a cyber-security strategy to establish regulations for security maintenance in different critical sectors. The regulations would increase accountability of private firms operating in these sectors by having established guidelines.
The United States continues to face severe risks in many of the critical infrastructure sectors across the country. Addition protections and legislative action may be required to ensure that private sector systems as well as government operated sectors are resilient and durable enough to withstand cyber-attacks from adversarial actors and states.