In 2013, Iranian hackers remotely accessed the controls of a dam in Rye Brook, New York, part of a series of nation-state-sponsored attacks that also targeted American and Israeli banks. Although the hackers couldn’t release the water—the sluice gate happened to be disconnected for maintenance—the move was characterized as a “warning shot” and clear indication of the tremendous risk that cyber attackers pose.

Privately operated infrastructure assets such as power plants and transit systems define the 21st-century digital battlefield, and governments must recognize they no longer solely own the franchise on national security issues. The same year as the Iranian hack, the U.S. government identified the cybersecurity efforts of certain private sector critical infrastructure entities as essential to U.S. national security, compelling operators of those systems to improve their resilience. In turn, operators of national critical infrastructure are now recognizing that they need help defending against cyberattacks by rival nations. Never has it been so important to find new avenues for public-private collaboration.

Governments must recognize they no longer solely own the franchise on national security issues.

As we rethink defending the nation, critical infrastructure operators must identify key risks, providing government with direction on which assets require the most rigorous protection. Government partners across homeland security, defense, and intelligence must work with industry to accomplish three goals.
First, they must analyze impacts of adversarial activities on private sector infrastructure and develop early warning systems. Second, they should exercise joint capabilities and understandings so that cooperation starts before a crisis. And they must enable better countermeasures against adversarial activities that could have significant consequences, but are still below the conventional physical thresholds of war.

The vulnerability of critical infrastructure continues to grow. And that calls for much better collaboration to bridge the defensive measures that private sector operators manage and the battlefield that government controls.

Scott E. DePasquale, F14, is president and CEO of the Financial Systemic Analysis & Resilience Center


Exposed on the Seas

By Nicholas A. Glavin

Maritime shipping, which accounts for more than ninety percent of world trade, is particularly vulnerable to cybercrime. Cyber damage to the world’s ships, ports, and support systems such as refineries, could set off a domino effect on other critical sectors, including manufacturing, food, and energy.

One of the most high-profile victims of the 2017 NotPetya attack was the Dutch shipping giant Maersk, which had to operate for ten days without information technology. Maersk replaced 45,000 computers and estimated its losses at more than $300 million.

Maritime shipping is susceptible to such attacks because of its lack of encryption, increased reliance on computers, absence of standardized cybersecurity training for crew, the sheer cost of defending its IT enterprise, and industry-wide complacency. For example, several navigation systems, including GPS, are neither encrypted nor authenticated, making it potentially easier for cyber criminals to ground ships or cause a collision and close a port for weeks.

Manual navigations training and a backup means of communication could reduce the damage from future cyberattacks. But we need to do more. A government-funded focus on prevention and response is the most cost-effective, scalable, and fastest approach to protect our ability to move essential goods. Therefore, the U.S. government should subsidize cybersecurity and training across the maritime shipping industry through the U.S. Coast Guard—and our allies should invest in similar defenses.

Nicholas A. Glavin, F19, adapted this essay from one he published on the website of the Center for International Maritime Security.