, ,

When Discussing Infrastructure, Think Security First

By Jim Richberg

Infrastructure is a word that describes a lot of things depending on whom you ask, and recently it’s been top of mind — especially in government.

Although not everyone is talking about infrastructure the same way, even the narrowest definition of the term includes transportation and, generally, utilities. Roads and bridges are undeniably infrastructure. If you’ve taken a cross-country trip, or any road trip, on the Interstate Highway System, the need to improve the nation’s highways is obvious in many places in a country as vast as the U.S.

Although people now take highways for granted, the Interstate Highway System was a tremendous achievement. The Transportation Department (DOT) says it best:

“From the day President Dwight D. Eisenhower signed the Federal-Aid Highway Act of 1956, the Interstate System has been a part of our culture as construction projects, as transportation in our daily lives, and as an integral part of the American way of life. Every citizen has been touched by it, if not directly as motorists, then indirectly because every item we buy has been on the Interstate System at some point.”

Almost by definition, infrastructure projects persist for decades. So far, it’s been 70 years for interstate highways and as long as 100 years for some water utility pipe systems. Infrastructure is difficult and expensive to upgrade, so it’s critical to do it right from the start. That means taking security into account from the outset.

The Intersection of Infrastructure and Cybersecurity

When it comes to building and improving roads and bridges, cybersecurity might not be the first thing that comes to mind. But whether we realize it or not, all these projects have a cybersecurity dimension. As soon as you have a sensor you need security. Virtually every area currently under consideration in the bipartisan infrastructure package winding through Congress has existing cyber dependencies. For example:

  • Bridges and roads have traffic and stress sensors for performance and safety.
  • Anything having to do with shipping and logistics is filled with sensors. They’re at every port and transportation hub.
  • Utilities, including everything from electricity to water to sewer. Water and power have already been targeted by threat actors, and small utilities are systemically underprepared.
  • Public transportation, rail and airports.

Failing to consider cybersecurity in infrastructure improvements heightens vulnerability and magnifies the impacts of failures, whether those failures are accidental or malicious. Cybersecurity dependencies will only grow as areas such as operational technology (OT), the Internet of Things (IoT) and edge computing technology expand.

The need for greater cyber resilience is a key element of ongoing discussions that range from implementing a national cyber strategy to thwarting malicious actors, enhancing supply chain integrity and creating greater capacity to deal with natural disasters and climate change. Additionally, a critical part of cyber resilience is foundational cybersecurity.

Going Beyond Roads

The impact of the COVID-19 pandemic has led to a realization that broadband is also a critical part of the nation’s infrastructure, including in rural areas. In discussions related to expansion of broadband, a basic level of security should be included along with service.

In other words, start talking about not just broadband, but secure broadband that ideally follows standards and approaches such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework. This facet of infrastructure will prove important not only for securing home users and educational environments, but also more broadly as IoT, edge computing and software-defined networking usage increases.

The expansion of broadband access across the country has the potential to parallel the way the Interstate Highway system transformed American life and the economy in unpredictable ways. We should shape broadband expansion to minimize the likelihood that these outcomes include negative ones due to inadequate cybersecurity.

What’s Next?

The infrastructure bills are still very much a work in progress, and it’s essential to include input from both internal (government) and non-government stakeholders on how implementation should proceed. Just saying “go build secure infrastructure” without providing adequate guidance doesn’t work, nor does being overly prescriptive and specifying every detail because needs and baseline capabilities vary widely across America.

It is also important to avoid setting specific technical standards or benchmarks in legislation or policy. It’s better to identify and prioritize well-defined functional areas where performance can evolve as technology changes. An example of this approach is the aforementioned NIST Cybersecurity Framework. It identifies functional areas and links them to existing standards, guidelines and best practices that can evolve as technology and threats change.

The infrastructure bills represent a huge opportunity for once-in-a-generation change for the greater good, much like the Federal-Aid Highway Act of 1956. Let’s do everything we can to do it securely.

Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected]. And to read more from our summer/fall 2021 Cohort, here is a full list of every Featured Contributor during this cohort and a link to their stories.

Jim Richberg is public sector field Chief Information Security Officer (CISO) at Fortinet. He formerly served as the National Intelligence Manager for Cyber in the Office of the Director of National Intelligence (DNI), where he set national cyber intelligence priorities.

Leave a Comment

Leave a comment

Leave a Reply