Enemies that threaten American national security no longer need to depend on military power. Instead of bombers, fighter planes and missiles, they can sit at a computer and deploy cheap but destructive cyber attacks on U.S. critical infrastructure.
According to the intelligence community’s Worldwide Threat Assessment, our adversaries “will increasingly use cyber capabilities — including cyber espionage, attack and influence … to threaten both minds and machines.”
{mosads}With so much of U.S. critical infrastructure privately owned, the only defense lies in a coordinated response from the government and the private sector.
The threats are real and multifaceted. Relying on proxy organizations, geopolitical rivals like Russia and Iran view cyberattacks as an effective way to target vulnerabilities in the U.S.
As Director of National Intelligence Dan Coats noted in January, countries like Russia have no hesitation using these weapons. Russian attacks on Ukraine’s electric grid in 2015 and 2016 left hundreds of thousands of Ukrainians temporarily in the dark.
According to the president’s National Infrastructure Advisory Council, hackers could time attacks to target critical infrastructure systems during an ongoing natural disaster or weather event — an attack that could have shut down heating systems during the brutal polar vortex that hit much of the U.S. earlier this year, for example.
Our adversaries’ growing ability to threaten critical infrastructure is duly reflected in the cyber strategies released last year by the White House, Department of Homeland Security and Department of Energy.
The key challenge now is ensuring that all these government actors are clear about their roles and that they synchronize with each other and the private sector to ensure a robust U.S. response.
One enduring challenge is fostering communication from industry to the government about cyber vulnerabilities. At least one problem — companies’ fear that they might face retaliation — was addressed in 2015 legislation.
Another problem — a lack of clarity within the bureaucracy about who is responsible for engaging with industry and how — has at least a partial solution in the works.
In November, the Department of Homeland Security established a Cybersecurity and Infrastructure Security Agency and created a subsidiary National Risk Management Center to help centralize and streamline information-sharing procedures.
Congress must now ensure that these entities have the necessary resources and personnel. The federal government’s inability to retain cyber talent is a serious obstacle to preparedness.
One thing that might help is pending legislation to allow private-sector or academic cyber experts to work for federal agencies for up to two years. Something that doesn’t help are the government shutdowns that leave thousands of federal workers and contractors unpaid.
A second challenge is creating new technical solutions and best practices (examples of the latter include augmenting automated control systems for pipelines with manual ones and segregating business IT systems from systems that control infrastructure), doing so fast enough to keep ahead of adversaries’ own tools and weapons and ensuring that they spread rapidly throughout industry.
These solutions must continue to evolve, advance and spread because we continue to see new and more sophisticated viruses developed by our adversaries.
Last year, the Department of Energy created the office of Cybersecurity, Energy Security, and Energy Response, in part to foster research and development that could help the electric grid survive cyber attacks.
Congress could help ease this process as well. Assistant Secretary of Energy Karen Evans earlier this year highlighted for Congress industry concerns about incurring antitrust violations if they collectively enacted certain cyber solutions.
Given the range of actors involved in critical infrastructure, there are no simple solutions here that can be imposed by government or mandated by industries.
While the administration has proposed plans to support the coal and nuclear sectors in the name of protecting the electric grid, proposals like those distract from the real solutions that would truly protect American critical infrastructure.
The threat of a destructive cyber attack that could cost lives is growing every day. Facing limited resources and adversaries that range from nation states to terrorists, government cannot do this alone.
There must be a partnership of government and the private sector if the United States is to effectively defend itself from a cyber Pearl Harbor.
Leon Panetta served as secretary of Defense, director of the CIA, White House chief of staff, director of the Office of Management and Budget and as a U.S. representative (D-Calif.). He is a senior counselor at Beacon Global Strategies.
James Talent is a former U.S. senator (R-Mo.) He is a partner at Banner Public Affairs.