Critical infrastructure is the backbone supporting not just our economy, but our way of life. From the electricity that powers your home, to the hospitals that provide healthcare, to the financial systems that keep the economy running—these systems are part of a vast, interconnected network that is increasingly dependent on digital technologies. When the Biden administration released its national cybersecurity strategy, the first pillar was crystal clear: protect critical infrastructure.
In Zscaler’s first Executive Connect Live briefing, I had the pleasure of discussing this fascinating and important topic with Chief Information Security Officer and Deputy National Cyber Director Chris DeRusha and former CIO for the State of Wisconsin David Cagigal.
As we began, Chris succinctly described the landscape as he sees it. “We’re in the digital age, and this technology underpins every aspect of our lives, from the functioning of our economy to the operation of critical infrastructure, even down to the underpinnings of our democracy.”
The Colonial Pipeline ransomware attack demonstrated how cyber vulnerabilities can have ripple effects across society. The lesson? We cannot continue to place the burden of cybersecurity on consumers and small businesses; it’s a collective responsibility that starts with the most resource-rich organizations, including the federal government itself.
Federal agencies are ramping up collaboration with the private sector, which owns the lion’s share of America’s critical infrastructure. This public-private partnership aims to create a bulwark against the ever-evolving cyber threats. But there’s more work to be done.
Here are some of my most salient takeaways from our conversation.
Ongoing approaches to cybersecurity and whole-of-state status
Moving from a siloed to a whole-of-state cybersecurity strategy is critical to evolving defenses against cyber threats. “Whole-of-state” refers to an integrated approach where federal, state, and local governments collaborate closely with private industries to create a unified cybersecurity framework. This collective aims to pool resources, expertise, and intelligence for a more effective and agile defense against cyber threats.
Under this paradigm, each entity brings its unique strengths to the table. The benefit goes beyond fortifying cyber defenses. By integrating public and private sector efforts, we become more resilient and operate in a smarter, more efficient manner. This unified strategy allows for quicker dissemination of threat intelligence, streamlined responses, and more agile operations.
Private sector collaboration with government: A must for critical infrastructure
Critical infrastructure sectors like utilities, healthcare, and finance serve as the backbone of a nation’s well-being and prosperity. Therefore, the need to collaborate with the government becomes a necessity. Chris DeRusha said it best: “Cybersecurity is a group project that involves everyone: public sector, private sector, and even the average citizen.”
The objective is to forge a defense strategy where both the government and private entities are not just interdependent but also highly coordinated. This allows for real-time sharing of threat intelligence, faster decision-making, and a unified response to cyber incidents. With the stakes as high as national security, operating in silos is not only inefficient but also risky. The aim is to create an environment where responsibilities are clearly defined and resources are optimized for the collective good.
Information sharing is more critical than ever
When facing sophisticated threats from state-backed actors and well-resourced criminal groups, open and transparent communication between public and private sectors is critical. This applies especially to threat intelligence, risk assessments, and incident response plans. Organizations like the Joint Cyber Defense Collaborative (JCDC) serve as prime examples of how effective information sharing can bolster collective cyber defense.
On the flip side, the absence of such transparent communication can slow down response times, create gaps in defenses, and ultimately make both sectors more susceptible to cyberattacks. Hence, robust information sharing isn’t just a good practice, it’s essential.
Progress and gaps at various levels of government
The disparity in resource allocation and preparedness across various levels of government represents a significant challenge. While the federal government has poured significant funds and focus into fortifying cybersecurity measures, state governments often lag behind, hindered by budget constraints.
However, the most pressing concerns are at the state, local, and education (SLED) levels, where resources are scant and expertise is often lacking. “Local governments, often underfunded and underequipped, are a part of the chain and can be vulnerable targets,” said David Cagigal.
These gaps in resources and expertise at the local level are a weak link in our overall defense strategy and must be addressed to ensure that our collective cybersecurity posture is as robust as possible. Otherwise, opportunistic threat actors may target those weak links to establish footholds in critical infrastructure with an eye toward escalation.
Zero trust is quickly becoming the non-negotiable standard
In today’s cybersecurity landscape, the zero trust architecture is becoming a non-negotiable standard. Here, the government has taken a lead role with Executive Order 14028. “Zero trust is not just a technology update; it’s a whole new way of thinking about security,” Chris DeRusha observed.
The architecture promotes a proactive approach to cyber threats by ensuring that no access is granted without rigorous verification, regardless of the source of the request.
In an increasingly severe threat landscape, implementing a zero trust framework is crucial for a robust cybersecurity posture. Not adopting this approach leaves organizations vulnerable to sophisticated cyber threats.
What’s next?
This new era of critical infrastructure cybersecurity is challenging but essential. Here are a few areas we can work toward improving.
- More collaboration: Expect to see more public-private partnerships in the cybersecurity space with the goal of more advanced intelligence sharing and incident response collaboration.
- Standardized protocols: As we gather more data and insights, we’ll likely see the development of standardized protocols for threat intelligence sharing and incident response.
- Investment by local governments: There will be a growing realization of the need to better equip local governments, bridging the resource and knowledge gap at this level.
- Wider adoption of zero trust: The zero trust model is set to become the industry standard for cybersecurity, with more organizations adopting its principles.
- Focus on education and training: As Chris aptly stated, “Be kind to yourself if you’re in this field because it’s a marathon and not a sprint.” This sentiment rings true from top-level decision-makers to everyday citizens. Cybersecurity is a collective responsibility, and education and training will play a significant role in our preparedness.
Navigating critical infrastructure cybersecurity is like steering an ocean liner through rough seas. The journey is long, the risks are high, and the conditions constantly change. Yet, with a whole-of-state strategy, the adoption of advanced models like zero trust, and a commitment to collaboration across public and private sectors, we’re better equipped to weather the storm. Ultimately, our collective strength lies in our ability to work together to stay ahead of evolving threats.
What to read next
VPNs have once again endangered our critical infrastructure. Will it be the last time?
A true zero trust approach requires federal agencies to move beyond compliance [podcast]