Last year, the Department of Homeland Security (DHS) made a strange request. It put a call out to be hacked. As explained in Forbes, hackers were essentially asked to discover the vulnerabilities existing within the DHS systems for a possible reward of up to $5,000. And it’s a good thing that they did. When all was said and done, participants in the Hack DHS program found 122 security flaws. Of them, 27 were considered “critically severe.” Beyond revealing what could have been detrimental problems for DHS, the program also reflected a larger trend. As cyberattacks become riskier and more commonplace, there has been a greater emphasis on bringing together public and private sectors in a concerted effort to address them. In fact, many organizations have already joined in on coalition building with government agencies, including Amazon, IBM, Verizon, Google and Microsoft. Also in 2021, the Office of National Cyber Director was established to further strengthen the pairing of private sector knowledge with governmental insight.
The Many Impacts of Cybercrime
Out of the industries that stand to benefit the most from this type of united front, manufacturing and critical infrastructure industries are certainly at the top. Cybercrime has already cost the global economy trillions of dollars, and cybercriminals have realized that this kind of activity can often earn them more money than illegal drug trade. But as Luis Narvaez writes at Manufacturing.Net, “When it comes to critical manufacturing, infrastructure, and transportation hardware or software – industrial cybercrime has far-reaching consequences beyond the purely financial.” A breach of these systems can cause anything from a major disruption to the distribution of goods to essential needs like public health and economic security.
One element of this that has many worrying is the growing target placed on the supply chain. While backlogs are already expanding, security analysts have been warning that this could become worse in the event of a cyberattack. In response, the National Institute of Standards and Technology recently issued a guide outlining best practices for securing supply chain operations. Plus, there is the ongoing threat associated with the war between Russia and Ukraine. From the onslaught of this conflict, those running industrial control systems (ICS) have been put on high alert, and with good reason. As Stacey Higginbotham at Stacey on IoT put it, “some nine weeks later, it’s become clear that hackers have found a soft target in industrial networks — and plan to exploit them.”
Taking a Village Approach to Cybersecurity
Although the sheer size and potential impact of these threats can be overwhelming, can the state we find ourselves in also have a positive aspect? Higginbotham’s piece posits that this may be the case. Not only is this environment forcing us all to open our eyes to the significance of cybersecurity, but it is also opening doors for more research and information sharing, which helps to equip us with the data and resources we need going forward. The government has taken steps to implement cross sector collaboration, including being more transparent about its own vulnerabilities and allocating funds for other fields to handle their own. Of course, there have also been projects such as the hacking program mentioned in the beginning as well.
There have been more serious legislative pushes too. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 was signed into law in March by President Biden. As described at Lexology, the act requires operation falling under the critical infrastructure category to report covered cyber incidents within 72 hours of when it was believed to have first occurred. Additionally, a ransom payment must be reported within 24 hours of being made. Known as CIRCIA, this piece of legislation is just one of several reporting requirements introduced in the wake of the many large-scale attacks that have unfolded. The Federal Reserve, Office of the Comptroller of the Currency (OCC) and Federal Deposit Insurance Corporation (FDIC) have put forth a notification requirement as well as the Federal Communications Commission (FCC).
Despite some debate over competing requirements, when combined with the other initiatives listed, these acts prove that there is more attention being paid to creating an informed, multi-perspective and comprehensive understanding of the persisting and yet to be determined threats.
Sources:
- “Hacking The Feds” – Evan Ramzipoor, Forbes
https://www.forbes.com/sites/servicenow/2022/05/20/hacking-the-feds/?sh=13c888ae3a02 - “Securing Systems to Reduce Cyber Threat Risk” – Luis Narvaez, Manufacturing.Net
https://www.manufacturing.net/technology/blog/22236578/securing-systems-to-reduce-cyber-threat-risk - “Top 6 Challenges of Protecting Critical Infrastructure” – Jordan McDowell, Patch
https://patch.com/missouri/stlouis/top-6-challenges-protecting-critical-infrastructure - “Cyber attacks could be the next big threat to the supply chain” – Chris Conte, ABC 7 Denver
https://www.thedenverchannel.com/news/national-politics/the-race/cyber-attacks-could-be-the-next-big-threat-to-the-supply-chain - “Industrial software is a prominent target. What should we do?” – Stacey Higginbotham, Stacey on IoT
https://staceyoniot.com/industrial-software-is-a-prominent-target-what-should-we-do/ - “Cyber Incident Reporting for Critical Infrastructure Act of 2022” – Davis Wright Tremaine LLP, Lexology
https://www.lexology.com/library/detail.aspx?g=cb167966-0280-4630-847b-61971173b92e