The U.S., along with its key “Five Eyes” intelligence partners, issued an unusual joint statement last month that a Chinese government espionage group had hacked into critical infrastructure systems in Guam. Although the systems remain intact, the agencies are concerned that the hackers’ goal could be to disrupt or prevent communications between the U.S. and Asia during a military confrontation in the region.
Importantly, the hack was discovered by Microsoft, which then shared the information with the government. This demonstrates the most important point for deterring and responding to increased challenges to our critical infrastructure’s cybersecurity: Public-private collaboration is an indispensable condition for success.
The Guam event is not an isolated threat: Microsoft has also reported that the share of cyberattacks by nation-states targeting critical infrastructure rose from 20 percent to 40 percent in just one year, from 2021 to 2022.
U.S. critical infrastructure systems’ vulnerability reflects a sobering reality: The vast majority of the nation’s infrastructure systems are privately owned and operated. Nearly 170,000 separate entities make up the country’s water and wastewater systems, for instance, and each must be secure and resilient to protect the communities they serve. But many are owned by small- and medium-sized organizations that often lack the kind of robust cyber defenses necessary to keep pace with rapidly evolving threats.
Disruption of any of those systems would threaten national security, economic stability and public health. Yet, they remain at risk as geopolitical threats rise. According to the 2023 Annual Threat Assessment from the Office of the Director of National Intelligence (DNI), nation-states — in particular, China, Russia, North Korea and Iran — and criminal groups, which are converging more and more with nation-state actors, pose the most significant cyber threats to U.S. critical infrastructure.
The recognition of that threat is rising. In January, The Conference Board (where we are trustees of the Committee for Economic Development and co-chairs of the technology and innovation committee) released a 2023 C-Suite Outlook that showed that over 80 percent of global CEOs believe that cyberattacks will intensify over the coming year outside the Ukraine war theater.
Sharing information on threat detection, mitigation and remediation is crucial to fortifying the critical infrastructure ecosystem. Forums involving both the private sector and government have shown early signs of success through the “Shields Up” initiative, which provides recommendations and resources to help keep stakeholders informed about threats and other CISA initiatives. These efforts have largely been voluntary thus far, however. There are few requirements today for reporting cyberattacks, even for breaches of critical systems. The Cyber Incident Reporting for Critical Infrastructure Act, which Congress passed in March 2022, will change that. But a final rule implementing reporting procedures is not due to be released until September 2025. We must expedite that timeline to the degree possible and ensure that the rule is developed in collaboration with the private sector.
We must also develop minimum cybersecurity standards for critical infrastructure firms. Zero Trust models, including simple steps such as multifactor authentication, should be standard practice. According to IBM’s 2022 Cost of Data Breach report, 79 percent of critical infrastructure organizations have not adopted Zero Trust, highlighting a clear weakness in security practices.
Implementing new frameworks for incident reporting and minimum requirements requires close interaction between government regulators and the private sector. We should make every effort to harmonize new standards to avoid conflicts with various preexisting federal, industry and local requirements. Harmonization also lowers the barrier to compliance and promotes quicker adoption.
It is also essential to identify and prioritize the vulnerable sites and components in each sector where a breach could cause the most significant economic damage and develop resiliency strategies to mitigate the impact of a cyberattack. Prioritizing these entities should require each to perform comprehensive reviews of their supply chains of components, assessing risks based on factors related to the country of origin, the manufacturer’s record and the component’s sensitivity if compromised. The federal government should make more resources, including technical assistance and vulnerability assessments, more widely available to address the challenges facing small- and medium-sized businesses as well as state and local governments that lack adequate resources and staff to implement robust cyber defenses.
Policymakers must also recognize that the cybersecurity challenge will not be solved by a single framework or one-time investment, but instead, will be a continuous challenge as threats evolve. Additional federal resources are needed to propel research in advanced technologies, including quantum-resistant systems and artificial intelligence applications for cyber defense, and the private sector should increase investments as well. Most urgently, the nation must scale up the U.S. cyber workforce, equipping workers with the necessary skills and tracks for continuous learning to keep pace with the evolution of threats.
As the number and sophistication of cyberattacks grow, the country must focus on bolstering the security and resilience of its critical infrastructure — before that resilience is tested on a large scale. The key to success is closer collaboration between the public and private sectors. We especially need more robust information sharing in both directions on threats and attacks, minimum cybersecurity standards, new frameworks for incident reporting and the development of minimum standards and means to identify vulnerabilities in advance, including comprehensive reviews of supply chains and building resiliency to minimize the damage and time for getting back up and operating.
Peter Altabef is chair and chief executive officer of Unisys.
Reece Kurtenbach is the president, chairman and chief executive officer of Daktronics.
The authors are trustees of the Committee for Economic Development of The Conference Board and co-chair its technology & innovation committee.