The US Must Redefine Critical Infrastructure for the Digital Era
The template being used to manage essential connectivity isn't just outdated, it's actively counter-productive.
America's definition of infrastructure has remained largely unchanged since the New Deal, when the federal government updated roads, railways, and water supplies ahead of World War II. Back then, communications technologies were in their infant stage — radio broadcasting was the FCC's sole focus — but over the past 25 years, digital communications have evolved at a rapid pace and become the foundation of daily American life. Unfortunately, the pandemic revealed major weaknesses in our modern communications infrastructure, including issues the country must address before another disaster strikes.
Despite multiple revolutionary technological advances, the US government's understanding of critical infrastructure hasn't evolved past the 20th century, leaving many modern communications assets vulnerable to cybercriminals. The US currently defines 16 critical infrastructure sectors as integral to the economy, notably including "communications" and "information technology" as separate sectors, an approach steeped in an outdated understanding of today's digital infrastructure. In the former category, the US seeks to protect "terrestrial, satellite and wireless transmission systems," while the latter focuses generally on "the internet."
In the 21st century, and particularly during a time when national security is now continually threatened by foreign and domestic actors, cybersecurity demands a holistic rather than siloed understanding of digital communications. Today's threat actors rarely target satellite dishes, cable lines, or cell towers for devastating attacks; they also don't attempt to turn off the entire Internet. Instead, they lock down hospitals and water treatment facilities, force companies or cloud services offline, and ransom future product designs stolen from manufacturers' servers.
For instance, the FBI's alarming arrest of a Texas man for allegedly planning a mass bombing of Amazon Web Services (AWS) data centers. Though privately owned data centers might not be traditional "infrastructure," an AWS outage can take down huge chunks of the internet, resulting in multimillion-dollar losses in a world where e-commerce reigns supreme.
Now, think about the economic and political impacts of just one social media platform: Twitter. Last year, a teenager used vishing techniques to simultaneously co-opt high-profile Twitter accounts for a Bitcoin scam — a huge, brazen hack that could have had much worse consequences. Before that, a hacker used Associated Press's Twitter account to falsely claim that the White House had been attacked, causing the stock market to panic and plummet. Like AWS, Twitter doesn't fall under the traditional definition of "infrastructure," but between these sorts of attacks and Twitter's growing role in political communications, it certainly has outsized importance to the US economy.
Because our digital infrastructure isn't as easily visualized as the analog, physical infrastructure it's replacing, we still harbor an old-school mentality regarding the systems our economy relies upon. The pandemic made painfully clear that our economy now relies heavily upon a robust Internet; our digital infrastructure was the lifeblood enabling people to continue living some semblance of their prior lives, facilitating everything from continuing work and school to ordering food and securing toilet paper. Quarantine and social distancing worked largely because the Internet kept everyone connected to everything, even when we weren't using the physical roads, railways, and airports we historically relied on.
There's no better example of the changing face of digital infrastructure than Zoom. Overnight, one app became a household name, enabling virtual classrooms, conference rooms, and even happy-hour venues. Live, multiperson videoconferencing was quite literally the reason many adults kept their jobs, and most kids were able to attend school for the past year. Is videoconferencing technology critical infrastructure? Bad guys certainly think so, as evidenced by the Zoom breach where hackers stole 500,000 passwords early in the pandemic, and multiple Zoombombing attacks that caught the FBI's attention, disrupting everything from academic presentations to court cases.
AWS, Twitter, and Zoom are only some examples of how critical digital infrastructure has evolved in recent years, well past prior governmental definitions of communications and information technology. Yes, hardware and software are still important, but cloud-based services and platforms are now the foundations of American life, and key targets for malicious actors of any size or agenda.
During and immediately after the Cold War, America worried so much about nuclear Armageddon and physical invasions that financial threats such as economic disruption and business ransoming took a back seat. In the digital age, however, we may have less to fear from adversarial nations than sophisticated cyber thieves. As a recent Verizon report noted, nation-state attacks account for only 10% of data breaches, while a whopping 86% of breaches were financially motivated.
Although the headlines focus on Russian, Iranian, and Chinese meddling in the digital space, they're distracting us from the real issue of hackers taking entire organizations offline and robbing them blind, then growing large enough to threaten critical communications channels. The hacker who succeeds in ransoming one hospital will likely next target a larger medical system's digital records, affecting untold numbers of patients before planning bigger future attacks.
It's time for a mind shift. Digital infrastructure needs to be understood holistically as encompassing more than just basic communications hardware and the broad Internet, with full government support for protecting cloud services and platforms that have become essential to American life. Beyond extending security funding and technology support to critically important organizations, lawmakers must zero in on hacker ties to organized crime and create stiffer punishments for those who have mounted attacks on digital infrastructure.
The Internet is a public resource — our most critical infrastructure over the past year, and most likely the foundation of everything we will build together over the coming decades. Starting immediately, we must do everything we can to protect our digital infrastructure's increasingly diverse elements, as only a holistic understanding of modern communications will enable us to stay ahead of criminals who would disrupt them for profit.
About the Author
You May Also Like
Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024Safeguarding GitHub Data to Fuel Web Innovation
Nov 21, 2024The Unreasonable Effectiveness of Inside Out Attack Surface Management
Dec 4, 2024