Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/7/2021
10:00 AM
Caleb Barlow
Caleb Barlow
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The US Must Redefine Critical Infrastructure for the Digital Era

The template being used to manage essential connectivity isn't just outdated, it's actively counter-productive.

America's definition of infrastructure has remained largely unchanged since the New Deal, when the federal government updated roads, railways, and water supplies ahead of World War II. Back then, communications technologies were in their infant stage — radio broadcasting was the FCC's sole focus — but over the past 25 years, digital communications have evolved at a rapid pace and become the foundation of daily American life. Unfortunately, the pandemic revealed major weaknesses in our modern communications infrastructure, including issues the country must address before another disaster strikes.

Despite multiple revolutionary technological advances, the US government's understanding of critical infrastructure hasn't evolved past the 20th century, leaving many modern communications assets vulnerable to cybercriminals. The US currently defines 16 critical infrastructure sectors as integral to the economy, notably including "communications" and "information technology" as separate sectors, an approach steeped in an outdated understanding of today's digital infrastructure. In the former category, the US seeks to protect "terrestrial, satellite and wireless transmission systems," while the latter focuses generally on "the internet."

Related Content:

Critical Infrastructure Under Attack

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: The Makings of a Better Cybersecurity Hire

In the 21st century, and particularly during a time when national security is now continually threatened by foreign and domestic actors, cybersecurity demands a holistic rather than siloed understanding of digital communications. Today's threat actors rarely target satellite dishes, cable lines, or cell towers for devastating attacks; they also don't attempt to turn off the entire Internet. Instead, they lock down hospitals and water treatment facilities, force companies or cloud services offline, and ransom future product designs stolen from manufacturers' servers.

For instance, the FBI's alarming arrest of a Texas man for allegedly planning a mass bombing of Amazon Web Services (AWS) data centers. Though privately owned data centers might not be traditional "infrastructure," an AWS outage can take down huge chunks of the internet, resulting in multimillion-dollar losses in a world where e-commerce reigns supreme.

Now, think about the economic and political impacts of just one social media platform: Twitter. Last year, a teenager used vishing techniques to simultaneously co-opt high-profile Twitter accounts for a Bitcoin scam — a huge, brazen hack that could have had much worse consequences. Before that, a hacker used Associated Press's Twitter account to falsely claim that the White House had been attacked, causing the stock market to panic and plummet. Like AWS, Twitter doesn't fall under the traditional definition of "infrastructure," but between these sorts of attacks and Twitter's growing role in political communications, it certainly has outsized importance to the US economy.

Because our digital infrastructure isn't as easily visualized as the analog, physical infrastructure it's replacing, we still harbor an old-school mentality regarding the systems our economy relies upon. The pandemic made painfully clear that our economy now relies heavily upon a robust Internet; our digital infrastructure was the lifeblood enabling people to continue living some semblance of their prior lives, facilitating everything from continuing work and school to ordering food and securing toilet paper. Quarantine and social distancing worked largely because the Internet kept everyone connected to everything, even when we weren't using the physical roads, railways, and airports we historically relied on.

There's no better example of the changing face of digital infrastructure than Zoom. Overnight, one app became a household name, enabling virtual classrooms, conference rooms, and even happy-hour venues. Live, multiperson videoconferencing was quite literally the reason many adults kept their jobs, and most kids were able to attend school for the past year. Is videoconferencing technology critical infrastructure? Bad guys certainly think so, as evidenced by the Zoom breach where hackers stole 500,000 passwords early in the pandemic, and multiple Zoombombing attacks that caught the FBI's attention, disrupting everything from academic presentations to court cases. 

AWS, Twitter, and Zoom are only some examples of how critical digital infrastructure has evolved in recent years, well past prior governmental definitions of communications and information technology. Yes, hardware and software are still important, but cloud-based services and platforms are now the foundations of American life, and key targets for malicious actors of any size or agenda.

During and immediately after the Cold War, America worried so much about nuclear Armageddon and physical invasions that financial threats such as economic disruption and business ransoming took a back seat. In the digital age, however, we may have less to fear from adversarial nations than sophisticated cyber thieves. As a recent Verizon report noted, nation-state attacks account for only 10% of data breaches, while a whopping 86% of breaches were financially motivated.

Although the headlines focus on Russian, Iranian, and Chinese meddling in the digital space, they're distracting us from the real issue of hackers taking entire organizations offline and robbing them blind, then growing large enough to threaten critical communications channels. The hacker who succeeds in ransoming one hospital will likely next target a larger medical system's digital records, affecting untold numbers of patients before planning bigger future attacks.

It's time for a mind shift. Digital infrastructure needs to be understood holistically as encompassing more than just basic communications hardware and the broad Internet, with full government support for protecting cloud services and platforms that have become essential to American life. Beyond extending security funding and technology support to critically important organizations, lawmakers must zero in on hacker ties to organized crime and create stiffer punishments for those who have mounted attacks on digital infrastructure. 

The Internet is a public resource — our most critical infrastructure over the past year, and most likely the foundation of everything we will build together over the coming decades. Starting immediately, we must do everything we can to protect our digital infrastructure's increasingly diverse elements, as only a holistic understanding of modern communications will enable us to stay ahead of criminals who would disrupt them for profit.

Caleb Barlow is the President and Chief Executive Officer of CynergisTek, a healthcare-focused cybersecurity company that works with more than 1,000 healthcare organizations on data security, privacy, and compliance. Prior to joining CynergisTek, Caleb led the IBM ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-31664
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-33185
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
CVE-2021-33186
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
CVE-2021-31272
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.
CVE-2021-31660
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 85da504d2dc30188b89f44c3276fc5a25b31251f contains a buffer overflow which could allow attackers to obtain sensitive information.