Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/7/2021
10:00 AM
Caleb Barlow
Caleb Barlow
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The US Must Redefine Critical Infrastructure for the Digital Era

The template being used to manage essential connectivity isn't just outdated, it's actively counter-productive.

America's definition of infrastructure has remained largely unchanged since the New Deal, when the federal government updated roads, railways, and water supplies ahead of World War II. Back then, communications technologies were in their infant stage — radio broadcasting was the FCC's sole focus — but over the past 25 years, digital communications have evolved at a rapid pace and become the foundation of daily American life. Unfortunately, the pandemic revealed major weaknesses in our modern communications infrastructure, including issues the country must address before another disaster strikes.

Despite multiple revolutionary technological advances, the US government's understanding of critical infrastructure hasn't evolved past the 20th century, leaving many modern communications assets vulnerable to cybercriminals. The US currently defines 16 critical infrastructure sectors as integral to the economy, notably including "communications" and "information technology" as separate sectors, an approach steeped in an outdated understanding of today's digital infrastructure. In the former category, the US seeks to protect "terrestrial, satellite and wireless transmission systems," while the latter focuses generally on "the internet."

Related Content:

Critical Infrastructure Under Attack

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: The Makings of a Better Cybersecurity Hire

In the 21st century, and particularly during a time when national security is now continually threatened by foreign and domestic actors, cybersecurity demands a holistic rather than siloed understanding of digital communications. Today's threat actors rarely target satellite dishes, cable lines, or cell towers for devastating attacks; they also don't attempt to turn off the entire Internet. Instead, they lock down hospitals and water treatment facilities, force companies or cloud services offline, and ransom future product designs stolen from manufacturers' servers.

For instance, the FBI's alarming arrest of a Texas man for allegedly planning a mass bombing of Amazon Web Services (AWS) data centers. Though privately owned data centers might not be traditional "infrastructure," an AWS outage can take down huge chunks of the internet, resulting in multimillion-dollar losses in a world where e-commerce reigns supreme.

Now, think about the economic and political impacts of just one social media platform: Twitter. Last year, a teenager used vishing techniques to simultaneously co-opt high-profile Twitter accounts for a Bitcoin scam — a huge, brazen hack that could have had much worse consequences. Before that, a hacker used Associated Press's Twitter account to falsely claim that the White House had been attacked, causing the stock market to panic and plummet. Like AWS, Twitter doesn't fall under the traditional definition of "infrastructure," but between these sorts of attacks and Twitter's growing role in political communications, it certainly has outsized importance to the US economy.

Because our digital infrastructure isn't as easily visualized as the analog, physical infrastructure it's replacing, we still harbor an old-school mentality regarding the systems our economy relies upon. The pandemic made painfully clear that our economy now relies heavily upon a robust Internet; our digital infrastructure was the lifeblood enabling people to continue living some semblance of their prior lives, facilitating everything from continuing work and school to ordering food and securing toilet paper. Quarantine and social distancing worked largely because the Internet kept everyone connected to everything, even when we weren't using the physical roads, railways, and airports we historically relied on.

There's no better example of the changing face of digital infrastructure than Zoom. Overnight, one app became a household name, enabling virtual classrooms, conference rooms, and even happy-hour venues. Live, multiperson videoconferencing was quite literally the reason many adults kept their jobs, and most kids were able to attend school for the past year. Is videoconferencing technology critical infrastructure? Bad guys certainly think so, as evidenced by the Zoom breach where hackers stole 500,000 passwords early in the pandemic, and multiple Zoombombing attacks that caught the FBI's attention, disrupting everything from academic presentations to court cases. 

AWS, Twitter, and Zoom are only some examples of how critical digital infrastructure has evolved in recent years, well past prior governmental definitions of communications and information technology. Yes, hardware and software are still important, but cloud-based services and platforms are now the foundations of American life, and key targets for malicious actors of any size or agenda.

During and immediately after the Cold War, America worried so much about nuclear Armageddon and physical invasions that financial threats such as economic disruption and business ransoming took a back seat. In the digital age, however, we may have less to fear from adversarial nations than sophisticated cyber thieves. As a recent Verizon report noted, nation-state attacks account for only 10% of data breaches, while a whopping 86% of breaches were financially motivated.

Although the headlines focus on Russian, Iranian, and Chinese meddling in the digital space, they're distracting us from the real issue of hackers taking entire organizations offline and robbing them blind, then growing large enough to threaten critical communications channels. The hacker who succeeds in ransoming one hospital will likely next target a larger medical system's digital records, affecting untold numbers of patients before planning bigger future attacks.

It's time for a mind shift. Digital infrastructure needs to be understood holistically as encompassing more than just basic communications hardware and the broad Internet, with full government support for protecting cloud services and platforms that have become essential to American life. Beyond extending security funding and technology support to critically important organizations, lawmakers must zero in on hacker ties to organized crime and create stiffer punishments for those who have mounted attacks on digital infrastructure. 

The Internet is a public resource — our most critical infrastructure over the past year, and most likely the foundation of everything we will build together over the coming decades. Starting immediately, we must do everything we can to protect our digital infrastructure's increasingly diverse elements, as only a holistic understanding of modern communications will enable us to stay ahead of criminals who would disrupt them for profit.

Caleb Barlow is the President and Chief Executive Officer of CynergisTek, a healthcare-focused cybersecurity company that works with more than 1,000 healthcare organizations on data security, privacy, and compliance. Prior to joining CynergisTek, Caleb led the IBM ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-30315
PUBLISHED: 2021-10-20
Improper handling of sensor HAL structure in absence of sensor can lead to use after free in Snapdragon Auto
CVE-2021-30316
PUBLISHED: 2021-10-20
Possible out of bound memory access due to improper boundary check while creating HSYNC fence in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Wearables
CVE-2021-42739
PUBLISHED: 2021-10-20
The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking.
CVE-2021-1980
PUBLISHED: 2021-10-20
Possible buffer over read due to lack of length check while parsing beacon IE response in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, S...
CVE-2021-1983
PUBLISHED: 2021-10-20
Possible buffer overflow due to improper handling of negative data length while processing write request in VR service in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearables