The May attack on Colonial Pipeline was cyber terrorism. There's no better way to label it.
Attacks on critical infrastructure have consequences beyond the financial realm. They can cause physical harm to industrial equipment, disrupt vast portions of society, and even lead to loss of life, as in the case of a German hospital now pursuing cyberattackers for murder.
These attacks are tactical. They are orchestrated by rogue elements, often thousands of miles away. So don't call them espionage or hacktivism, or anything else that softens the nature of the attacks. Call them terrorism.
Sadly, cyber conflict is here to stay, and so we need to prepare for what's next — and beyond.
While the stakes are increasingly high for individuals, governments, and commerce, it's helpful to think of cybersecurity as a global contest. We have to know the players and the roles they play. And we must balance defense with offense.
Defense: The responsibility for defense lies squarely with critical infrastructure companies. They have all the motivation required to protect their assets and have made significant strides in improving the defense of their systems, but more work needs to be done.
While companies have put so much focus in recent years on preventing and detecting infiltration, we must still assume that breaches will happen, regardless of how many layers of defense a company may have. A good defensive strategy must also include three key plans: incident response, mitigation and minimization of the attack's consequences, and business continuity.
The ability to recover is an essential element of keeping a business working even after an attack. Recovery in this case includes an accurate and up-to-date backup of a system's configuration, along with the ability, for certain companies, to know "what has changed" on the control systems that enable automated manufacturing. This is often a company's weakest point.
Offense: This should be in the government's hands.
Companies are not in the business of taking countermeasures to disincentivize or punish attackers. Doing so can cause collateral damage in cyberspace that just causes further harm to more people. It is the responsibility of the government to establish laws and prosecute cyberattackers, as well as to answer attacks. The FBI clawing back illicit earnings from the Colonial Pipeline incident was a start, but we could go further.
Our society needs both private enterprise and the public sector to operate at high levels. Our government must send a strong message to the rogue elements and the governments that enable or ignore their activities that we consider cyberattacks on our critical infrastructure to be a threat to national security.
Government must do a better job of helping small businesses as well. Informing industries and possible victims of intrusions, in a way that allows them to make the necessary mitigating choices, is one step toward being a partner to private industry. It will take time to cultivate the trust necessary for industry and government to work together on this sensitive issue.
Cyber is the new frontier of international conflict, and we can win. Government and industry must work hand-in-hand, offense and defense, to execute a winning game plan. The future is at stake.