Now more than ever, in the backdrop of heightened cyber risks, critical infrastructure operators have to band together. They can’t turn to the federal government to defend them against cyber threats.
Government Doesn't Defend Cyber Critical Infrastructure
The onus of defending their critical assets from cyber attacks is on the operators of critical infrastructure facilities because no government entity can or will defend them. Government entities may offer support at varying levels by sharing information about threats left-of-boom or investigating crimes right-of-boom. Still, critical infrastructure operators can’t rely on that support—it’s not enough to safeguard them against the cyber threats of today. Complicating matters more, critical infrastructure operators are generally not equipped to defend themselves against increasingly sophisticated and aggressive cyber attackers, primarily because they lack the funds to do so.
So, if the owners/operators of crucial sectors such as energy and water are at risk and ill-suited to defend themselves, what alternatives exist? Enter one approach: collective defense.
Collective Defense: Better and Cheaper
Sophisticated defenses require scale, which can be achieved by uniting many companies in similar industries and geographies. By joining together, critical infrastructure operators can achieve sufficient scale, enabling them to defend themselves in a sophisticated manner.
A similar cooperative model has existed since 1973, when the Society for Worldwide Interbank Financial Telecommunication (SWIFT) was created to provide a common banking messaging network. According to Investopedia, SWIFT was launched in 1973 by 239 banks from 15 countries, and it started offering messaging services in 1977. Through SWIFT, banks can “securely exchange information,” and today, over 11,000 banks use it.
SWIFT is operated on a not-for-profit basis, where the consumers of the service—the customers—are also the owners. SWIFT’s performance measures focus on the efficiency and effectiveness of the delivery of its core service, as overseen by a board of directors consisting of roughly 31 companies, ranging from the usual global giants to regional specialty banks.
Such a collective defense model would, I predict, simultaneously increase operators’ defense capabilities and reduce cybersecurity costs. Natural gas pipelines, natural gas distribution companies, small electrical utilities and municipal water utilities are some of the key types of operators that stand to benefit from sector-specific collective defenses. A skeptical eye could rightly identify all the challenges to multi-company cooperation, such as competitive concerns, divergent strategies, concerns about agility, etc. But those same complexities faced SWIFT 45 years ago, and yet SWIFT is thriving today.
With the level of cyber risk rapidly increasing, such cooperation may be more a factor of “when” than “if.” The stakes are high—cyber breaches can be catastrophic for citizens and can jeopardize our national security. For instance, if power grids are breached in major cities, transportation systems, hospital systems and other crucial resources would become inaccessible, and an adversary would have an easier entry point to attack.
Getting Started: Industry Sectors Must lead
Such cooperation among asset operators can only be achieved by the operators themselves. The government can’t organize and operate such a civilian collective defense, nor can technology consultants or outsourcers, though they may play supporting roles.
True cooperation and alignment must be led by the industry stakeholders. And it is important to recognize that each sub-sector has highly specialized requirements and long histories of coopetition in legal and regulatory matters, operations and engineering research, standardization, etc.
The good news? Various industry trade associations already exist and are in a natural position to lead the evaluation and launch of civil collective defenses. Strong candidates in each sub-sector are included here in an illustrative list:
Natural gas: Interstate Natural Gas Association of America (INGAA), American Gas Association (AGA).
Electric utilities: American Public Power Association (APPA), National Rural Electric Cooperative Association (NRECA), Electric Power Research Institute (EPRI).
Water utilities: American Water Works Association (AWWA), National Association of Clean Water Agencies (NACWA), Water Environment Federation (WEF), Association of Metropolitan Water Agencies (AMWA), National Rural Water Association (NRWA).
One or more of the key industry associations in each of these sectors could provide a credible—and confidential—forum for evaluating the feasibility of various options for banding together groups of like companies in that sector. While I won’t opine on which association or combination is best suited for the task of forming a collective defense coalition in each sector, I know from my decades of experience in the industry that the expertise, influence and ability exist to transition to a more mature defensive model.
The question is: does the will exist to take the initiative and band similar companies together before it’s too late?
Founder and CEO – The CAP Group
