Joe Slowik is posing some difficult—and thoughtful—scenarios about critical infrastructure protection—and the most challenging probably lies in the word “critical.”
On this episode of the Nexus Podcast, and in a recent talk at RSA Conference, Slowik, a security researcher, explained the tensions providers in the 16 critical infrastructure sectors are experiencing around adequate security resourcing and defense of their individual organizations. For example, companies in each sector would not be faulted for expecting the same level of government protection and guidance in the event of a breach or more significant incident, yet that may not be a realistic expectation depending on the organization’s bigger-picture role in maintaining national and economic security.
“Critical infrastructure defense is an interesting tension between individual organizations that operate in critical spaces are incentivized to view themselves as the most important thing going on, and defending my organization is the most important thing,” Slowik explained. “But if we take a step up in the layer of abstraction to a national government or similar, then not everything can be critical otherwise nothing is.
“So how do we start prioritizing response and resources to start ensuring we’re getting the maximum return on investment in terms of defensive resources, but also acknowledging the ethical dilemma that we cannot leave some entities behind because they’re not the most important,” Slowik said.
CI providers and the government have to tackle the question of balancing those tensions, Slowik said, pointing out that CI protection at a massive scale, for example, would spread resources too thinly across too many entities, to the point where it starts to become too diffused to have an impact anymore.
“There may not be a good way of balancing those tensions,” he conceded. “But even just acknowledging that disconnect exists is a really important first step toward solving the issue.”
The issue at heart could be several things, starting with the nebulous definition of “critical,” the Department of Homeland Security’s designation of 16 CI sectors, and the fear that pervades information security: no one wants to be the person who missed a critical vulnerability or failed to properly respond to an incident that then escalates quickly.
“You start digging into those 16 sectors and you start thinking about and you realize that this is basically everything anyway. So if those are all the critical things and everything is critical, then what is most important of all the things that are already critical?” Slowik said. “I’m not saying DHS is wrong, but just trying to argue that we really need to start thinking about things and prioritizing things if we really want to have the impact that we desire.”
Slowik advocates for two things: at a macro level, identifying what is important when allocating scarce resources in order to maintain continuity of the economy and government, and providing companies in the CI sectors with a realistic understanding of what they can anticipate in the event of a major, impactful incident, i.e., will the FBI or DHS show up at your door? In most instances, the answer is likely no.
“I don’t think we’ve been as honest with organizations as we can,” he said. “CISA does the best job it can in the U.S., but it can’t respond to everything,” Slowik said, adding that even private sector contracts with commercial incident response organizations don’t guarantee available resources to respond to everyone affected by a Volt Typhoon-level incident.
“Who gets the first bite of the apple in these circumstances and is that communicated so that organizations left behind know it,” Slowik said. “And can carry out business continuity and disaster recovery plans, so that while operations may be degraded, they might still be available to some extent versus shutting down because expectation didn’t match reality.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.