This article, written by Chad Heitzenrater and published on September 21, 2023, by RAND Corporation, sheds light on the vulnerabilities in the U.S. cybersecurity infrastructure. The article emphasizes the constant risk to U.S. critical infrastructure due to the insecurity of computing systems operating essential services. It highlights instances where the very tools employed for cybersecurity have been exploited, revealing the flaws in the security systems meant to protect critical infrastructure.
The article cites the example of Volt Typhoon, a Chinese actor, targeting critical infrastructure in Guam, a significant U.S. interest in the Pacific. It was discovered that the security devices designed to protect the system contained vulnerabilities that were exploited to gain access. This raises concerns about the reliability of cybersecurity tools, as they can be as flawed as the systems they are meant to protect, falling victim to rushed delivery cycles and market pressures.
The article suggests that the U.S. needs to prepare for cyber threats more nefarious than espionage and crime, because the infrastructure has military value and future attacks may be more damaging. It criticizes the current detection-centric defensive posture as inadequate against evolving cyber threats: given the pace and overtness of hostilities, that posture may not support the shift from contest to conflict.
The author calls for a higher standard for cybersecurity, focusing on developing systems that are fit for purpose and designed to operate in hostile environments. He applauds the recent emphasis on cyber resilience by the Cybersecurity and Infrastructure Security Agency but stresses the need for additional steps, such as adopting greater standards for critical infrastructure and adherence to secure development and design principles. This proactive approach is essential to minimize vulnerabilities and maximize insight into the security and quality of systems.
However, the shift to secure development may initially increase cost and time, and it requires investment to improve the accuracy, efficacy, and coverage of secure development tools and techniques. Without government investments and policies to drive transparency and a clear understanding of cybersecurity tools, the U.S. risks offering its adversaries the means to undermine its systems and, ultimately, its security.
In conclusion, the article underscores the urgent need for robust cybersecurity measures to protect U.S. critical infrastructure from evolving cyber threats and emphasizes the importance of proactive approaches and government investments in securing the nation’s cyber infrastructure.
Heitzenrater, Chad. “Cyber Attacks Reveal Uncomfortable Truths About U.S. Defenses.” RAND Corporation, 21 Sept. 2023, https://www.rand.org/blog/2023/09/cyber-attacks-reveal-uncomfortable-truths-about-us.html