Thinkers360

RESOLVING CRITICAL INFRASTRUCTURE CYBER DEFENSE THROUGH PRIVATE PUBLIC PARTNERSHIPS

Mar



In recent months, our Nation’s national security agencies have issued urgent advisories and testified before Congress on State-sponsored cyber-attacks, sabotage, and vulnerabilities embedded in the connected technologies managing life-essential infrastructure (power, gas, water, communications, transportation) in our country. While Executive Orders and guidance to critical infrastructure owners are a tangible first step to galvanize public awareness and action, more must be done to unify efforts to mitigate cyber risk across all sectors of our economy and way of life. Cyber attacks on infrastructure directly threaten human safety and property.  Cyber protections for operational technologies (OT) can no longer be considered an optional investment for C-suites and boardrooms weighing various business risks.  

A Task Force of the Tortora Brayda Institute, in partnership with the Association of U.S. Cyber Forces and the National A.I. & Cybersecurity ISAO, convened a council of 30 subject matter experts and thought leaders in February 2024 to focus nonprofit efforts on developing private-public partnerships to rapidly and sustainably improve the cyber resilience of the U.S. critical infrastructure with particular emphasis on mid-size company contributions. 

A national response to these compelling threats must include more than the top 20 organizations in each critical infrastructure segment that already have the resources to invest in protections immediately. The thousands of small system service providers in each sector, in most cases operating with limited margins, must have access to funds from public resources or public-private partnerships to implement capabilities to mitigate cyber risk.

For example, in the event of resource scarcity, a medium-sized ethanol manufacturer with 120 employees based out of Sacramento, California, is just as crucial for providing services to hospitals throughout the State as a Fortune 100 manufacturer. Our initial research indicates that up to 300,000 companies in the 100 to 5,000-employee segment may exist within the 16 critical infrastructure verticals in the United States. If we included NATO allies, the number would rise to more than 800,000.

Alycia Farrell, Executive Member of the Association of U.S. Cyber Forces (AUSCF) and Board Member for the Tortora Brayda Institute, works directly with small and medium-sized businesses within the Defense Industrial Base, where she is tracking cyber threats to critical infrastructure and various sectors of the U.S. supply chain. "The world of CMMC and the DIB is a microcosm of the larger issue impacting the overall US commercial industrial base. While DoD is implementing the CMMC certification process to try and get a handle on increasing cybersecurity practices and compliance, the efforts and costs associated with mandating these practices will increase the financial burden on these companies to the point where it will negatively impact our national security supply chain. These companies will seek support and assistance in completing the compliance, assessment, and audit processes." According to data from the DoD, up to 350,000 companies in the Defense Industrial Base supply chain, and certainly 80,000, need to step up their audit process.

"We need to explore all options for leveraging technology, and especially A.I., to support these companies in achieving better overall cyber protection and the associated compliance scoring that reflects their improved cybersecurity posture," the former Senate Appropriations Professional staffer added. "In addition, we ought to ensure that consultants, MSPs, and MSSPs are supported, enabled, and adequately certified, likely bringing the overall target of Project Cyber Eagle beneficiaries to well over 300,000."

The current geopolitical situation presents an exceptional threat to the critical infrastructure of the United States and its allies. From State-sponsored malware placed in operational technology (OT) to sabotage essential utilities to actual attacks on small water systems across the country, the U.S. is no longer a sanctuary from foreign attacks. U.S. citizens are squarely in the crosshairs of adversaries wanting to coerce national policymakers. In particular, the midmarket is known to be especially vulnerable. The Biden Administration's Federal Cyber Security Strategy and related implementation plan emphasize the importance of securing critical infrastructure in its totality, not just the market leaders.

The National A.I. & Cybersecurity ISAO, part of the Tortora Brayda Institute, has studied this issue for 18 months. During this time, Institute leaders have been formulating solutions with members of the U.S. Government, academia, the private sector, and the NATO community to rapidly improve the cybersecurity posture of critical infrastructure.

Lucian Niemeyer, CEO of the national non-profit Building Cyber Security, with decades of experience as a former Assistant Secretary of Defense, former Senate Armed Services Committee staff Member and top defense official in the White House Office of Management and Budget, and Board Member of the Tortora Brayda Institute commented: "When do cyber sabotage and attacks by State sponsors cross the threshold of an act of war?" As an example, in partnership with the UK, Canada, and Australia, the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI) issued a Joint Advisory on February 7th, 2024, announcing that People's Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on I.T. networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a significant crisis or conflict with the United States.

"This is a direct act of cyber sabotage. We can't continue relying on the infrastructure operators to identify and fight back State-Sponsored attacks. We must unite all federal agencies under one lead entity with the responsibility and accountability to work with all private sector owners to close the gaps in the cyber protections of our national infrastructure at the federal, regional, State, and local levels. Continuing to rely on private companies for our Nation's cyber defense will ultimately lead to a national catastrophe."

The Cyber Eagle Project will commit resources and expertise in solutions to rapidly and effectively improve the cybersecurity posture of our critical industries.

Martin Hawley, Director at Angoka, a U.K. Operational Technology Cybersecurity vendor, remarked: "I think this idea has potential in the U.K., and insurers and accountancy firms could be good channels to market Cyber Eagle to get people involved."

The objectives are these:

  1. To create an industrialized proactive outreach and engagement process to carry out high-level, non-intrusive cyber risk assessments, recommendations, transactions, implementations, and ongoing monitoring with private and public entities in the midmarket critical infrastructure sectors.
  2. Achieve at least a 25% net improvement in the cybersecurity posture of the target sectors within 18 months of launch.
  3. After that, engage with critical infrastructure customers through an online proactive cyber resilience CoE (Center of Excellence).

The Cyber Eagle Project is formed around two core pillars: developing a technological framework and identifying funding opportunities. The workflow for the technological part involves generative AI-specialized chatbot outreach that will target the most appropriate people in each target company to serve them with a high-level cyber risk assessment similar to what will be provided by a Cyber Risk Assessment vendor, as well as a cyber exposure assessment of their risk on the dark web and restricted channels used by cybercriminals on platforms (e.g., Telegram). To this effect, Mikko Niemela, CEO of Cyber Intelligence House, commented: "I am pleased that our Cyber Exposure platform can contribute to the overall effort by providing companies in critical infrastructure with the benefit of ten years of research data collection in collaboration with INTERPOL, UNODC, and other reputable law enforcement agencies, on the explicit risk and specific vulnerabilities that companies face from cyber criminals. With generative AI, we can deliver a user-friendly summary and comparison of the current level of cybersecurity."

The next phase for the proactive generative A.I. chatbot would be to engage and recommend appropriate solutions based on the detected gap when measured against one or more standardization and compliance frameworks like NIST CSF or many others. Our A.I. engine will determine the solutions, and a cybersecurity professional will validate them.

Keeping data secure within the framework of the Cyber Eagle Project will be foundational, and security will be built into the AI across layers from DevSecOps upwards. Post-quantum encryption will be carefully considered, as will the newest and most effective homomorphic encryption algorithms. 

The power and speed of enabling Generative AI to engage about 1 million technology professionals virtually simultaneously in critical infrastructure make Project Cyber Eagle a remarkable proposition.

The solution will be drawn from an ecosystem of 12 vendors and 500 partners focusing on the upper mid-market and another 18 vendors and 1000 partners aiming at the lower midmarket. These vendors would be selected on quality and complementarity criteria. We will construct a marketplace based on secure, reliable, and reputable marketplace technology vendors. The transactions would occur on this marketplace. The marketplace and the generative A.I. would ensure annual renewals and upgrades.

The second pillar is the funding element. One explored idea is providing forgivable loans for cybersecurity improvements through the Small Business Administration (SBA). This could also be done through NIST. There are precedents for this type of funding. A company would need to be eligible for it. The funding agency would develop eligibility criteria. Companies could obtain the loan, implement the technology, upload the invoice, and have the loan forgiven.

FEMA and CISA, for instance, provide grants for tribal, State, and local governments. These programs need to be expanded and socialized more.

This end-to-end process would ensure the United States achieves unparalleled critical infrastructure security improvements in record time and could lead its allies to do the same.

Credits.

The following are all subject matter experts and Critical Infrastructure Task Force provisional members.

Co-Chairs

Steve DeSantis, Partner Ecosystems Sales Leader, Palo Alto Networks

Peter Hammermeister, Principal,  Aligned Advisory Group

Michael Thiessmeier, Executive Director, National AI & Cybersecurity ISAO

Executive Members

Alycia Farrell, Executive Member, Association of US Cyber Forces

Joe Sykora, SVP Global Channels and Alliances, Proofpoint

Lucian Niemeyer, CEO of BuildingCyberSecurity.org

Miguel Garibay, VP of Operations and Administration

Dave Treadway, Founder EduGPT

David Mauro, Konica Minolta & Cybercrime Junkies

Jason Keller, Digital Strategy Director, Vistant

Gilles Esposito, Vice-Chair, Tortora Brayda Institute

Jill Wideman, Tortora Brayda Institute

Lucian Niemeyer, CEO Building Cyber Security

Mike Crandall, CEO Digital Beachhead

Laurin Groover, CEO The Groover Group, National Security, Cyber, Attorney

Mikko Niemela, CEO Cyber Intelligence House

Carlo Brayda, Executive Chairman Tortora Brayda Institute

Shaun Boggs, Director IT & Cybersecurity, Key Capture Energy

Tim Kapp, CEO CInco AI

Tony Zirnoon, CEO Human Capital Ventures

Krishna Priya, AI/ML Architect

Adnan Khaleel, Corporate Strategy Director,  Intel

Lee Hibbert, Bamboo UK

Martin Hawley, Angoka UK

Marcus Fowler, CEO of Darktrace Federal

Guillermo Christensen, Partner  KL Gates, National Security Lawyer

Chris Hadnagy, CEO Social Engineer LLC

Mary d’Angelo, Dark Web Threat Advisor, Search Light Cyber

By Carlo Tortora Brayda

Keywords: AI, Cybersecurity, National Security
