Critical Infrastructures
Strategy
In order to develop a sound security strategy to protect critical infrastructures, cybersecurity professionals examine the seven elements of cyber risk: political, economic, policy, social, defense, criminal, and technical. Each elements causes a level of impact to countries and its citizens, contains a background and type of players involved in managing the element, and pose specific threats and risks to populations. One of the most complicated elements is the political, as it has been valued as having a high impact on the management of critical infrastructures. One of the philosophical issues taking place within the political element involves the constant debate over ideas of freedom vs. security as it relates to the Patriot Act. Most politicians want to promote policies which advance and protect the rights to free speech and other Constitutional rights. However, some policy makers believe in the creation of State and Federal policy which provide more regulation and set a standard on how companies managing critical infrastructures should conduct their operations. The political element can be a challenge because many politicians will have their own approach on how to develop policies regarding critical infrastructures. These politicians may find it difficult to agree on the types of investments needed into the area of critical infrastructures by the Executive and Legislative branches of government. There is also debate on if the government should set standards which could potentially restrict growth from companies within the private sector. For these reasons, it is difficult for policy-makers to see common ground in order to effectively manage the development of policies for critical infrastructures. There are several players involved in the political elements: Federal and State governments, political parties, lobbyists, think-tanks, academic advocates and others. The significant threats involving the political elements include: lack of cohesive focus, wasted investment, wrong priorities, and impact of lost time. The political elements is one of the most significant barriers for the implementation of policy regarding critical infrastructures.
Economics
For governments and companies, the economic element is one of the most important factors of cyber risk. The economic elements could have a medium to high impact on nations depending on the effect it has on populations. The element focuses on the loss of revenue for the American commercial sector, individuals and investors. It also features the “Deter Cyber Theft Act” which allows the President to restrict imports in order to protect IP rights. The players involved include: IRS, businesses, families, all level of governments, and virtually every organization and individual. The threats include loss of revenue and intellectual property, confidence in commercial transactions and use of credit. The economic element could be a factor for governments that prevent them from implementing policies for critical infrastructure due to the possibility of having a negative effect on populations. It is also one of the most essential factors for the private sector, as they will want to implement policies that will not negatively impact the financial viability of companies that manage critical infrastructures.
Policies
The policy elements possess a high impact on populations. The element involves the creation of a National Security Strategy for Cybersecurity with participation from Federal, State and International bodies. The players involved include: nation-states, alliances, U.S. States, Federal agencies, legal foundations, as well as business and industry. Threats include lack of cohesive standards, policies, priorities, and investment. According to Clarke, the absence of the policy element containing a national cybersecurity policy within the United States, represents an area in which the government could reduce the impact of threats and promote stronger security standards within corporations throughout the country. The policy element is one of the most difficult factors to overcome as policy-makers hesitate to adopt any policy which many interfere with growth in the private sector.
Social
The social element has a medium to high impact on populations. The expansion of social media and the technology use by Millennials presents significant challenges to cyber risk. The players involve anyone who uses social media platforms on their various devices. Threats include loss of privacy, intrusion into lives, physical and virtual security, as well as related activities that lead to criminal acts. The social element has become one of the most important over the last couple decades; the use of social media can provide attackers with another section of technology in which they can exploit in order to compromise networks and potential gain control over technologies managing critical infrastructures at private corporations.
Defense
The defense element has a high impact on cyber risk. The defense element involves the National Security of the United States, the idea that protecting against cyberattack is just as important as physical ones, the concept that cyberwar will be a major component of future war, and it may be the key element which protects nations and citizens from cyberattack. The players involved are nation-states and non-state actors. Threats include significant loss of life from cyberattack on military infrastructure, weapon systems, water, communications, food financial institutions, electric grid and related areas of daily life. Even though Clarke suggests that the United States can do more, the country has done a relatively effective job of managing the defense element of cyber risk by developing the Department of Homeland Security to respond to domestic cybersecurity initiatives and allowing Cyber Command to address international security issues around the world. A National Cybersecurity policy could improve the defense element within the United States and thereby reduce the impact of the associated risks.
Criminal
The criminal element has a medium impact on populations. It is the most active element and concerns the impact of criminal activities on individuals, governments and corporations. Players include criminals, non-state actors motivated by making money, and state-actors. Threats include significant loss of life from cyberattack on military infrastructure, weapon systems, water, food, financial institutions, electric grid and related areas of daily life. The criminal element is one of the most visible for individuals, as attackers may seek to compromise personal computers and smartphones in addition to trying to penetrate corporate and government networks. The criminal element has a direct correlation with the security of individual, corporations and governments as well their financial and physical well being.
Technical
The technical element has a high impact on populations. It involves the methods and technologies used to commit cybercrime, spying and destruction. Due to Moore’s law stating that technology doubles its computing capabilities every 12 months, there presents a challenge for policy-makers and corporations to adopt strategies for protecting the technical elements as cyber criminals are constantly implementing efforts to compromise new technologies as they advance over time. The players include all technology users, governments, industries, individuals, criminal organizations, terrorists, and the general public. Threats include individuals and organizations being one-step behind cyber criminals when it comes to developing a sound strategy for protecting networks, the leveraging of technologies to respond to specific instances of cyberattack, potential access to SCADA controls. Since most people have access to technology, especially those that can connect to the internet, cyber criminals will constantly seek for new methods of gaining access to networks and critical infrastructures. The use and dependency of technology among today’s user’s presents a significant challenge in that should cyber criminals gain control of their networks it could lead to a widespread negative impact among populations.
Conclusion
I believe the three most significant elements of cyber risk include: economic, policy and defense. Each possesses a significant impact on nations in terms of physical and virtual security as well as protection of financial assets. Even though it is probably true that governments and corporations should concern themselves less with money and more with developing effective models of security, the economic element is something that is present in both entities as well as individuals. One of the major issues for government officials when deciding how much to invest in security is the amount of available funds and where they should be appropriated across a security strategy. Also, the financial impact of cyberattack for individuals and corporations represents billions of dollars each year worldwide. It would be a great solution to consider the economic elements as a top priority to assist entities and individuals from the financial burdens that could take place due to a cyberattack. The policy element is the strongest component of creating a National policy for cybersecurity which can protect networks and critical infrastructures. The absence of national policy makes the nation more vulnerable to cyberattack, but a reversal in the ideas presented by policy-makers could help the country and its citizens and corporations adopt sound strategies even though there may be tradeoffs. For example, a National policy may somewhat restrict growth at a private company, but it could be argued that they will keep more of its money if it has to spend less to defend itself against cyberattacks over time. The defense element is responsible for keeping us safe domestically and abroad, without it there could be devastating impact on cost and potential loss of life within the country. The appropriate management of the defense element provides the country with laws on how to handle cybercriminal activity should it happen to individuals, organizations, governments or corporations. It also pinpoints how the nation should respond to acts of cyberwarfare. For example, if a state-actor were to penetrate critical infrastructures like the power grid as a part of a military strategy to negatively impact the United States before physically attacking them, the US would respond making it a priority to patch the network, protect the critical infrastructure, and counterattack the state-actors as a part of the defense element and component of National Security strategy. For example, the United States could effectively handle the threat of cyberwar by focusing on the economic, political and defense elements which will highlight the appropriate resources and counteractivity necessary to effectively defend the nation against cybercriminals and provide maximum protection for networks and critical infrastructures in the process.