This Month in Critical Infrastructure: June 2024
This month's top stories highlight critical issues affecting national security, public safety, and infrastructure. Key developments include efforts to harmonize cybersecurity regulations, the impact of severe weather events, rising global disinformation campaigns, significant healthcare cyberattacks, the Pentagon's new drone production initiative, increasing threats of doxing, and the potential effects of climate change on voting accessibility.
White House Issues Cyber Harmonization Announcement
The Office of the National Cyber Director (ONCD) is leading efforts to harmonize cybersecurity regulations amidst a fragmented landscape of federal and state rules, and recently shared a summary of the responses it has received from stakeholders. In 2023, ONCD released a request for information (RFI) to gather input from industry associations, owners, operators, and other stakeholders on how to streamline these regulations. The feedback from 86 respondents highlighted significant concerns about regulatory inconsistencies affecting cybersecurity outcomes and business competitiveness.
In response, ONCD is developing a pilot reciprocity framework to better align regulations, seeking Congressional support to unify relevant agencies. This initiative aims to reduce the administrative burden on regulated entities while enhancing cybersecurity readiness. The framework works like this: if an organization has met the harmonized requirements of one regulator, it will meet the requirements of another regulator.
Federal agencies issued an array of new cyber rules and proposals in recent years. The SEC’s new rule requires public companies to disclose material cybersecurity incidents and their risk management strategies. The TSA updated its cybersecurity directive for oil and gas pipelines, and the DOD is advancing its Cybersecurity Maturity Model Certification program. CISA is in the midst of rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Additionally, the FCC launched a Privacy and Data Protection Task Force, and Congress is pursuing H.R. 4552 to the Federal Information Security Modernization Act (FISMA) to improve federal cybersecurity practices. Competing cybersecurity models make it difficult for industry to respond adequately or consistently to each.
These developments underscore the increasing complexity of compliance burdens faced by organizations. ONCD’s harmonization efforts are a promising step towards creating a cohesive cybersecurity regulatory framework, encouraging industry stakeholders to participate in shaping these policies. Congress will need to assist in creating a reciprocal framework for industry and critical infrastructure partners to buy into. Senator Gary Peters (D-MI) has laid the groundwork for harmonizing cyber regulations with the drafting of the Cybersecurity Regulatory Harmonization Act, which may see inclusion in the 2025 National Defense Authorization Act. Harmonizing cyber regulations is a critical step towards reducing undue burden on owners and operators and achieving the consensus necessary to protect U.S. critical infrastructure.
Severe Weather Continues as Hurricane Season Starts
June 1st marked the start of what NOAA predicts will be an active hurricane season, with Tropical Storm Alberto bringing significant storm surge to towns in Texas and Mexico. The country’s extreme weather pattern continues with tornadoes, wildfires, and flooding, as well as a long-lasting heat wave impacting over 90 million people.
Maryland experienced a series of rare tornadoes that touched down across the state, including one in Montgomery County that prompted a Particularly Dangerous Situation (PDS) tornado warning, given the heightened risk to life and property due to possible “long-lived, strong, and violent tornadoes.” Though each of the tornadoes contained low wind speeds, these storms caused significant long-range damage.
The National Weather Service (NWS) is issuing the PDS warning, once a rare occurrence, more often, as tornadoes and other hazards increase in frequency and severity. This is part of a larger effort from the agency to present warnings and advisories earlier, in both English and Spanish, and with strong and specific language to identify the accompanying dangers.
This NWS campaign is especially pertinent to heat waves, the number one weather-related cause of fatalities in the United States. Recent years have shown increased and extended extreme heat events globally, including the current heat dome in the central and eastern United States. Many areas reached their first official heat wave of 2024, with the most extreme heat still to come.
Elsewhere in the country, wildfires in New Mexico resulted in the evacuation of entire towns, which only days later suffered flooding after a storm cell stalled over the already devastated area. As the month ends, multiple midwestern states are strengthening their levee systems as communities and farmland face extreme flooding from rising rivers. In Iowa, a railroad bridge collapsed into the Big Sioux River and Minnesota’s Rapidan Dam is in “imminent failure condition.”
As the pattern of severe and frequent weather hazards remains throughout the country, heightened information campaigns to protect life and property continue, leaving communities wondering what and when is the next threat.
Read more: https://www.washingtonpost.com/weather/2024/06/19/heat-wave-east-coast-temperatures-updates/
Influence Campaigns are Becoming a Global Industry
The United States has been prioritizing its counter-disinformation programs ahead of the presidential election this November. Last month, the Director of National Intelligence Avril Haines warned Congress about the potential threat of Chinese, Russian, and Iranian use of AI to interfere in U.S. elections and emphasized election security as an “absolute priority” for the intelligence community. This month, the United States signed a memorandum of understanding (MoU) with Poland to counter foreign-sponsored “information manipulation.” The State Department is even thinking of novel ways to “pre-bunk” (teach people to recognize disinformation before they see it), including through video games.
As the national coordinator for critical infrastructure resiliency and as the sector risk management agency (SRMA) for the election infrastructure subsector, CISA has been leading efforts to bolster election systems across the country by working directly with state and local officials. The threat of influence campaigns is on CISA’s radar as well, with the agency promoting its #Protect2024 campaign and recently publishing a joint guidance on “foreign malign influence operations.”
Recent reports of a disinformation campaign originating in Israel and targeting U.S. and Canadian officials expose a growing global industry for influence operations. The campaign was executed by STOIC, an Israeli political marketing firm with ties to the Israeli Ministry of Diaspora Affairs. OpenAI and Meta disrupted operations attempting to push pro-Zionist and Islamophobic narratives on Instagram, X, and other platforms. The Israeli government is known for its robust cybersecurity efforts and counter-disinformation operations, and even collaborates with the Department of Homeland Security (DHS) on a research and development program to improve the cyber resilience of critical infrastructure. Its recent conduct, which includes targeting at least 128 members of Congress, comes as a major surprise and adds to growing fears of foreign attempts to sway the upcoming presidential election and interference in American politics in general.
Israel’s actions, along with heightened Chinese, Iranian, and Russian threats, come at a challenging time for America’s cyber defense agency. Though CISA recently resumed talks with social media companies to address disinformation on their platforms (after being legally barred from coordinating with them), the agency is careful to avoid any notion that it monitors Americans’ speech online or is working too closely with tech companies. Addressing disinformation originating in all corners of the world will be CISA’s main task and challenge as it prepares for the November election.
Healthcare Hacks Cause Lasting Disruption
by Tiba Shlash
Just one year after CISA Director Jen Easterly identified the healthcare sector as target rich and resource poor, the nation was hit with the most significant cyberattack on healthcare systems in its history. The February cyberattack on medical software company Change Healthcare continues to have a lasting effect.
The initial ransomware attack lasted over two weeks, during which payment systems needed to fill prescriptions, process insurance claims, and manage patient files were completely inoperable. This incident brought to light a key pillar of risk management: critical systems must be able to function even when one feature within the system has been disrupted. Exploits of vulnerabilities are bound to occur whether from criminal hackers or foreign adversaries; however, a system that is secure by design incorporates security measures such that it can handle a disruptive exploit before it becomes a zero-day event.
The White House is convening with executives from across the healthcare sector to accelerate the voluntary adoption of Secure-by-Design technology. Towards this end, the Universal Patching and Remediation for Autonomous Defense (UPGRADE) program allocated $50 million in funding to develop robust IT tools specifically tasked with defending hospital environments, and companies such as Microsoft and Google are providing free and discounted cybersecurity services to some of the most vulnerable, particularly in rural areas.
Beyond the development of IT features and tools, there is the human aspect of security. The second principle of Secure-by-Design is to “embrace radical transparency and accountability,” and Congress has begun investigating how Change Healthcare notified affected patients of the breach in compliance with the Health Information Portability and Accountability Act (HIPAA), which mandates that healthcare providers notify individuals within 60 days of discovering a breach of data.
Senator Maggie Hassan (D-New Hampshire) and Senator Marsha Blackburn (R-Tennessee) penned a letter accusing the firm of failing to take accountability for the breach. If Change Healthcare is found to have failed to meet its obligation to notify, the Department of Health and Human Services can use HIPAA to fine them upwards of $4 million.
The ransomware attack on Change Healthcare was a new catalyst for heightened efforts to bolster the healthcare sector, demonstrating the potential consequences of disruptions to under-resourced sectors. Even further, the disruption highlights that national security is not just about deploying the right resources, but about shifting the culture within industry to promote transparency, accountability, and the voluntary adoption of cybersecurity principles.
Pentagon Partners for Mass Drone Production
The Pentagon is seeking to adapt to modern warfare by partnering with four defense contractors to develop inexpensive drones as they loom larger for battlefield tactics. The companies—Anduril Industries, Integrated Solutions for Systems, Leidos Dynetics, and Zone 5 Technologies—were selected to produce drones that can be built quickly and cheaply, according to a press release from the Defense Innovation Unit and the Air Force Armament Directorate.
The press release indicates that the partnership offers the best chance at achieving goals related to cost-per-unit, project timelines, and production quality. It also acknowledges that the Pentagon’s prior drone manufacturing method was problematic due to labor-intensive building processes and expensive materials. Additionally, the announcement outlined an intent for vendors to leverage modern design and incorporate commercial components to keep production costs low.
The companies will begin drone test flights during summer and fall 2024. After demonstration flights, at least one prototype will be selected to develop toward readily scalable manufacturing. In addition, some may be candidates for the Pentagon’s Replicator program, which aims to mass produce inexpensive drones. Details on the Replicator program have been scarce, but Deputy Defense Secretary Kathleen Hicks recently stated that the first wave of Replicator program drones have been delivered to the Indo-Pacific region.
The Pentagon’s partnership with defense contractors is pivotal for enhancing technological innovation and ensuring national security at a low cost. This collaboration fosters advancements in modern warfare as well as robust aerial defense systems. By leveraging expertise and defense contractor resources, the Pentagon is aiming to accelerate the development of the next generation of drones and enhance war preparedness. This new partnership may also have implications for U.S. critical infrastructure by strengthening U.S. manufacturing capability and developing new production techniques that could carry over from the defense industry into the small and commercial drone market.
Read more: https://www.defenseone.com/business/2024/06/pentagon-looks-beyond-primes-cheaper-drones/397074/
Doxing Concerns Rise Ahead of 2024 Election
Doxing has become a powerful weapon, used against everyone from anonymous social media accounts to public figures and politicians. The term, which derives from the abbreviation “dox” for “docs” or “documents,” refers to the public disclosure of an individual’s private documents or information. This information release can lead to targets being stalked, harassed, and in some cases swatted and killed. Swatting is another internet-born practice where heavily armed SWAT teams and police respond to hoax bomb threats at an innocent, unsuspecting victim’s home. These violent harassment tactics have made their way from certain corners of the internet to front page news.
After Trump’s conviction in the beginning of June, former Trump lawyer Michael Cohen and his family’s addresses and phone numbers were posted on a doxing website. This came on the heels of doxing attempts targeting jurors on this same Trump trial.
As protests over the events in Gaza continue, groups like Accuracy in Media wage doxing campaigns against college students and faculty that are involved in the pro-Palestine movement. Scammers even threaten to dox people if they don’t pay a certain amount of money. This month, two men pleaded guilty to accessing a law enforcement portal to acquire personal information for doxing and extortion schemes.
As election season nears and political tensions rise, these campaigns will likely continue to target public officials and their families. In February, two dozen current and former election officials penned a letter to Congress encouraging anti-doxing legislation ahead of the upcoming election. While some states have passed this legislation, the fact remains that staff and poll workers have been doxed and threatened at particularly high rates.
This issue highlights the need for heightened cybersecurity efforts to secure personal information on the part of individuals and big tech. These intimidation tactics not only attempt to influence our political and justice systems, but also put the average citizen at risk as data security concerns rise.
Climate Change and Voting Accessibility Raise Questions of Election Integrity
by Ashley Hopko
With the November 2024 election quickly approaching, national security experts have warned that climate change could threaten voting accessibility, potentially undermining America’s democratic process. Extreme weather events, exacerbated by climate change, can disrupt voters’ ability to reach polling locations and safeguard necessary voting documents.
In a recent article for Foreign Affairs, former senior director for resilience policy on the National Security Council Alice Hill described how floods can damage election and transportation infrastructure and wildfires can destroy personal documents and identification required for voting in some states. “The disenfranchisement of even a few voters can make a profound difference in election outcomes,” the article notes, referencing the 2000 presidential election that was decided by just 537 votes.
To safeguard election infrastructure and protect voters, Hill recommended that election officials increase their collaboration with emergency managers, ensure backup power at polling sites, and introduce more flexible voting methods. However, remote voting continues to be a contentious issue. Although Donald Trump recently encouraged his supporters to embrace mail-in ballots, the Republican National Committee continues to oppose efforts to ease the mail-in voting process.
Adding to the obstacles around remote voting, the Safeguard American Voter Eligibility (SAVE) Act, introduced by Republican lawmakers in May, would restrict remote voting by requiring voters to submit citizenship documentation in person when registering to vote.
High voter turnout, a crucial part of a healthy democracy, is reliant on factors such as voter registration and identification laws, early voting allowances, and polling place accessibility—all affected by severe weather and laws like the SAVE Act. While studies show that poor weather has always affected voter turnout, the heightened effects of climate change and severe storms have the potential to turn what was once a minor inconvenience into a significant barrier to voting.
CISA recognizes climate change as a threat to critical infrastructure, noting that increased severe weather impacts all 16 critical infrastructure sectors, requiring improved resiliency. Ahead of the 2024 general election and with the uptick in threats against polling workers, election security is a primary focus for CISA, which earlier this year launched its #Protect2024 campaign to safeguard polling locations, which may soon need to expand to include challenges related to climate change.