Thoughts on preventing a cyber 9/11.

During a panel discussion centered around “Preventing a Cyber 9/11,” Karen Evans, Assistant Secretary for Cybersecurity, Energy Security, and Emergency Response at the Department of Energy, described how the DOE deals with securing infrastructure that’s owned by the private sector. She pointed to Hurricane Dorian—at the time a Category 5 storm heading up the coast—as an example of a natural disaster situation in which the response is primarily reliant on industry partners. Evans said her role in the newly formed office at the DOE has given her a deeper appreciation of public private-partnerships, and she said these relationships are necessary “to keep the lights on.” She emphasized the value of communicating with the energy sector, because these organizations “really listen” when the DOE shares information with them.

Jerry Perullo, CISO for the New York Stock Exchange, warned that sabotage is a major threat to all industries, especially for critical infrastructure. He said that the adverse impacts on the market is a side effect that shouldn’t be ignored. A destructive cyberattack in one sector could cause a domino effect that hurts all industries. He noted that Saudi Aramco and Sony—two very different companies in different sectors—were both vulnerable to cyberattacks intended to hurt their business. He added that some ransomware attacks should fall under the definition of sabotage as well. Looking to the future, Perullo said a pervasive theme for both the attackers and defenders is automation. Everyone needs to be working towards automation, he said, not because it’s going to put us out of a job, but because there are other things coming down the pipeline that we’ll need to focus on. Automation is a necessary part of keeping pace with attackers. He also urged increased communication between private-sector organizations, such as sharing threat intelligence, which can help inform vulnerability assessments across industries.

Geoff Brown, head of New York City Cyber Command, said that New York and other cities are reliant on a whole ecosystem of critical infrastructure, and if one sector begins to fail, it can cause a ripple effect. There are already a variety of currently existing emergency management teams, but cyber incident response is a relatively new field, and cyber professionals can often feel isolated. He said it can be helpful and heartening to talk to others who are in the same boat. Brown predicted that more secure, free, publicly provided resources will be available in the future. New York City, for example, is working toward implementing secure, city-provided WiFi.