At a glance.
- Critical infrastructure and insider threats.
- British thinking about cyber deterrence.
The insider threat to critical infrastructure.
The National Counterintelligence and Security Center published a report titled “Insider Threat Mitigation for U.S. Critical Infrastructure Entities: Guidelines from an Intelligence Perspective.” For the purposes of the report, critical infrastructure is defined as the sixteen sectors, like energy and communications, outlined in Presidential Policy Directive 21. An insider is a “trusted member of the workforce” who can “use their authorized access to facilities, personnel, and information to cause harm…intentionally or unintentionally.” This harm can take the form of “economic espionage, sabotage, workplace violence, fraud and other misuse of corporate resources.”
Insider threat awareness is particularly timely given global adversaries’ novel interest in a wide scope of non-government targets, which places the private sector “squarely in the geopolitical battlespace.” The report warns that threat actors are harvesting vast troves of organizational data to mine for weaknesses. Critical infrastructure is a primary target since it can be used as leverage in international conflicts.
In addition to the following solutions, the Center recommends a “whole-of-organization” response to the threat that promotes “organizational citizenship” and “a culture of security”:
- Differentiating the insider threat program, to which human behavior is central, from other cybersecurity initiatives.
- Building a program that flags “anomalous behavior” while nurturing trust and respecting civil liberties.
- Cultivating a culture of “robust internal communications” where employees are empowered to share observations.
- Involving stakeholders from across departments, such as security and human resources, and designating accountable senior leadership.
- Implementing red team and tabletop exercises.
- Integrating technological solutions like User Activity Monitoring.
- Prioritizing the organization’s “crown jewels.”
- Taking advantage of the National Insider Threat Task Force’s numerous resources.
- Incorporating a “security intelligence program” to track threats, vulnerabilities, and incidents.
The US faces “an unprecedented imperative,” the report concludes, “to collectively ‘raise our game’ in protecting U.S. critical infrastructure.”
Deterrence, as seen from Whitehall.
SecurityWeek reviews the implications of the “rather bellicose” statement in the UK’s 2021 Defense Review that a nuclear response might be considered in reply to significant threats from emerging technologies, which the article understands to include cyber capabilities. To meet the threshold for a kinetic reply, the triggering cyberattack would need to jeopardize “critical industries.” SecurityWeek fears that three geopolitical and technological trends make such an attack more likely: relations with Russia and China are deteriorating, information technology (IT) and operational technology (OT) are increasingly interconnected, and different critical infrastructure sectors are increasingly interdependent.
Another cause for concern is the difficulty of attribution, and of distinguishing governments from gangs with intermittent government connections.
While at first blush Britain’s position “appears to be a major escalation in the possible effects of cyberwar”—as the first public statement setting the nuclear option on the table—the piece points out a “saving grace” qualifier in the Review. The UK’s policy is to “remain deliberately ambiguous” about the conditions under which a nuclear response would be considered, for strategic reasons. Through this lens, the new policy amounts to a “warning,” not a “threat,” and is probably “meant to have a deterrent effect.”
Nevertheless, SecurityWeek worries that less responsible nations will follow suit, and that some of them could “be less hesitant to follow through.” Deterrence, the article concludes, only works if the adversary is rational.