Accelerating Cybersecurity for US Critical Infrastructure

Disruptions in gasoline supplies due to the cyberattack on the Colonial Pipeline in May 2021 transformed cybersecurity attacks from an “online problem” to a national security concern. This seminal event resulted in the release of the National Cybersecurity Strategy (NCS) on March 2, 2023. The NCS brought into focus the potential for serious economic damage and disruptions to our daily lives from cyberattacks on critical infrastructure. Congress and government agencies are acting with urgency to advise organizations in critical infrastructure sectors such as aviation, water and sewage utilities, education, and healthcare to rapidly address cybersecurity concerns. For this strategy to be successful, however, there is no reason to reinvent the wheel. Our path forward should be informed by lessons learned from successful cybersecurity and risk management programs that have proven track records.

Moving from Voluntary Approaches to Mandatory Requirements

There has been much progress over the last ten years in bringing cybersecurity issues to the forefront of organizations, lawmakers, and government executives. However, the speed of change and investments necessary to deliver “cyber resilience” have not kept pace with the velocity, volume, and variety of continued cyberattacks. We continue to read daily about ransomware attacks and cybersecurity incidents in schools, local governments, and healthcare facilities causing disruptions and hardship. The NCS recognizes that voluntary approaches are not working fast enough and seeks to change the status quo by driving policy changes. One of these changes includes transferring liability for cybersecurity from the user to the technology manufacturers of digital products and services. It also seeks to move minimum cybersecurity requirements from voluntary adoption to mandatory implementation under the supervision of government agencies. The goal is to accelerate cybersecurity investments to drive cyber resilience. These policy changes are especially important for the critical infrastructure sectors that include essential services that we all depend on.

Securing Critical Infrastructure is a Big Deal

Protecting our critical infrastructure will require the best and brightest minds to come together because the problem is large and complex. A quick back-of-the-envelope calculation reveals a $20+ billion market opportunity in the United States alone. According to the Cybersecurity and Infrastructure Security Agency (CISA), there are 16 critical infrastructure sectors whose assets, systems, and networks are considered vital to the United States. Just to get a sense of the numbers, CISA provides the following data:

  • The defense industrial base consists of 100,000 firms that provide products and services to the Department of Defense. Assuming an average spend of $100,000 per year on cybersecurity solutions, that is a $10 billion market for Cybersecurity Maturity Model Certification (CMMC) 2.0.
  • On March 7, 2023 the Transportation Security Agency (TSA) issued guidance to the aviation sector on the need to improve their cybersecurity posture. There are around 19,700 organizations in the aviation sector alone – which includes aircraft, air traffic control systems, airports, heliports, and landing strips as well as ancillary service providers like aircraft repair stations, fueling facilities, navigation aids, and flight schools. Assuming these organizations on average spent $100,000 per year, then that sector equals a $2 billion opportunity.
  • On March 3, 2023 the Environmental Protection Agency (EPA) advised water and wastewater utilities on the need to shore up their cybersecurity defenses. There are approximately 153,000 public drinking water systems and more than 16,000 publicly owned wastewater treatment systems in the United States. More than 75 percent of the U.S. population depends on these systems for their potable water and sanitary sewerage needs. Assuming these organizations on average spent $100,000 per year on cybersecurity, then that amounts to a $17 billion market.

Clearly, the 16 critical infrastructure sectors have a wide variety of cybersecurity needs and will require tailored solutions. Developing the right cybersecurity risk management model and mandating adoption are urgent priorities. To make rapid progress, we should consider leveraging cloud computing, the Federal Risk and Authorization Management Program (FedRAMP), and secure commercially developed innovations.

