Jason Healey, Senior Research Scholar at Columbia University’s School for International and Public Affairs, discusses 25 years of White House cyber policies, the evolving nature of threats, heavy-handed regulations on critical infrastructure, and the shift of cybersecurity responsibility. They also explore collaboration between the technical and policy communities and ideal changes to the internet and cybersecurity.
Cyber attacks can have physical consequences, taking down infrastructure made of concrete and steel, not just digital assets.
The changing geopolitical landscape and the use of cyber capabilities for territorial gain pose increasing risks and impacts on critical infrastructure.
Deep dives
The Growing Dependence on Computers for Critical Infrastructure Systems
Critical infrastructure systems such as electricity, finance, transportation, and water supply are increasingly relying on computers. However, this dependence also poses a significant cybersecurity risk, as seen in incidents like the ransomware attack on the Colonial Pipeline and the failure of the Texas power grid. This season of Hack the Plant explores the challenges arising from increased investment in renewable energy and highlights the need for robust cybersecurity measures in critical infrastructure sectors.
The Evolution of White House Cyber Policies
Over the past 25 years, the White House has been developing and adapting cyber policies to address the security of critical infrastructure. Since Presidential Decision Directive 63 in 1998, the early optimism about achieving secure critical infrastructure within a short timeframe has evolved. The increasing presence of intelligent adversaries and the continuous evolution of technology make securing critical infrastructure an ongoing challenge. The recent National Cybersecurity Strategy emphasizes the need for regulation and recognizes the market failures in ensuring cybersecurity. Operational technology (OT) security is also given more attention, considering the potential impact adversaries can have on critical infrastructure through OT systems.
The Under-Learning and Potential Risks in Cybersecurity
One concern highlighted in the podcast episode is the under-learning of lessons from cyber attacks on information technology (IT) and operational technology (OT) systems, particularly evident in the case of Ukraine. The dynamic nature of cyber threats and the changing geopolitical landscape indicate that the use of cyber capabilities can become more dangerous and widespread. The focus on intelligence contests and the perception that cyber attacks are non-lethal can lead to complacency and a failure to recognize the potential for significant harm. As states increasingly resort to cyber operations for territorial gain, the risks and impacts of cyber attacks on critical infrastructure, especially OT, become more substantial.
The Need for Collaboration and Innovation in Cyber Defense
The podcast emphasizes the importance of collaboration and innovation in cyber defense efforts. It highlights the significance of bridging the gap between technical expertise and policy-making to ensure effective cybersecurity strategies. Encouraging information sharing between the technical and policy communities and fostering dialogue through events like Hack the Capitol can lead to better understanding and cooperation. The focus on regulatory approaches and liability for software manufacturers indicates a shift towards holding accountable those with more power in the cybersecurity landscape. The podcast also recognizes the potential of artificial intelligence (AI) in both aiding defenders and assisting attackers, highlighting the need for continued research and development in the field.
I’m joined by Jason Healey, a Senior Research Scholar at Columbia University’s School for International and Public Affairs, for this episode of Hack the Plant. Jason is a pioneer of cyber threat intelligence, with experience spanning fifteen years across the public and private sectors.
Today, we discuss a recent article Jason published at Lawfare, looking at 25 years of White House cyber policies, from the Clinton to the Biden administrations. We explore how regulatory policy has become more sophisticated over time, and the evolving nature of threats.
“One of the biggest debates right now amongst the international affairs community – is cyber really dangerous? You’ve got some people that look at how cyber capabilities have been used over the past two decades, how it’s currently being used in Ukraine, and say, ‘it’s difficult to use this stuff, and frankly it’s not as dangerous as we think.’ I tend to be on the more pessimistic side … if you’re targeting things made of ones and zeros or things made of silicon, cyber can often not be that big a deal. But with smart grids, industrial control systems, and other things connected to the internet, it’s not just things made of ones and zeros and silicon. Cyber attacks can take down things made of concrete and steel.”
To what extent is cyber necessary as part of a defense strategy? How has our regulatory approach changed over 25 years? Join us to learn more.