Cyber Security Derailed? Recommendations for Smarter Investments in Infrastructure


A state-owned Chinese company receives a contract to build and maintain the next generation of railcars that service Metro stations at the Pentagon, near the White House and Capitol Hill, and throughout the Washington, D.C., metro area. What could possibly go wrong?

Possibly nothing, but maybe something. Commuter trains have come a long way from the unconnected transit assets that moved through and between cities independently. Modern rail cars are nodes in complex transit communications networks, extensions of a transit authority’s information and operational technology infrastructures, and even WiFi hotspots. Procurement announcements for the next generation of cars, like the one recently issued by D.C.’s Washington Metropolitan Area Transit Authority (WMATA), illustrate the complex, connected technologies that underpin promised improvements in automation, safety, and commuter experience.

Next-generation infrastructure projects will increasingly rely on smart sensors, sophisticated processing, and complex networks. These smart, connected technologies promise greater safety, reliability, and efficiency, if deployed properly. But they also present new and potentially serious cyber security risks. Connected infrastructure presents potentially target-rich environments for malicious cyber actors. For example, a bad actor could use malicious code to lock down and disable a critical system, and then demand payment as ransom for unlocking it — a common attack known as ransomware. A terrorist group might hack infrastructure to cause accidents and sow fear. Countries such as China, Iran, North Korea, or Russia might seek to use smart, connected infrastructure as a platform for espionage or even as the target for destructive cyber attacks against America.

These risks have two related dimensions. As we become more reliant on smart, connected technologies to reliably deliver safe services, we also create more pressure points for malicious cyber actors to threaten American lives and property. Meanwhile, the supply chains for sourcing and maintaining infrastructure assets are increasingly global and complex, which gives adversaries additional opportunities to corrupt or sabotage infrastructure by inserting malicious code at various points in the supply chain.

The starting point for addressing both dimensions of risk is for owners and operators of infrastructure to manage cybersecurity risk as carefully as they manage more traditional risks such as safety. This means crafting a comprehensive, enterprise-wide plan for managing cybersecurity risks, including supply chain risks; investing resources in implementing it; and holding managers and executives accountable for their performance. There is even a popular tool available that organizations can use to perform these functions, the Cybersecurity Framework (CSF), developed by the National Institute of Standards and Technology (NIST) and its partners in industry and civil society. According to Gartner, 30 percent of U.S. businesses, infrastructure owners and operators, and other organizations already use the CSF to manage cyber risk, with 50 percent projected to use it by 2020.

Unfortunately, adoption of these practices by infrastructure owners and operators is mixed at best — despite the fact that the CSF was originally designed with them in mind. As the Senior Director for Cyber Policy on the National Security Council in both the Obama and the Trump White House, I had a bird’s eye view of the threat landscape, and the view was not pretty. Some sectors, most notably financial services, are more dialed in than others, because the costs of cyber incidents are relatively clear to managers and investors — banks, for example, have an easier time putting a dollar figure on losses from cyber incidents since these often involve stolen money, which helps them calibrate security investments against losses. They also have the resources to invest in risk mitigation. There are pockets of competence in other sectors as well.

Outside of those areas, preparedness drops off pretty rapidly. WMATA’s cybersecurity woes are a case in point. This past summer, the transit authority’s inspector general concluded a classified investigation that reportedly documents significant shortcomings in WMATA’s enterprise-level cybersecurity posture.

Red flags also appear in a Request for Proposals (RFP) that WMATA issued in September. The RFP seeks a supplier to design, build, deliver, and maintain up to 800 next-generation railcars. Whoever supplies the railcars for WMATA will not be merely a node in the agency’s supply chain, but will become an essential partner in sustaining the day-to-day safe operation of Metro trains, with routine access to infrastructure responsible for moving thousands of people around the nation’s capital every day. As explained in the NIST CSF, which was updated earlier this year in part to address supply chain issues, an organization’s enterprise-level approach to cybersecurity ought to inform how it evaluates supply chain risk and procurement decisions. For WMATA to manage cyber security risk across its entire enterprise, it must account for the risk that such a vital supplier could introduce to the reliability and availability of Metro.

Yet the RFP does not convey a strategic focus on managing the cyber risks associated with hundreds of smart, connected railcars racing around the D.C. metro area. Maybe Metro will find a way, but in general, procurement decisions are supposed to reflect the evaluation criteria presented in RFPs and their supporting documentation. Otherwise, the decision is vulnerable to legal challenges, inspector general investigations, and oversight inquiries from elected officials. If cyber security is not presented as a criterion for evaluation, it is unlikely to be a meaningful factor in the procurement decision. CRRC, the state-owned and heavily subsidized passenger rail provider from China, is winning contracts across the country as it undercuts competitors on price. If it were to submit a bid, how would Metro identify and weigh the cybersecurity risks? It is not at all obvious from the RFP how Metro would go about this, for CRRC or any other vendor for that matter.

If this is a problem for a vital piece of infrastructure in our nation’s capital, imagine what the situation must be like around the country.

And these risks are not hypothetical. Earlier this month, the Department of Justice indicted seven Russian military officers for, among other crimes, attempting to hack into the American nuclear energy company Westinghouse, presumably to gain a foothold for espionage and possibly for launching attacks later. And adversaries’ efforts to penetrate U.S. electric utility infrastructure, where increased use of “networks and communication protocols … pose vulnerabilities that will continue to provide attack vectors that threat actors will seek to exploit for the foreseeable future,” are well-documented. These attack vectors expose grid operations to disruptive attacks that could knock out power.

For decades, vital infrastructure investments in the United States have been stalled, but there are promising signs of movement. Boston, Chicago, Los Angeles, and Philadelphia have major projects underway to modernize their commuter rail infrastructure, with New Jersey, New York, and the Washington, D.C. metro area set to join them in the coming years. The Rhode Island Public Utility Commission recently approved a grid modernization plan, with California, New York, and other states pursuing grid updates as well. There continues to be an undercurrent of bipartisan support for ambitious federal infrastructure investment plans, and the leading engineering society has warned that the U.S. economy risks losing nearly 2.5 million jobs and $7 trillion in lost business by 2025, if action isn’t taken before then to close a nearly $1.5 trillion investment gap. Major infrastructure investments are coming, maybe even as soon as the upcoming session of Congress.

I have little confidence that infrastructure investments will consistently be made with cyber security in mind, unless infrastructure owners and operators are incentivized to do so. Fortunately, the federal government has tools at its disposal for driving change. The federal government already provides one-quarter of the roughly $400 billion spent on infrastructure each year in the United States, and also furnishes considerable indirect support through taxes and other measures. A powerful, and as yet untapped, incentive would be to condition the availability of federal support for infrastructure projects on the recipient adopting the NIST framework and providing periodic reports on risk to the Department of Homeland Security and/or its federal regulator, if it is subject to one. The Trump administration could reinforce this message by insisting on this approach to federal support for infrastructure projects in its budget requests for FY2020 and beyond.

These federal measures would go a long way towards encouraging infrastructure owners and operators to approach cyber risk management with the same degree of seriousness typically accorded to safety and reliability. These measures would also help prevent federal taxpayer dollars from being spent on projects with heightened cybersecurity risks.

But federal action won’t be enough. Some infrastructure projects are structured to avoid the strings that often come attached to federal dollars. The WMATA next-generation railcar procurement is a case in point: It will not receive any federal funding. State and local lawmakers should therefore also enact laws requiring that infrastructure owners and operators subject to their jurisdiction adopt the NIST CSF, including for procurement decisions.

The Internet and much of the hardware and applications in use today were not originally designed and deployed with security in mind. This lack of foresight is a major reason that the cyber threat environment is so hostile, and why the United States continues to grope for cost-effective solutions to its cyber challenges.

Let’s not make the same mistake again as the country moves to digitize its infrastructure. The choice boils down to this: Invest in security now, knowing that it will add some margin of cost to an infrastructure project but result in better security from day one. Or, defer investment, but inevitably pay dearly later in the form of security improvements bootstrapped on at substantial expense and possibly even in lives and treasure lost as a result of a cyber incident. The choice is obvious.


Andrew Grotto is a William J. Perry International Security Fellow at the Center for International Security and Cooperation and a Research Fellow at the Hoover Institution, both at Stanford University. He is also a fellow of the Stanford Cyber Initiative. He previously served as Senior Director for Cybersecurity Policy on the National Security Council at the White House in both the Obama and Trump Administrations.

Image: Ben Schumin, CC BY-SA 2.0, via Wikimedia Commons