Perspective: Closing a Critical Gap in Cybersecurity

Published 20 December 2019

Last year, following rising threats in cyberspace, Congress established the first U.S. civilian cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA), within the Department of Homeland Security. Christopher Krebs, CISA’s first director, writes in Lawfare that CISA serves as the nation’s risk adviser: the agency is responsible for working with partners throughout government and industry to improve America’s cybersecurity. One of CISA’s main responsibilities is protecting U.S. critical infrastructure by sharing information about network vulnerabilities which, if left unmitigated, leave those networks susceptible to attack, putting national security and economic prosperity at risk.

Krebs writes:

Unfortunately, too often we come across cybersecurity vulnerabilities sitting on the public internet and are unable to act because we cannot identify the owner of the vulnerable system. One key area of concern involves industrial control systems and other networks that operate the nation’s critical infrastructure. Among many examples, CISA is currently aware of a system that controls water pumps, one controlling an oil and natural gas facility, and one controlling emergency management equipment that can be accessed without a password and modified by anyone with an internet connection. Unless Congress acts, systems that support critical functions that everyday Americans rely upon could remain wide open to attack, but there’s little we can do to protect them.

For these vulnerable systems and countless others like them, CISA is unable to determine the identity of the owner or operator of the system and, therefore, cannot contact the entity to advise it of the vulnerability. Many of the vulnerable systems CISA finds are identified only by a numerical internet protocol (IP) address. The name and contact information are held by the organization’s internet service provider (ISP). Current law, however, prohibits ISPs from sharing the identity of their customers with the federal government without a legal mechanism requiring it. This leaves systems with known critical vulnerabilities exposed to potential abuse. Hearing directly from CISA will help owners and operators of vulnerable critical infrastructure better understand the risk and appropriately prioritize vulnerability mitigation.