This past winter, cold weather took down the Texas energy grid. Residents across the state had no electricity and no heat sources as temperatures plummeted. Everything that could fail did fail at a time when demand was at its highest. The energy grid was not able to survive extreme weather, and the losses were catastrophic.
What happened in Texas may be our best example at what a full-throttle cyberattack against critical infrastructure would look like if businesses and government don’t improve their approach to cybersecurity.
On the positive side, it appears that the Biden administration has made cybersecurity a priority for the nation’s critical infrastructure. The United States has taken significant steps to better defend against nation-state backed attackers. But just as foreign governments fund and enable their offensive teams, the U.S. federal government should help fund and coordinate the efforts of the security industry to better defend American companies, universities, and other organizations.
As we all know, startups are typically at the center of innovation. Today, there is little to no coordination with any government program or entity to help enhance a startup’s chance for success – it is a fairly Wild West environment.
This lack of coordination is not just between young companies and the federal government. It also exists between startups and the more established security players. This creates a situation where the typical CISO must defend against well-financed, well-trained, and motivated attackers, leveraging a perceived best-of-breed patchwork of security products to defend their organization. But how does that CISO know if their security architecture choices are really optimized?
Steps forward in cybersecurity
It is a given that today, most security defenses are anything but optimized. In the first half of 2021, cyberattacks on industrial control systems (ICS) increased by 41% over the previous six months, according to research from Claroty. The cyberattacks on Colonial Pipeline, JBS Foods, and the Oldsmar, Fla., water treatment facility showed the fragility of critical infrastructure and manufacturing environments that are exposed to the internet.
These are the types of attacks the White House is trying to prevent. To protect our critical infrastructure, President Biden signed a national security directive addressing the ransomware attacks that have already impacted energy and food supply chains. The directive is voluntary (it would require legislation through Congress to be mandatory), but the goal is to have the companies responsible for keeping the critical infrastructure work toward the State goals to improve security from ransomware.
The Biden administration is also working with NIST (National Institute of Standards and Technology) to develop a new framework aimed at the security of the technical supply chain. And this past May, an Executive Order was signed to improve cybersecurity and protect federal government networks. Federal agencies are now required to use a zero-trust approach and institute improved incident reporting plans. President Biden continues to talk to Big Tech companies, holding cybersecurity summits to discuss threats facing organizations and to strategize on ways public and private entities can work together.
This is all positive movement toward addressing a growing national security problem. But more could certainly be done to better coordinate the defenses required to protect our country.
I am not suggesting that we regulate the security market, as the FDA does with the pharma industry – an industry that has often been considered a good analogy to the cybersecurity world. But to ensure the U.S. is on the front lines, government encouragement, coordination, and funding of the startup community must be a part of the battle plan.
Why investment in cybersecurity startups must stay strong
The recent cybersecurity summit that President Biden hosted included the usual suspects, Amazon and Alphabet/Google, and other large corporations like JP Morgan. The little guys weren’t ignored, with two venture-backed cybersecurity companies included in the conversation. But if the government is serious about tackling cybersecurity, then their focus should be on talking with and investing in the startup community and the entrepreneurs who are developing frontier technology to cope with what is yet to come.
The need to do this is twofold. First, without restraint, the Big Five tech companies will continue to get bigger and more powerful. Cybersecurity is a default setting for these guys, something they have to offer as their customers become more aware of the risks of a data breach and want to know tech companies are doing something – anything – to protect their personal information. Instead, their focus is developing tech products aimed at getting users to share more data and coming up with ways to monetize those products. As these companies get larger, cybersecurity could stagnate.
This leads to the second reason why there should be engagement with the entrepreneurial ecosystem. Innovation is born in startups. These small companies in their earliest stages begin with an idea, with a problem they want to solve. They can focus on those problems because they don’t have large numbers of customers to satisfy. Cybersecurity startups are agile and can shift to address emerging threats quicker.
And often, these venture-backed startups become some of the most respected and biggest names in the cybersecurity industry. The best recent example of that over the past decade is CrowdStrike, but it is hardly the only success in the market. Cybersecurity venture capital is seeing record numbers in funding this year as the concern surrounding ransomware and other cyberattacks rises.
Unfortunately, instead of encouraging more of these innovative investments needed to protect the country, Congress is potentially creating a disincentive to embracing the risks of launching and funding more startups with its proposed changes to tax policy and small business incentives.
The White House would be wise to take advantage of what cybersecurity startups have to offer to defend against attacks on our most critical infrastructure. CISOs should also pay attention to emerging cybersecurity companies that are raising or have raised venture backing. These are the companies that aren’t looking only at existing cyber threats; they are looking at the future, at what cyber threats will evolve into, and how to develop innovative ways to protect from the attacks of the future. These are the companies looking at ways to focus security on data in ways to keep it from being impacted by a ransomware attack, and they will be the companies that have the solution ready to go for whatever attacks cybercriminals come up with next.
Even with a better-coordinated industry, including positive government involvement, the market will require a new generation of startups to create innovative technologies that have a holistic view of an organization’s increasingly complicated security stack. Fortunately, some of these companies are already underway, creating AI-based solutions to better manage and integrate the hodge-podge of other third-party solutions. But the industry is still in need of more of these innovative companies to be spawned to provide an optimized level of defense.