National Cyber Director Chris Inglis said he views the current cybersecurity threat landscape as an evolution that is increasingly impacting confidence in systems, rather than just focusing on critical functions or data.
Speaking on May 20 at an event organized by the Institute for Security and Technology, Inglis defined the first wave of attacks as one that targeted physical systems and data, followed by a second wave that targeted critical functions. A third wave is now impacting system confidence, he said.
“It’s not a new wave, but it’s a new manifestation or perhaps a new outcome associated with [the cyber community],” Inglis said during a keynote address. “It’s really not about the critical functions anymore alone; it’s about the confidence,” he said.
Inglis pointed to one of the biggest effects of the Colonial Pipeline ransomware attack in 2021 –confidence in the system was shaken, leading to a consumer run on gasoline in the days following.
Breaking down the Colonial Pipeline hack, Inglis said the attackers’ success on the IT front was followed by a failure of doctrine that then led to the public and private sectors failing to communicate roles in defending the supply chain properly. The end result, he said, was a failure in confidence in the supply chain of oil and gas on the East coast, leading to long lines at the pump.
“What happened at that point was perhaps surprising to everyone, not least of which the transgressors, which is it became an attack on confidence,” the NCD said.
“The American people dependent upon petroleum flowing through that pipeline went to the darkest possible corner in the room,” and “imagined that the petroleum would never again be available and therefore showed up on this in lines, exhausting what few stocks had already left the pipeline and showed up in the tanks.”
“And therefore, that attack on confidence was perhaps something that was even worse, even more pernicious than an attack on those first two levels,” he said.
He said that in order to defend against attacks on confidence – whether it’s confidence in pipeline operations or elections – it’s crucial to be able to defend data and systems, as well as critical functions.
“If we’re to defend ourselves against attacks on confidence … we have to defend the data and systems [and] we have to defend the functions, but we also have to make sure that we address where confidence comes from,” he said.
“Confidence doesn’t simply come from knocking down somebody else’s idea or blunting somebody else’s attack,” Inglis said. “It comes from actually having confidence that what you do is manifestly important enough, inspirational enough that you get up in the morning and think about that first and foremost. It’s the power of your idea, as opposed to knocking down somebody else’s.”
Inglis compared the current cybersecurity threat landscape to climate change in that it took years to get to this point, and will take a concerted effort to change the landscape.
“This isn’t a new phenomenon; it’s a little bit like climate change,” Inglis said. “It took a long time for us to get to this roiling moment in history. It won’t be something we turn around in a fortnight, maybe a month, but not a fortnight.”
“But in thinking about that, so often people despair, obsess about the threats and therefore get lost in what they will do to respond to the initiative that’s established by others,” he added. “And therefore, come to the conclusion that what we’re experiencing is perhaps fate.”
Adding that he doesn’t mean to be alarmist and does not believe that cyberattacks rise to the level where the use of force as retaliation is on the table, Inglis said that sort of obsessive despair about cybersecurity without choosing to act would, ironically, lead to a more bleak threat landscape.
“How we should think about this is it’s a choice,” Inglis said. “If we choose not to make the investments, … if we choose not to kind of undertake doctrinal changes, upskilling of people, bending technology to those two purposes, then we’ll continue to go down the road that we’ve been on. Which is that we will experience one horrific threat after another, in a way that I think is borderline existential,” the NCD said.