The same themes resonate when discussing the cybersecurity of critical infrastructure. Officially, critical infrastructure can be any of 16 sectors ranging from the expected, such as nuclear and chemical, to the perhaps more unexpected, such as agriculture and rail car manufacture. But the proper functioning of these sectors doesn’t stop at just the companies involved—there are many critical functions that require the support of a wide range of stakeholders, from software companies to internet and web-hosting service providers to regulators.2 The success of security strategies such as defense in depth or layered defense depends on all of these stakeholders working toward a common goal. But importantly, each of these stakeholders has a different set of incentives pushing and pulling on their behavior. Even adversaries are incentivized by different trends to increase or decrease their attacks. The challenge is that in such a complex environment as critical infrastructure, the incentives of one player may combine with the incentives of other players in unexpected ways, often leading to actions that look individually rational but have irrational effects at the industry level.
Securing critical infrastructure from cyberattacks takes more than defending critical infrastructure assets; it requires an understanding of the incentives of all those stakeholders and then shaping them. If we can harness the positive incentives toward collaboration and social connection, then, just like the children in the experiment, we can enjoy the reward—perhaps not a marshmallow, but more resilient critical infrastructure that is available when citizens need it most.
Threats to critical infrastructure are outpacing protections
Attacks targeting critical infrastructure are nothing new. From cutting off the water supply to a besieged city to the Allied strategic bombing campaign in World War II, adversaries have always sought to use critical infrastructure as leverage against opponents. However, the need to physically attack infrastructure typically limited these attacks to wartime. Today, trends in digital technology and international relations have come together to make the threat to critical infrastructure not only more common but also potentially more dangerous.
Threats to critical infrastructure are increasing
Tech trends driving increasing vulnerability. The increasing computing power and falling size and cost of processors, memory, and batteries mean that the physical and digital worlds are blending. Objects that had been purely physical, such as pumps and valves, may now have digital sensors or controls. Those digital devices at the edge (sensors, controllers, Internet of Things) are then often linked to the core IT networks (data storage, enterprise software) that may themselves be connected to the wider internet. This convergence of information and operational technology (IT and OT) can make every valve, switch, and pump in a critical infrastructure operation a computer potentially accessible to the internet, vastly increasing the challenge of securing them.
While these physical-digital devices help boost efficiency, they can also make security more difficult in two ways. First, they have led to a proliferation of devices that must be protected. With an estimated 46 billion connected devices in 2021, a number that doubles roughly every three years, it is not much of an exaggeration to say that the attack surface that must be defended is effectively unbounded.3 While only a small percentage of those endpoints may belong to critical infrastructure, the trend of a growing attack surface affects the cybersecurity of critical infrastructure. Not only does it increase the technical challenge of trying to secure all of those endpoints, but it also increases the human and organizational problem of having to collaborate with even more manufacturers, vendors, and contractors to maintain the security of all those systems. This translates into a significant increase in the risk faced by critical infrastructure, given that about 85% of all data breaches result from human error.4
Second, the convergence of physical and digital worlds makes the consequences of attacks harder to predict and, potentially, more damaging. While the security of information technology and the security of operational technology differ, increased connectivity is driving their security considerations together. In a world where digital systems can control physical outcomes, digital attacks can have catastrophic consequences in the physical world as well. The first recorded cyber-physical attack against critical infrastructure saw a disgruntled former employee use radios to send faulty commands to industrial control systems at a wastewater plant, resulting in the release of 800,000 liters of sewage into a local community.5 Even more concerning is that the interconnections of modern commerce and the difficulty of attributing cyberattacks blur the line between what is simply one company’s problem and what is a national security crisis. For example, a criminal gang knocking a school district’s network offline may be a matter for law enforcement, but a nation-state cyberattack causing physical damage to a steel plant could be seen as a clear act of war.6
Economic and international trends encourage actors to act on those vulnerabilities. More than just technology is driving the increase in cyberattacks. Rising geopolitical tensions, difficulty in attribution, and the increasing balkanization of technology ecosystems encourage nation-states to see cyberattacks as an effective tool below the threshold of armed conflict.7 International tensions give nation-states the motivation to attack, while balkanized tech ecosystems allow them to attack with greater assurance of avoiding the consequences of either adversary responses or unintentional blowback on their own systems. These drivers have played a role in the significant increase in nation-state–sponsored attacks in recent years, an increase that some researchers have measured at up to 100% over the past three years.8
But nation-states are not the only threats. The critical nature of this infrastructure also makes it a lucrative target for cybercriminals, who see owners as more likely to pay a ransom to avoid disruption.9 Not only has the potential payoff of an attack risen, but the means of attack are also becoming more available. The emergence of malware-as-a-service, along with the escrow and dispute-resolution services that facilitate deals on the dark web, has effectively lowered the barrier to entry into cybercrime. Attackers no longer need to be skilled hackers; they just need access to criminal marketplaces and a few dollars to buy ready-made malware from the thriving businesses that sell it as a service.
Defensive efforts to date have largely been ineffective
While technology and international trends may be driving an increase in cyberattacks against critical infrastructure, the threat itself is not new. The federal government has been working on the problem since 1996, when Executive Order 13010 defined “critical infrastructure” for the first time and established the President’s Commission on Critical Infrastructure Protection to study how to protect it. Successive executive orders and policy directives further refined the structure and responsibilities for protecting critical infrastructure.
However, even with that early focus on both critical infrastructure and cyberthreats specifically, the number and severity of attacks have increased.10 The question then is “why?” Why haven’t we been able to protect the national critical infrastructure, despite the resources and talent at our disposal? National cyber director Chris Inglis sees this as a problem of how we all work together. “We don’t actually defend these systems as a collaborative endeavor such that they have to beat all of us to beat one of us … It’s not to say we don’t have some very talented people and we don’t have some really great technology, but we’re not really joined up to solve this problem in a way that’s required.”11
In critical infrastructure sectors, the idea of working together is not new, and the concept of “collective defense” is well-known in cyber circles. So, what is standing in the way of progress toward that vision of defending collaboratively? The very incentives that push and pull the different players involved.
A tangle of incentives may be the problem
If the cybersecurity of critical infrastructure is a known and important problem and yet progress toward greater security has been slow, it implies that there are other pressures on people’s decision-making. In other words, there are incentives tugging many stakeholders, including owners of critical infrastructure, away from actions that support security.12
There are clear incentives for individual stakeholders to act in ways that may not support the long-term security of critical infrastructure. Take attackers, for example. The sheer amount of money that can be made from ransomware attacks alone provides a strong incentive for criminals of every stripe. In fact, our research into ransomware has found a clear correlation between the size of ransom demands and the volume of attacks: the more money to be made, the more attacks.
Despite the fear of being the target of such attacks, critical infrastructure owners may see little incentive to improve security beyond the bare minimum. Profit motives and thin margins in many of these industries often mean there is little money left for costly investments in cybersecurity. And when incidents do happen, incentives to protect the brand or minimize liability can lead owners or operators of critical infrastructure to be reluctant to share information about vulnerabilities and incidents, further increasing the risk to other owners and operators. Nor are infrastructure owners the only group whose incentives can lead to more insecure behavior. Incentives to be first to market and to keep costs low can lead manufacturers in some tech sectors, such as Internet of Things and embedded systems, to ship insecure products.13
Incentives driving individual stakeholders may make their choices difficult, but these incentives are known and can be managed. The real challenge is the swirl of incentives when all stakeholders begin to interact. Incentives can add up in odd ways. An individual actor making a rational choice based on its own incentives can unwittingly impose higher costs on itself because of the incentives of other players. This is the generalized form of the tragedy of the commons: it was rational for each individual herder to graze their sheep on common land as much as possible, but the sum of those incentives was an outcome no one wanted, the destruction of the common land.
The exact same phenomenon can occur in cybersecurity. The national cyber director, Chris Inglis, describes it as “proactive ambivalence.” The confusing nature of the cyber ecosystem can mean that even in the face of massive, disruptive cyberattacks, individual stakeholders can have little incentive to change. “We’re generally aware as a society that something is amiss,” says Inglis. “You can’t miss this. You can’t stand there and watch the news reports and believe that nothing is amiss. Where the proactive ambivalence comes in is, we all believe it’s somebody else’s problem.”14
While the traditional solution to such tragedies of the commons is government regulation, that can be difficult in an ecosystem with as many players as cybersecurity has. Instead, government may be able to shape the incentives of stakeholders to indirectly encourage them to take appropriate actions. Just as Section 401(k) of the tax code encourages personal retirement savings, government can help jump-start new action on cybersecurity. But shaping incentives first requires a clear understanding of how the actions of all stakeholders influence one another. Using the analytical tool of causal loop diagrams (see the sidebar, “Using causal loop diagrams to tease apart complex problems”), we have created a simplified picture of those interactions. With that picture, we can begin to identify where incentives are adding up in unintended ways, and even where changes can begin to reshape those incentives to help improve cybersecurity.