| | November 20188CIOReviewIN MYPINIONOn September 20, 2018, President Trump signed the National Cyber Strategy of the United States. The Strategy has four pillars, the first of which is to protect the American people, the homeland and the American way of life. Securing critical infrastructure is a key component of that effort. That strategy recognizes that information and communications technology underlies every sector in America and calls for managing cyber security risks to increase the security and resilience of the nation's information and information systems. The May 2017 Presidential Policy Directive 21 sets forth 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. The National Cyber Strategy states that the government will use a risk-management approach to "mitigating vulnerabilities to raise the base level of Cybersecurity across critical infrastructure. We simultaneously use a consequence-driven approach to prioritize actions that reduce the potential that the most advanced adversaries could cause large-scale or long-duration disruptions to critical infrastructure." The Administration will prioritize risk-reduction activities across seven key areas: "national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation."Such a focus is fully justified in that selected facilities make attractive targets given that any attack would likely have huge impact with significant externalities. The National Cyber Strategy appropriately continues to rely on government-private sector cooperation and coordination and utilizes best industry practices developed in the global marketplace. Nevertheless, increased government attention to these sectors is also appropriate given they tend to be concentrated in fewer number of larger firms, nearly all of which have previously established relationships with the government, and are often currently regulated. Moreover, critical infrastructure sectors (and their industrial control systems) are today connected to public communication and internet infrastructures that while greatly improving efficiencies and effectiveness, also dramatically increase vulnerabilities. One important way in which the government proposes to increase protection is through greater deterrence: "We will also deter malicious cyber actors by imposing costs on them and their sponsors by leveraging a range of tools, including but not limited to prosecutions and economic sanctions, is part of a broader deterrence strategy." Thus on the same day that the President signed the Strategy, the Trump Administration also adopted a new classified Presidential directive authorizing "offensive cyber CRITICAL INFRASTRUCTURE CYBER PROTECTION:STRONGER DETERRENCE HELPS BUT ISOLATION AND MITIGATION ARE ESSENTIAL By Bruce J. Heiman, Partner - Public Policy and Law, K&L GatesBruce J. Heiman
< Page 7 | Page 9 >