Around the world, people’s everyday lives depend on the critical infrastructure that supplies us with food, water, financial services, communications and power. As October’s National Cyber Security Awareness Month highlighted, a disruption to these systems can have huge consequences for society.
For example, last year’s WannaCry attack affected more than 10,000 organizations in 150 countries, and crippled the UK’s National Health Service. It also affected industrial organizations like Spanish Telefónica and Deutsche Bahn. Without careful planning, protection and resource, such an attack is likely to happen again and have even darker consequences.
In the UK and US, roughly 80-85% of critical national infrastructure is owned by the private sector, a figure that is similar in major countries all over the world. With cyber-attacks on the rise and growing increasingly sophisticated in nature, it is imperative that the public and private sectors not only work together, but collaborate flexibly and cohesively in order to be as prepared as possible to deal with cyber-attacks.
The financial industry is particularly vulnerable to strategic cyber-attacks due to the potentially lucrative result for hackers. In the first half of 2018, financial cyber-attacks had a 1 in 3 success rate in the UK alone, totaling nearly £503 million in losses. Last year Equifax, one of the largest consumer credit reporting agencies in the US, suffered a massive security breach which impacted as many as 143 million customers – this meant that 44% of the American population were at risk of having their credit card details stolen.
The security of the financial industry for any country is vital, but perhaps even more so for prominent world powers, and cyber-attacks on major world banks could have disastrous repercussions both domestically and internationally. With the ability to cripple both everyday citizens and national economies, cyber-attacks must be approached in unison by the public and private sectors.
A common area of disparity between the two sectors is the sharing of information and intelligence. The private sector lacks the authority and resources to analyze foreign cyber threats and mass-monitor potential attacks, while the public sector often lacks deep industry-specific expertise and an understanding of the specific systems at risk of attack. Without reliable information from both sectors, it is impossible to gain an accurate picture of what potential threats might look like.
In order for the two sectors to achieve this, there must be legislated systems and processes put in place that intrinsically link the public and private sectors. This could take the form of intelligence collaborations across classification lines including real-time data sharing and, most importantly, working together to develop plans that define what resources are needed to combat potential threats and the specific roles and responsibilities within each sector should an attack take place.
In 2016 the EU passed the first piece of Europe-wide cybersecurity legislation with the Network and Information Security Directive. The NIS Directive requires operators of essential services to establish a high level of security for critical infrastructure, and to report serious incidents to their designated national authority. However, like many global legislative requirements, there is a focus on information sharing instead of physical and technical incident response. Both the government and private sector must be proactive in preventing cyber-attacks before they occur, rather than focusing on the aftermath.
It is clear that in order to safeguard national critical infrastructure, the public and private sectors must deepen their connectivity and intelligence sharing. Even more importantly, they must take an active role in combating cyber-attacks before they strike, and be ready to work in unison when they do.