Trust and collaboration between the private and public sectors is more important than ever for guarding against cyberattacks on U.S. critical infrastructure, according to participants in Edison Electric Institute’s 2020 Virtual Leadership Summit.

Southern Co. CEO Tom Fanning, who participated in the government-sponsored Cyberspace Solarium Commission last year and moderated a panel Wednesday on its findings (See Solarium Team Urges Long-term Cybersecurity Focus.), observed that while the U.S. is “effectively at war in cyberspace,” mustering the necessary defense is challenging because the conflict is almost invisible to the average citizen.

“It’s almost like going to a beach and watching a submarine war,” Fanning said. “You really can’t see anything until something cataclysmic happens, and yet we know that the threat is ongoing and lethal.”

King: Cyberattacks Cheap, Low-risk

Also on the panel was Sen. Angus King (I-Maine), who served on the commission with Fanning. King predicted that cybersecurity is likely to remain a pressing issue because it represents a “cheap way to attack.” He speculated that Russia’s government could hire 800 hackers for the cost of one jet fighter.

Cyberattacks are cheap in an additional sense because foreign adversaries have not had to feel that “there’s some cost they’re going to have to bear if they attack us.” Another complicating factor is the asymmetric nature of the threat, with King echoing previous complaints by Fanning that utilities “don’t have the authority to go and punch North Korea on the nose.” (See NERC Planning Level 2 Supply Chain Alert.)

“This problem is not strictly a governmental problem; 85% of the cyber target space is in the private sector,” King said. “And so really, deepening the relationship between the federal government, which has some extraordinary capabilities, and the private sector is a huge opportunity and something that we really have to work on.”

King admitted that establishing the necessary trust between the public and private sectors will take consistent effort, particularly in the realm of information-sharing, where both sides have been historically reluctant to share information because of concerns for privacy on the part of industry and national security for the government. The senator insisted that this state of affairs has to change for the good of all.

“We’ve got to get over this [viewpoint] that the U.S. government … owns the information and doles it out reluctantly. I’m on a mission to make them think more broadly about who their customers are,” King said. “By the same token, [utilities] have to think of them as a resource [and] share the information that you have. … If Southern Co.’s getting attacked, and you tell [the government] that this is going on, they can then warn the other major utilities around the country.”

CISA Lauds Utilities for Collaboration

In a separate panel, Christopher Krebs — director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) — offered an upbeat assessment of the level of collaboration between public and private entities. Krebs held up his agency as a friendly middle ground where the intelligence community and utilities have come together to find a common purpose, leading each to redefine their roles in a manner that makes sense for a changing world.

“What we’ve been doing for the last couple of years [is] getting away from this almost monolithic approach to critical infrastructure, where you have a sector that’s defined by the companies,” Krebs said, referring to CISA’s National Critical Functions framework released in 2019. “Instead, we’re taking an approach where the critical infrastructure community is defined by the services and functions it provides.”

Krebs praised the electric industry in particular for setting a powerful example of public-private collaboration, citing the participation of utility CEOs — including Fanning — for their willingness to work with their peers and the federal government on solutions in both emergency situations and long-term planning. However, he warned that this is just the starting point, with “lesser-resourced organizations” in particular needing more help to ensure that the broader community is prepared for any threat.

“I really can’t think of a sector where we get this kind of CEO-level engagement and participation,” Krebs said. “Time is money, and to get this kind of CEO participation on operational activities, I can’t tell you that there’s another sector that engages at that level … [but] no organization, no sector is going to be able to stand on your own against a dedicated adversary with a nation-state capability. So we’ve all got to work together.”