
CISA (Acting) Chief Says Hacks Causing Disruptions are Inevitable

Nick Andersen, acting director of CISA, publicly admitted something all security pros know: we are NOT going to be able to stop sophisticated threats from China and other adversaries.

But what Mr. Andersen is saying is that the winners are going to be the organizations – public, private, critical infrastructure, whoever – that are able to “weather major disruptions”.

“We are going to see an adversarial disruption of our critical infrastructure,” Andersen said. “It’s going to have significant not just technical impact, it’s going to have a significant psychological impact on the safety of the American people. … We need to start operating like that’s the reality of where we’re at — that we’re not going to be able to keep everything persistently online and available as much as we would like.”

https://www.cybersecuritydive.com/news/cybersecurity-resilience-critical-infrastructure-cisa-nick-andersen/823166

This is different from what the president has been saying, which could mean that Mr. Andersen won’t be the CISA director for long. The president wants to stop adversaries. Mr. Andersen suggests that is not possible in the foreseeable future.

He said that we need to make some assumptions. There will be disruptions to services such as telecommunications, and probably power and water.

But fixing that is hard and expensive. I have three telecommunications providers, including terrestrial and space based. I am hoping that at least one of them will be operating at all times, but that is expensive.

He also admitted that water infrastructure security is a mess. From personal information I have, I know that is a fact. But most of us would like water to come out of our faucet when we turn the handle.

Since we know the Chinese are inside any number of our critical infrastructure providers, how do we protect ourselves?

CISA would like Congress to re-fund its outreach program, abandoned last year, which would allow it to help a few critical infrastructure entities. But no one is suggesting that CISA is going to help you.

That means that you need to design a resilience strategy that works for you. That is a tradeoff between availability, data integrity, cost and other factors. Can you tolerate a 4-hour outage? What about a day? What if solving that problem costs a thousand dollars? Or a million dollars? It is not simple. And it is a bit of a moving target.

What is true is that ignoring it, while that seems effective, means that your “strategy” is “hope”. Hope is not a great strategy.

If you need assistance, please contact us.

Credit: Cybersecurity Dive
