Professor Charles Harry, an Associate Research Professor at the University of Maryland’s School of Public Policy and the Director of the Center for Governance of Technology and Systems (GoTech), recently presented his research on air infrastructure cybersecurity to the National Risk Management Center (NRMC), a division of the federal Cybersecurity & Infrastructure Security Agency (CISA).
The NRMC is the organ within CISA that works with critical infrastructure sectors to shore up security and resiliency against cyber threats. That includes working at multiple levels of government to protect the roughly 85 percent of critical infrastructure in the United States that is owned by the private sector. This mission dovetails with GoTech's work on critical infrastructure technologies, in particular Harry and co-author Skanda Vivek's research on cyber effects on the U.S. air transportation sector and cyber targeting on road transportation networks.
“GoTech’s work in strategic cybersecurity is primarily focused on delivering practical tools supported by rigorous research to enable better decision making for policy makers," said Harry. "By collaborating with organizations like CISA, we can both learn about the central challenges facing the nation’s critical infrastructure while also contributing to the approaches taken by the federal government to help manage risk."
In his talk, Harry discussed the Cyberspace Solarium Commission report, a key-document for understanding the United States’ current cybersecurity posture. In an executive summary, the Solarium Commission’s co-chairmen, Senator Angus King (I-Maine), and Representative Mike Gallagher (R-Wisconsin), described the Solarium strategy as a system of “layered deterrence,” designed to make the United States “into a hard target, a good ally, and a bad enemy” in cyberspace.
The three “layers” referenced by the Solarium Commission are “Shape Behavior” (training ourselves and our partners to use smarter, more sophisticated cybersecurity practices), “Deny Benefits” (increasing resiliency to make attacks less effective and worthwhile for threat actors), and “Impose Costs” (going after adversary operations and countering them in ways consistent with international laws). Harry's talk focused mostly on the second layer, denying benefits, which requires the creation of risk management plans upon which resilience strategies can be based.
For the talk, Harry leveraged his work with Nancy Gallagher, Director of the Center for International and Security Studies at Maryland (CISSM), from a co-authored paper titled “Classifying Cyber Events,” which outlines a taxonomic system for understanding the effects of cyber events. The system classifies attacks based on “primary” effects (those that can be measured in terms of direct impacts on IT systems), “secondary” effects (those that include impact on revenue, remediation costs, and brand), and, finally, “second-order” effects (which can range from physical damage to to reputational damage and impact on the broader economy.)
Professor Harry went on to describe potential primary, secondary and second order effects of attacks on the air transportation system. For instance, sophisticated threat actors can cause quantitatively higher levels of cascading failure attacking an airline than they can by attacking an airport. Reservation systems, flight planning systems, and refueling infrastructure are all potential attack surfaces, according to Harry.
“National level cyber impacts to air infrastructure are largely driven by third-party vendors that can serve to ‘ground’ large numbers of aircraft,” Professor Harry said in the wrap-up portion of the talk. “Prioritization of defensive investments must account for attacks on airport, airline and vendor systems.”