Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


// // //
10:00 AM
Caleb Barlow
Caleb Barlow
Connect Directly
E-Mail vvv

The US Must Redefine Critical Infrastructure for the Digital Era

The template being used to manage essential connectivity isn't just outdated, it's actively counter-productive.

America's definition of infrastructure has remained largely unchanged since the New Deal, when the federal government updated roads, railways, and water supplies ahead of World War II. Back then, communications technologies were in their infant stage — radio broadcasting was the FCC's sole focus — but over the past 25 years, digital communications have evolved at a rapid pace and become the foundation of daily American life. Unfortunately, the pandemic revealed major weaknesses in our modern communications infrastructure, including issues the country must address before another disaster strikes.

Despite multiple revolutionary technological advances, the US government's understanding of critical infrastructure hasn't evolved past the 20th century, leaving many modern communications assets vulnerable to cybercriminals. The US currently defines 16 critical infrastructure sectors as integral to the economy, notably including "communications" and "information technology" as separate sectors, an approach steeped in an outdated understanding of today's digital infrastructure. In the former category, the US seeks to protect "terrestrial, satellite and wireless transmission systems," while the latter focuses generally on "the internet."

Related Content:

Critical Infrastructure Under Attack

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: The Makings of a Better Cybersecurity Hire

In the 21st century, and particularly during a time when national security is now continually threatened by foreign and domestic actors, cybersecurity demands a holistic rather than siloed understanding of digital communications. Today's threat actors rarely target satellite dishes, cable lines, or cell towers for devastating attacks; they also don't attempt to turn off the entire Internet. Instead, they lock down hospitals and water treatment facilities, force companies or cloud services offline, and ransom future product designs stolen from manufacturers' servers.

For instance, the FBI's alarming arrest of a Texas man for allegedly planning a mass bombing of Amazon Web Services (AWS) data centers. Though privately owned data centers might not be traditional "infrastructure," an AWS outage can take down huge chunks of the internet, resulting in multimillion-dollar losses in a world where e-commerce reigns supreme.

Now, think about the economic and political impacts of just one social media platform: Twitter. Last year, a teenager used vishing techniques to simultaneously co-opt high-profile Twitter accounts for a Bitcoin scam — a huge, brazen hack that could have had much worse consequences. Before that, a hacker used Associated Press's Twitter account to falsely claim that the White House had been attacked, causing the stock market to panic and plummet. Like AWS, Twitter doesn't fall under the traditional definition of "infrastructure," but between these sorts of attacks and Twitter's growing role in political communications, it certainly has outsized importance to the US economy.

Because our digital infrastructure isn't as easily visualized as the analog, physical infrastructure it's replacing, we still harbor an old-school mentality regarding the systems our economy relies upon. The pandemic made painfully clear that our economy now relies heavily upon a robust Internet; our digital infrastructure was the lifeblood enabling people to continue living some semblance of their prior lives, facilitating everything from continuing work and school to ordering food and securing toilet paper. Quarantine and social distancing worked largely because the Internet kept everyone connected to everything, even when we weren't using the physical roads, railways, and airports we historically relied on.

There's no better example of the changing face of digital infrastructure than Zoom. Overnight, one app became a household name, enabling virtual classrooms, conference rooms, and even happy-hour venues. Live, multiperson videoconferencing was quite literally the reason many adults kept their jobs, and most kids were able to attend school for the past year. Is videoconferencing technology critical infrastructure? Bad guys certainly think so, as evidenced by the Zoom breach where hackers stole 500,000 passwords early in the pandemic, and multiple Zoombombing attacks that caught the FBI's attention, disrupting everything from academic presentations to court cases. 

AWS, Twitter, and Zoom are only some examples of how critical digital infrastructure has evolved in recent years, well past prior governmental definitions of communications and information technology. Yes, hardware and software are still important, but cloud-based services and platforms are now the foundations of American life, and key targets for malicious actors of any size or agenda.

During and immediately after the Cold War, America worried so much about nuclear Armageddon and physical invasions that financial threats such as economic disruption and business ransoming took a back seat. In the digital age, however, we may have less to fear from adversarial nations than sophisticated cyber thieves. As a recent Verizon report noted, nation-state attacks account for only 10% of data breaches, while a whopping 86% of breaches were financially motivated.

Although the headlines focus on Russian, Iranian, and Chinese meddling in the digital space, they're distracting us from the real issue of hackers taking entire organizations offline and robbing them blind, then growing large enough to threaten critical communications channels. The hacker who succeeds in ransoming one hospital will likely next target a larger medical system's digital records, affecting untold numbers of patients before planning bigger future attacks.

It's time for a mind shift. Digital infrastructure needs to be understood holistically as encompassing more than just basic communications hardware and the broad Internet, with full government support for protecting cloud services and platforms that have become essential to American life. Beyond extending security funding and technology support to critically important organizations, lawmakers must zero in on hacker ties to organized crime and create stiffer punishments for those who have mounted attacks on digital infrastructure. 

The Internet is a public resource — our most critical infrastructure over the past year, and most likely the foundation of everything we will build together over the coming decades. Starting immediately, we must do everything we can to protect our digital infrastructure's increasingly diverse elements, as only a holistic understanding of modern communications will enable us to stay ahead of criminals who would disrupt them for profit.

Caleb Barlow is the President and Chief Executive Officer of CynergisTek, a healthcare-focused cybersecurity company that works with more than 1,000 healthcare organizations on data security, privacy, and compliance. Prior to joining CynergisTek, Caleb led the IBM ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file