Source: Jochen Tack via Alamy Stock Photo

COMMENTARY

The Francis Scott Key Bridge collapse in Baltimore, Md., in late March sent shockwaves through the country. Almost immediately, there was widespread speculation and conspiracy theories regarding its cause, including fears of a cyberattack. Although investigations ruled out deliberate sabotage, the incident raised public concern about the vulnerability of physical infrastructure. Some members of Congress even called for further investigation into the possibility of malicious code being involved.

The incident rightly drew attention to the potentially devastating impact of cyberattacks on US infrastructure and human safety. However, it also highlighted a broader issue: a general lack of awareness regarding the reality and scale of cyber-risks to critical infrastructure. Beyond this incident, whether it was the result of foul play or not, there is a ticking time bomb of risk to critical infrastructure that is very real and potentially imminent if not addressed. While this physical attack may have brought the possibility of cyberattacks to the public consciousness, there are many more threats that we cannot physically see lurking beneath the surface that are equally damaging. 

While physical incidents capture headlines and public attention, silent, invisible attacks on critical infrastructure remain poorly understood. The MITRE breach, for example, was not an attack that caused visible physical damage, but a breach through Ivanti zero-day vulnerabilities. Despite affecting 1,700 entities, it flew under the radar of most Americans. While the breach did not result in visible damage, it led to unauthorized access to sensitive data. This can undermine national security, compromise intelligence operations, and expose confidential information, leading to long-term repercussions just as significant as any physical system attack. 

The disconnect between public perception and cyber threats is real, and we cannot let fear paralyze us into inaction. Combating misinformation and raising awareness about cyber-risks facing critical infrastructure is crucial to enhancing our collective resilience against evolving cyber challenges. 

Public Perception vs. Reality

Theorizing can distort public understanding of cyber threats, undermine trust in legitimate news sources, and complicate efforts to educate the public and stakeholders about the fundamental nature of cyber threats and the necessary precautions to mitigate them. The public's reaction to the Francis Scott Key Bridge collapse demonstrates the collective anxiety about cyber threats to critical infrastructure. This fear was fueled by references to fictional scenarios like the Netflix movie Leave the World Behind, in which a cyberattack on the US disables power grids, the Internet, and telecommunications services, sending the country into an apocalyptic world. With parallels drawn with the recent collapse, this heightens public anxiety and shifts focus away from real-life cyber threats.

However, this is an opportunity for public reckoning, prompting a much-needed focus on improving critical infrastructure security. Physical attacks resulting in immediate and visible damage, such as property destruction or loss of life, will always catch the eyes of US citizens and evoke strong emotional responses. It's also clear that society tends to attribute physical events to deliberate human actions more readily than cyberattacks, which are commonly perceived as accidental or impartial. This bias can impact the severity and urgency of responding to cyber threats — one of our nation's greatest challenges today. 

As we approach the election season, this moment is a critical opportunity for voters to advocate for policies that enhance critical infrastructure security. By recognizing the connection between cyber and physical threats and understanding that cyber incidents can have real-world consequences, we can push for greater investment and action to protect our nation's infrastructure.

Educational Gap

According to a recent poll, 81% of Americans are worried about how secure our critical infrastructure is. It's promising that securing critical infrastructure is already top of mind for average citizens. However, this event revealed a need for more awareness surrounding what constitutes a cyber-risk to critical infrastructure. This lack of understanding can be attributed to several factors, including insufficient education and training and limited public discourse on the sophistication of cyber threats. 

To best address the educational gaps, all citizens, policymakers, and infrastructure operators must work together to better understand the state of our threat landscape. Luckily, the government is taking steps to improve education through initiatives like the Cybersecurity Education and Training Assistance Program (CETAP), enhancing the quality and accessibility of cybersecurity education at all levels. The Cybersecurity and Infrastructure Security Agency (CISA) also launched public awareness campaigns to inform citizens about best practices for cyber hygiene. While encouraging, additional steps need to be taken.

More policy changes prioritizing cybersecurity must be implemented across critical infrastructure industries. This is how we hold our nation accountable, increase education and attention, and keep our critical infrastructure secure. For instance, after the Colonial Pipeline attack, the Transportation Security Administration (TSA) released new regulations, prompting the oil and gas industry to take security much more seriously. Advocating for similar regulations in other critical infrastructure sectors, such as energy, transportation, and healthcare, is crucial for enhancing the cyber posture of these essential services, especially as we approach an election year.

Securing Our Tomorrow

The root solution lies in leading with a proactive versus reactive approach to cybersecurity. Proactive measures, such as implementing a zero-trust strategy, continuous monitoring, rotating credentials, and regular updates, can prevent incidents before they occur. In contrast, reactive measures often only address the damage after it has been done. By fostering a culture of cyber literacy and proactive risk mitigation, we can empower stakeholders at all levels to recognize and effectively respond to cyber threats before they escalate into catastrophic events or misinformation.

In a world where the lines between the physical and digital realms blur, widespread understanding of cyber threats to critical infrastructure is paramount. If we don't double down on it now, misinformation will continue exacerbating these national security threats by distorting public perception and undermining trust in reliable information sources. By bridging the gap between psychological perception and cyber reality, staying educated, and taking proactive steps, we can build the secure future we are all striving for.