Strengthening America’s Resilience Against the PRC Cyber Threats | CISA

I'll recite what Mark Montgomery said today during the FDD meeting with Jen Easterly: "How do we prevent from being the Titanic".

To all of my colleagues working across critical infrastructure: "Do you really want to end up like this guy?"

Also, keep in mind that critical infrastructure operations are highly interdependent, so it's imperative that all critical infrastructure operators recognize that they are also impacted when a dependent entity is impacted. Harmonization of cybersecurity baseline practices will be essential to securing all critical infrastructure operations. Collaboration among industry operators is key to success.

"A threat to one is a threat to many", Jen Easterly 2025-01-5, FDD meeting.

Touché, Madam Director, well said.

Indeed, the PRC is largely taking advantage of known product defects. The truth is that the technology base upon which our critical infrastructure depends is inherently insecure, because of decades of misaligned incentives that prioritized features and speed to market over security. That must stop. Technology companies must help ensure the PRC and other adversary threat actors cannot exploit defects in technology products to target our critical infrastructure. These weaknesses—and the resulting risks to our national security—can only be addressed at scale by companies building and selling products that are secure by design. 

  • Every critical infrastructure organization should double down on their commitment to resilience. CEOs, Boards, and every business leader must recognize that they own cyber risk as a business risk and a matter of good governance. They must expect disruption, continually testing the continuity of critical systems and functions to ensure they can operate through disruption and recover rapidly from an attack. 
  • Finally, every technology manufacturer and software producer should design, build, test, and deploy their products using the practices outlined in our joint Secure by Design guidance. We must drive toward a future where technology products are safe by design and defective products are not present in critical infrastructure systems. 

These concerns and issues have been known for a long time, and still there has been very little in the way of implementation to stop these cyber-attacks: "foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services, which store and communicate vast amounts of sensitive information, facilitate the digital economy, and support critical infrastructure and vital emergency services, in order to commit malicious cyber-enabled actions, including economic and industrial espionage against the United States and its people." -

Donald Trump

Executive Order 13873 of May 15, 2019
Securing the Information and Communications Technology and Services Supply Chain