By: Aaron X. Sobel, YLS ’23

On February 8th, 2021, a hacker attempted to poison a Florida city’s water supply. Luckily, an operator was present at the time of the hack, witnessed the water’s sodium hydroxide level multiply a hundred times, and manually reduced it back to normal. But had the operator been less vigilant, the consequences for the city of Oldsmar could have been catastrophic.

Cyber-attacks on our critical infrastructure are not going away: 56 percent of utility companies in the U.S. reported at least one shutdown in 2019, with 25 percent targeted by “mega attacks” – which are “frequently aided with expertise developed by nation-state actors.” Thwarting such attacks is crucial to maintaining our national security. But to accomplish that, the federal government needs a strategy for bolstering state and local cyber capabilities.

Cyber-federalism is an underappreciated area of the national cyber conversation, but embracing it is crucial to preventing a catastrophic breach. The federal government has greater cyber sophistication than most states, so federal agencies – particularly the Cybersecurity and Infrastructure Security Agency (CISA) – are the point-people for dealing with most critical infrastructure cyber-attacks. Yet a vast majority of critical industries are regulated or managed by local governments. Municipalities, for example, own over 80 percent of U.S. water systems. They are thus charged with the day-to-day administration of the water supply. But according to CISA, state and local governments lack the requisite cyber-intelligence capacity to detect major threats to critical infrastructure, and they lack the funding to develop comprehensive responses to cyber-attacks. This invites a vital question: what can the federal government do to address a national threat that targets state and local governments?

The Federal Response so Far

The federal government has resolved to improve coordination mechanisms with private actors. Dr. Arthur House, Connecticut’s seasoned former cybersecurity czar, explained in an interview that when a breach is discovered, the federal government pulls in members of the affected infrastructure company, issues a one-day clearance, and notifies them of the breach.

Through a 1998 presidential directive, the government also established various Information Sharing and Analysis Centers (ISACs) to facilitate information-sharing between private operators of critical infrastructure, and to promote cooperation between the private and public sectors. ISACs are organized by industry (e.g., energy, automotive, aviation), and companies must pay a membership fee to join any particular ISAC. Additionally, the federal government has offered cyber-defense guides for the private sector.

Federal initiatives, then, have been focused on private sector coordination. But combating cyber-attacks on critical infrastructure necessitates a more robust, self-sufficient cyber-defense at the subnational level.

Supporting Local Cyber Capacity

In the wake of 9/11, the federal government established a national strategy on working with states to combat terrorism because counterterrorism was often outside their ordinary capacities. Now, we need a national strategy on cooperating with subnational government to shore up critical infrastructure cyber-defense.

First, the federal government can support subnational efforts to create comprehensive cybersecurity commands. In 2018, California founded the Cybersecurity Integration Center. New York City created an integrated Cyber-Command. Ohio, West Virginia, and Kansas have similarly established cybercommands by statute. The federal government can expand such efforts by incentivizing and standardizing the creation of new local cybercommands.

The federal government can establish roadmaps for the creation of cybersecurity commands, rather than letting vendors lead the way. According to the head of New York City’s Cyber Command, Geoffrey Brown, cultivating a uniform approach to vulnerabilities is crucial to “streamlining and accelerating” cyber-defense of critical infrastructure. Having vendors lead the way means different cities would have different cyber-defense mechanisms. Lessons learned from cybersecurity practice in Los Angeles would not necessarily translate neatly to New York systems.

To incentivize the creation of cybersecurity commands and to cultivate a uniform approach to vulnerabilities, the federal government could make funding available for cities and localities that follow the federal roadmap, so long as they meet minimum federal standards. Doing so would facilitate more effective sharing of best practices and lessons learned across localities on cyber-defense techniques (since the federal government can only offer so much help if different municipalities have different vulnerabilities). Consequently, said Mr. Brown in an interview, the dynamic zero-trust architecture implemented by New York City’s Cyber Command for its own technical environment could be expanded to endpoints in other New York localities.

States and localities could also emulate the most effective practices and characteristics of other cybercommands, through inter-municipality learning sessions organized by the federal government. Thus, broader lessons on forging cybercommands in New York City can be applied to smaller towns like Oldsmar, the target of the attack discussed at the outset of this article.

Streamlining Information-Sharing

As states and localities build cyber-capacity, the federal government can streamline information-sharing with states. This will allow the government to collectively improve its understanding of the critical infrastructure threat landscape, and enable states to strengthen defensive capabilities. To do so, CISA could build on the existing institution of Fusion Centers.

After 9/11, the federal government established several Fusion Centers, where the private sector and local, state, and federal governments could share technical information on terror attack trends, particularly those targeting critical infrastructure. But as cyber emerged as a threat to public utilities, several states decided to split their Fusion Centers, dedicating one to traditional law enforcement and counterterrorism activities, and the other to cyber-defense. Dr. House, for example, helped establish the New England Cyber Fusion Center, based in New Hampshire.

Through these centers, private sector and local government officials can focus on sharing intelligence about cyber-threats they have encountered with the federal government. The federal government, with access to such data, can then piece together a more complete view of the critical infrastructure threat landscape. This enables the federal government to identify broader cyber-attack trends.

Streamlining information-sharing through Fusion Centers could then bolster local capacity to address critical infrastructure cyber-threats. In Dr. House’s eyes, the federal government’s “prime value” is in “supplementing the states.” It can do so by sharing nation-wide patterns of intrusion in critical infrastructure by sophisticated actors and nation states. Disseminating such information through Fusion Centers would help states and localities granularly understand how a particular form of malware was managed and contained elsewhere (provided that localities have uniform vulnerabilities). Mr. Brown concurs, explaining that without Fusion Centers, it would be “difficult to see and operationally collaborate across the wider cyberthreat landscape.”

Finally, the federal government can improve information-sharing by promoting cross-ISAC cooperation. ISACs are a key way that governments and companies within the same industry can share information on cyber-threats. But as it stands, information-sharing occurs only within ISACs. Companies and municipalities in a telecom ISAC can quickly share information only with each other; sharing information with municipalities in a water ISAC requires certain disclosures that take time to process. Thus, if the energy sector is impacted, the water utility is unlikely to find out about it through ISAC mechanisms in time.

Toward Cyber-Federalism

The cyber-federalism conversation cannot end here. Other cyber issues also naturally fall under the purview of the states, like election cybersecurity, since states are ordinarily tasked with running elections. But the stakes are especially high when it comes to critical infrastructure. We urgently need the federal government to institutionalize its support for state and local cyber-defense to prevent a calamitous attack.