U.S. critical infrastructure sectors face a “stunning challenge” amid intensifying cyberthreats paired frequently with a lack of understanding about what assets they possess and whether those assets are being protected, according to former U.S. National Cyber Director Chris Inglis.
In a recent interview with CRN, Inglis said that while “this is not a time to engage in fear-mongering,” it’s most definitely a moment where “we have to educate people — decision makers and businesses — to help them understand how [security] works.”
Cybersecurity experts have “an obligation to help people understand what hangs in the balance, what choices they can make,” he said.
[Related: In Wake Of Change Healthcare Attack, MSPs Say Health System Is Far Too Vulnerable]
Inglis spoke with CRN alongside Yaniv Vardi, the CEO of cyber-physical systems protection vendor Claroty. Inglis, who served as the White House’s inaugural National Cyber Director from 2021 to 2023, joined the advisory board at Claroty in January.
ADVERTISEMENT
During the interview, Inglis and Vardi pointed to the troubling realities at many organizations in critical infrastructure, with these key sectors heavily targeted by hackers and frequently under-resourced when it comes to IT and security.
Meanwhile, digital transformation has pushed these companies to accelerate their connectivity, Vardi noted.
“Obviously, they’re doing it to be more productive, more competitive,” he said. “But the bottom line is that they expand the risk and the attack surface.”
In the wake of widely felt attacks including the Change Healthcare ransomware attack and the Volt Typhoon attacks targeting critical infrastructure, Claroty last week announced raising a growth funding round of $100 million, bringing the company to a total of $735 million in funding raised since its launch in 2015.
Prior to being named National Cyber Director, Inglis spent eight years as deputy director and COO of the National Security Agency and three years in the role of Special U.S. Liaison to London. His three-decade military career included service in the U.S. Air Force and Air National Guard, and he retired as a Brigadier General.
What follows is an edited portion of CRN’s interview with Inglis.
Why does the U.S. have such a major challenge in terms of addressing security for critical infrastructure / OT (operational technology)?
We’ve focused a lot on information technology [security] — and most of the models and the focus have been on, how do we actually bring some order, discipline, resilience to that space? But the operational technology space has been greatly underserved. What we’ve experienced in the last five years is a very strong integration of what used to be independent, bespoke operational technology, into traditional classic information technology. And yet we still focus on the information technology. But most of the things I depend upon to safely conduct my life are strewn across both the operational technology and the information technology. It’s both a stunning challenge and a great opportunity.
What prompted your decision to join the advisory board at Claroty?
As I left the White House from my most recent position, I was looking around for what further work I could do. In the private sector, I was looking for organizations that were bringing innovation and a high degree of leverage to the center of this problem — which is how do we actually address the totality, not just operational technology, but its increasing integration into information technology? There are few companies that I know of that have done it as well as Claroty has. It helped that [former NSA director] Mike Rogers was already here, somebody I’ve known for many years from my National Security Agency days. And the sum of those things make this a natural commitment for me, to help them do what I think must be done — which is to bring some resilience and robustness and some optimization to the slice of architecture that is increasingly existential for us.
Is there a specific misunderstanding out there about security that you’re hoping to correct in the future?
We need to help people understand that this is not a moment where fate takes over. There are choices to be made. People obsess about hiring the next CEO or COO or CFO. That’s a very significant decision, but they don’t think about the IT or the OT that they would employ to the same degree. They delegate that. They don’t think about, what are the consequences of that particular technology that I bought? They don’t really understand how the architecture is constructed, what the dependencies are. And so I think that all of us — but particularly those of us that are in the business of building and deploying solutions — have an obligation to help people understand what hangs in the balance, what choices they can make.
This is not a time to engage in fear-mongering. We can’t actually scare people into doing the right thing. But this is a moment where we have to educate people — decision makers and businesses — to help them understand how [security] works.
Could you say a bit more about what has made Claroty stand out to you in terms of its technology offerings?
I’ve found Claroty to be very good in terms of describing what they intended to do to solve not just the OT problem, but to solve the OT problem in the context of the larger digital infrastructure as it merges with information technology. I also ask the question about whether the people at a place like Claroty are on the leading edge of innovation, and whether they know their game, whether they’re actually operating at a high level of performance — clearly they are. Their track record is remarkable in terms of what they’ve already done. I think that there’s a high degree of potential here that I don’t see in other organizations.
With critical infrastructure threats, how does third-party risk play into that? And do you see that as a major issue you’re focusing on?
I think that increasingly, you have to make sure that if you’re managing a business, you understand what assets are actually playing a role in what you do and how you do it. And there are many organizations and individuals who don’t know the answer to that question. And so job No. 1 is to figure out, what are the assets that are in your estate? What’s the current status of those assets?
You have to start with instrumenting the system so that you know what’s actually operating on your behalf. And then you can begin to look for anomalies in those behaviors and begin to then address those anomalies. But [first] you have to have a larger view of what that architecture looks like. When you understand what’s operating in your environment, [you can then] make choices about what risks you can accept, and what to do about the ones you’re not willing to accept.