RSA 2023: Securing the Nation's Critical Infrastructures
As a fellow at the Institute for Critical Infrastructure Technology (ICIT) and co-author of the book Securing the Nation’s Critical Infrastructures: A Guide for the 2021–2025 Administration, I was honored to be asked to speak at the RSA Conference 2023 in San Francisco on the topic of “Digital Supply Chain Security: What Happens When an Organization's Trusted Solutions Can No Longer Be Trusted?” Many thanks to SafeBreach, who sponsored the event and hosted the reception and book signing afterward.
Joining me were Joyce Hunter, the accomplished executive director of ICIT, who was appointed by President Barack Obama as the deputy Chief Information Officer (CIO) for policy and planning at the Department of Agriculture, serving as both co-author and moderator, and Jerry Davis, a distinguished cybersecurity expert with a wealth of experience in the public and private sectors. Jerry has held key positions at the U.S. Department of Veterans Affairs (VA) and NASA, focusing on cybersecurity in transportation, both ground- and space-based. As a fellow at ICIT, he shared his expertise on these topics. The format was a fireside chat, with thought-provoking questions expertly moderated by Joyce.
Together, we discussed the following:
The current state of digital supply chain security
The importance of supply chain integrity to cybersecurity, national security, and critical infrastructure
The impact of cybersecurity on agriculture and transportation
The challenges involved in securing the supply chain, and some specific examples of supply chain attacks
Recommendations for the future, including national responsibility and how government can engage
One of the key aspects of supply chain attacks is their ability to compromise systems at scale. For example, the recent multi-level supply chain attack on 3CX demonstrated how one compromised vendor could be leveraged to infiltrate the next vendor in the chain. While supply chains are often perceived as linear, they are in reality complex webs of interconnected products and services.
Supply chain attacks fundamentally undermine trust: the targeted organizations inherently trust their vendors and grant them access to sensitive systems or information. These attacks exploit that trust, causing damage even when the organization believes it is dealing with a trusted supplier.
It was fantastic to connect with Joyce and Jerry at the RSA Conference 2023, and I thoroughly enjoyed the conversations we had both before and after the speaking event.
About ICIT
The Institute for Critical Infrastructure Technology (ICIT) is the nation’s leading 501(c)(3) cybersecurity think tank, providing objective, nonpartisan research, advisory, and education to legislative, commercial, and public-sector stakeholders. Its mission is to cultivate a cybersecurity renaissance that will improve the resiliency of our Nation’s 16 critical infrastructure sectors, defend our democratic institutions, and empower current and future generations of cybersecurity leaders. ICIT programs, research, and initiatives support cybersecurity leaders and practitioners across all 16 critical infrastructure sectors and can be leveraged by anyone seeking to better understand cyber risk, including policymakers, academics, and members of the business community. ICIT’s support extends to any organization, regardless of size, that is impacted by digital threats.
About the book
Securing the Nation’s Critical Infrastructures: A Guide for the 2021–2025 Administration is intended to help the United States executive administration, legislators, and critical infrastructure decision-makers prioritize cybersecurity, combat emerging threats, craft meaningful policy, embrace modernization, and critically evaluate nascent technologies. The book is divided into 18 chapters. Each chapter focuses on one of the critical infrastructure sectors identified in the 2013 National Infrastructure Protection Plan (NIPP), as well as election security and the security of local and state government.
Why the Book was Written
Major cybersecurity incidents involving public sector systems occur with jarring frequency; however, instead of increasing vigilance against the threats posed to our vital systems, the nation has become desensitized and demoralized.
This publication was developed to deconstruct the normalization of cybersecurity inadequacies in our critical infrastructure. We examine some of the historical disconnect between cybersecurity and its impact on national security, which has led to gaps in safeguarding our critical infrastructures. It was important for us to capture a holistic and comprehensive outlook on each critical infrastructure sector. To this end, each chapter includes a foreword that introduces the sector and perspective essays from one or more reputable thought leaders in that space, on topics such as:
The State of the Sector (challenges, threats, etc.)
Emerging Areas for Innovation
Recommendations for the Future (2021–2025) Cybersecurity Landscape
While the current situation of gaps in cybersecurity may seem overwhelming, the book also aims to make the challenge of improving our cybersecurity health and national security posture less daunting, and to pave a tangible way forward.