Where Cybersecurity Starts in Region 2

If there is one element crucial to securing every sector of the nation’s critical infrastructure it is cybersecurity. The water flowing from our taps, the energy powering our homes, businesses, and transportation, and the functioning of our communications, healthcare, and financial systems all rely on the connectivity and cyber processes inherent in today’s complex technological landscape. But what if those systems and processes were disrupted not by a cyberattack, but an attack on the physical structures that make them possible?

This is a question that Region 2 Regional Protective Security Advisor Julie Johnson is exploring through a Regional Resiliency Assessment Program (RRAP) assessment of the physical infrastructure that underpins most of the communications and internet connectivity Americans and our critical infrastructure rely on but rarely think about: the complex network of data hubs and undersea cables that connects us with each other and the world.

“It is easy to forget the very physical network of bundled wires that carries most of our data in our modern age,” Johnson said. “This network of undersea cables and the data hubs they connect to are the backbone of our entire global economy and impact every facet of our national critical infrastructure.”

RRAP assessments examine specific critical infrastructure within a region to identify security and resilience issues that could have regionally or nationally significant consequences. As approximately two dozen undersea communications cables land in Region 2 and their disruption would have nationwide or even global impacts, Johnson is working to build on existing regional knowledge and take a closer look at the security and resilience of the cables, landing sites, major data hubs, and their power sources.

The potential risks and threats to this physical infrastructure include aging architecture, unstable power sources and power loss, offshore or nearshore physical attacks, and climate-related risks. Region 2 is home to legacy sites not purpose built to house these critical installations, Johnson explained, with some cables landing on beaches, running alongside highways, and other “hidden in plain sight” unsecured locations. This leaves them vulnerable to attack by any threat actor, including foreign nation states and activists, seeking to strategically disrupt international networks by damaging the cables or their data hubs using unmanned aerial vehicles, electromagnetic pulses, severing cables, and a host of other potential attack scenarios.

“The majority of today’s physical internet structure is in the hands of the private sector and there is limited redundancy in these systems,” Johnson said. “Modeling and testing disaster scenarios is needed to accurately identify and project outages and cascading failures, and the impact those would have to the region and country. What this RRAP will put in place is a framework through which we can ultimately begin table-topping how these scenarios could unfold, and determine how we can better prepare for them and build resilience into the system.”

A current positive outcome of the RRAP is the partnerships it has fostered between the region and key internet infrastructure stakeholders. While the communications sector has traditionally been a bit more reticent to partner with CISA, according to Johnson, the conversations her research has facilitated with those stakeholders have both raised awareness of the need for more coordinated partnership as well as encouraged better information sharing. With recent invitations to speak on the subject to core network engineers at both the North American Network Operators Group and the New Jersey Fiber Exchange, that dialogue seems poised to grow.

“After those briefings, one stakeholder now affectionately refers to me as Doomsday Julie,” Johnson joked. “But I’ll take it! Anything that keeps us all talking and working to better understand the risks is a win in my book. This has been one of most fulfilling and eye-opening projects I have tackled in my entire career and building those relationships has been the highlight. The internet doesn’t live ‘in the cloud,’ it lives in a very tangible physical network under the sea and in buildings throughout Region 2. It’s up to all of us to keep it secure and that starts on the ground, not in the cloud.”