Concerns have mounted in recent weeks that the U.S. could fall victim to a targeted cyberattack, particularly in the face of Russian aggression in Eastern Europe. But a top cybersecurity expert said it is not the attack he fears, but rather the reaction of the American populous.
U.S. security agencies have alerted government entities and private companies alike to be on high alert of a potential cyber-attack and take precautionary steps.
But Robert Lee, a member of the Department of Energy (DoE) Electricity Advisory Committee and the founder and CEO of cybersecurity firm Dragos, told Fox News he is concerned how "the fear around infrastructure attacks could be politically used."
"Our infrastructure is going through a digital transformation — that’s true in every industry. The ability to attack our industrial infrastructure is more significant than ever before. At the same time the threats are becoming more bold," he said. "My nightmare scenario is actually not taking down the power grid — there’s more than one electrical system anyway — and it’s not about poisoning a town’s water system.
"The thing that really concerns me is the fear around these events and the overreaction that can occur," he added.
The Biden administration on Thursday announced a 100-day plan to bolster cyber protections for the U.S. water industry.
The White House took similar steps last year to better protect U.S. energy industries, including the electric sector and natural gas pipelines, following an attack on the Colonial Pipeline.
Lee applauded the move, but warned that securing the water sector would not be an easy task given the "scale and economics" of water systems across the U.S.
"Water is seen as one of the hard places [to secure] because, quite frankly, there’s just so many water systems around America — around 50,000 to 55,000," he explained. "And they tend to be some of the most under-resourced infrastructures."
Lee said that 95% of guidance in the private sector is preventative in nature, which means less than five percent of resources are being utilized for proactive defenses, which has led to an imbalance in how cybersecurity needs to be managed.
The cyber specialist, who served as a former U.S. Air Force Cyber Warfare Operations Officer tasked to the National Security Agency (NSA), said industries need to be able to detect, respond and prevent attacks.
Though larger companies have been able to better protect their resources, the problem lies in local facilities, he explained.
"Your smaller, hometown facility — usually it’s very difficult to get in front of your town and say, ‘Hey, we want to raise your water bill by 20 cents to be able to do cybersecurity in case a Russia or China type adversary attacks us.' That’s not generally going to get voted on at a town hall meeting," Lee pointed out.
Most of these water utilities don’t have IT staff, let alone the needed security staff to patrol more sophisticated cyber-attacks, he explained.
Lee said the majority of cyber-attacks are from private ransomware groups. But more concerning are the quiet actions being pursued by state actors to identify how they can steal intellectual property and carry out disruptive operations to further influence geopolitical strife.
The cybersecurity expert argued the best way to address the growing threat of cyber-attacks is by improving Americans’ understanding of the threat at hand.
"The Public Utility Commission of every state needs to understand the importance of investing in [Operational Technology] security and why it’s necessary," Lee added.