As cyber threats continue to evolve in complexity and sophistication, protecting critical infrastructure must be a priority. Governments, the private sector and individuals should collaborate to identify vulnerabilities and implement robust strategies to counteract potential cyberattacks. ICSP talked to Victor Atkins of 1898 and Co. about critical infrastructure. Listen to the full podcast here.
The following was edited for clarity.
ICS Pulse: Let’s start at the beginning. How did you get from where you started to where you are now?
Victor Atkins: Thanks for asking. I spent about 15 years in the U.S. intelligence community, in various roles from the Central Intelligence Agency to the White House to the National Security Council. I started most of my career in nuclear terrorism, countering nuclear terrorism, countering state proliferation, but always as a U.S. Department of Energy employee. For 15 years, I was a DoE employee.
Starting around 2017, I was asked to start up the Cyber Intelligence Mission for the Department of Energy because we were required by law as the sector-specific agency to help the energy sector deal with cybersecurity risk. Part of that responsibility for the department was to have a robust intelligence program that would be able to share information about nation-state threats to the power systems.
Starting around the middle of 2017, I was asked to come back to DoE to start up that mission. I didn’t know much about cyber at the time, but I did know a lot about intelligence analysis and building teams. I had the fortunate misfortune that the first week I was on the job was the Russian intrusion into the power systems in 2017. That got a lot of attention for our department and my role specifically.
It was good for me because I got to learn a lot about the questions, the information needs that policymakers and the energy sector needed to know about threats like that. It helped me sharpen the focus of what we needed to deliver as an intelligence analysis group to support the sector and the government.
ICSP: What has the transition been like for you, going from the government to the private sector?
Atkins: I was lucky because during those five years, I spent a lot of time interacting with utilities and energy sector private entities, discussing the questions they had and the concerns they had about the threat. Whenever we would give a threat briefing to them, almost always, the executives would come back afterward and say, “This is really interesting information, but what do I do about it? How am I supposed to deal with this information?” The intelligence community is geared toward giving policymakers information to support policy. It’s not necessarily geared toward giving executives in an organization tactical information about how to reduce their risk. So I had a lot of experience dealing with the questions they were asking.
At the midpoint of my career, I felt like I needed to make a change. I was motivated by this idea that while the government is responsible for national security, in this problem, they own almost none of the assets. They have no responsibility over the private sector critical infrastructure. So we, as the government, are limited in what we can do in terms of securing these systems long term.
Coming to Burns & McDonnell and 1898 was a real opportunity for me. Burns & McDonnell is an architecture, engineering, construction firm that has been building critical infrastructure for over 100 years. They are one of the key elements of the systems we’re trying to protect in terms of design and construction. I wanted to come to a firm where I could bring my knowledge about the threat and the risk to help inform the way these systems are designed and engineered long term. I felt like I could make a greater impact on the whole system by being in the private sector.
For me, it’s been a learning process about the business and the way consulting is different than being a government employee. But a lot of the questions that I was already thinking about how to answer, and a lot of the questions that I’m now having to answer for clients, were very similar to the things I was asked when I was in the government.
ICSP: It’s an interesting point because a lot of people, when they think about critical infrastructure, especially government actions to protect critical infrastructure, so much of it is not in the government’s hands. You need that public-private partnership, or you’re really not protecting the systems and critical industries.
Atkins: I think there’s an incredible sea change happening philosophically within the government and the private sector about how this isn’t just the public side giving people regulatory guidelines and then making them comply. That’s been the natural relationship. “We tell you what to do. You do it. If you don’t do it, we fine you.” I think in this case, critical infrastructure has been a target for nation-state adversaries for over 100 years, going all the way back to the U.S. Civil War. The idea that in democratic institutions, critical infrastructure is a prime target because you can degrade public support for a warfighting effort if you can harm critical services like power, water and everything else.
The government, I think, realizes that this partnership with the private sector is a national security imperative. It’s no longer just a regulatory relationship. Over the last five years, mostly driven by the threats we’ve seen in the critical infrastructure space, the government has realized that this must be more of a give and take, and that we’re really in this together. I think we’re in this period of time where everyone on both sides of this divide is trying to figure out what the relationship really needs to be. It’s much more of a partnership, which means if one side fails, the other side fails, too. We’re all trying to figure out the rules of this engagement, but it’s changing even as we’re talking right now.
ICSP: The level of threat on critical infrastructure has also increased. I think a stat from your company was that it’s gone up 400% since 2020. What do you attribute this to, and what can be done about it?
Atkins: I think our adversaries, including national security adversaries, realize that our country is vulnerable to influence if they can affect public opinion about the government. We’ve seen this with elections, but critical infrastructure attacks in particular can really harm our government’s ability to fight a war or sustain our warfighting ability by attacking logistics.
Or public support for a war effort can be impacted if the public is suffering as a result of critical infrastructure attacks against things like power and water. If major metropolitan areas go down for weeks or months at a time in the winter, it’s going to be hard to have a two-front war where you’re trying to take care of an adversary and the homeland simultaneously. They know that.
They also know that the attack surface is getting bigger because we are getting more digital in our control system environments and more connected by communication systems. We’re moving toward generation systems with renewables, which are creating even more digital and communication connectivity. So that attack surface is getting really attractive from an adversary perspective. They know they can have an asymmetric impact for a relatively low investment. From a cost perspective, they can create payloads and weapons that can have enormous effects, and they can deny that they did it. So there’s a nonattributional part to cyber that no other system in a military toolkit affords an adversary. They know that this is a really advantageous way to get to us, and it’s also cheaper than other options.
As we get more connected in control systems, adversaries will likely get more aggressive in that environment, as well. And because there are no international norms around what constitutes a cyberattack as an act of war versus an annoyance, I think that there’s always just pushing those lines about what is an acceptable act of aggression, short of an act of war. As long as those things are ambiguous, I think that adversaries will continue to push that envelope.