EDITORIAL:  DENIS ČALETA, JAMES F. POWERS JR.

        (2018) Cybersecurity and Infrastructure Security Agency has responsibility to coordinate
        efforts from the federal government level to the local level—and includes owners/operators
        and all stakeholders.

        Since sufficient resources to physically protect critical infrastructures will never be availa-
        ble, the imperative to ensure due diligence in appropriating federal, state, local and private-
        sector funds for protection efforts is paramount. Today’s protection efforts are multidimen-
        sional—not simply armed guards and barriers protecting a building or system. Protection
        efforts are characterized and prioritized by human, physical & cyber considerations; the
        National Planning Scenarios; determination of criticality; intelligence; and risk (stated as a
        function of threats, vulnerabilities and consequences). Moreover, it is a dynamic rather than
        a passive process—what is critical today may not be critical tomorrow. And intelligence
        informs all stakeholders of emerging concerns. The factors and considerations previously-
        mentioned are interlinked like a watchwork. When one factor changes, the others are im-
        pacted to some degree.

        Considering what practitioners have learned since 9/11, here’s where the focus should be:
        1. Historically-based (national planning scenarios) versus crime-related (this includes ter-
        rorism) threats. For example, cyber-systems are much more vulnerable to weather and natu-
        ral disasters than to terrorist threats.
        2. Monitoring of cyber intrusion attempts and determining origin for possible prosecution.
        3. Developing threat-based cyber capabilities to detect, deter, mitigate, respond to and re-
        cover from cyber intrusions
        4. Investing in personnel surety versus software. Aside from personnel costs, the second
        largest expenditure for most companies is information technology. It’s time to re-evaluate
        the expenditures for physical protection versus the costs required for personal surety. Why?
        It’s easier to gain access to a cyber system via someone on the inside than hire a cyberhacker
        to break into the system. Background checks must become more comprehensive—and this
        may include periodic and unannounced polygraph tests, drug testing, and personal financial
        reviews. The weakness of any cyber system lies not in the software, but in the integrity of
        those operating the system. Owners/operators of CI should establish Red Teams—teams of
        company-owned, experienced cyberhackers—whose sole mission is to hack into the com-
        pany’s systems. The intent here is to hire better hackers than the adversary.

        Nation-states will forever endure extremist and radical ideologies—and these labels are all
        culture-based. Disagreement in beliefs and ideologies does not necessarily constitute crimi-
        nal motivation or likelihood of criminal behavior. When actions of any group—ideology
        notwithstanding—become violent and break the laws of that sovereign nation-state, then
        those acts, however, constitute criminal behavior.

        It is unlikely that any nation-state permits identification theft, cyber hacking, cyber intru-
        sions, etc. Whether these violations are considered as violent is a matter for the particular
        nation-state. Many Americans do not consider cybercrime violent but rather something less
        than violent—a white collar crime—but a crime, nonetheless.

        As threats increase, so should protection efforts. And the greater the assets, the greater the
        need for cybersecurity systems. The very nature of being designated critical usually infers
        that the site has vast assets—and an information technology system to help facilitate opera-



       10