Insights from a high-level roundtable held in March 2024 in Washington, D.C.

By FP Analytics, produced with support from Oracle

The rapid development of artificial intelligence (AI) presents a range of opportunities and risks for the security of America’s digital ecosystem, particularly as they relate to critical infrastructure. The nation’s interconnected and increasingly digitized energy grids, water, gas, transportation, and space systems, which are the foundation of the U.S. economy, can be optimized through this technology but are also vulnerable to—and increasingly targeted by—malicious actors seeking to undermine security. 

The Biden-Harris Administration addressed the evolving cyber threat landscape in the March 2023 National Cybersecurity Strategy (NCS) and the October 2023 White House Executive Order on safe, secure, and trustworthy AI, which place particular emphasis on critical infrastructure. Vital to the United States’ cybersecurity strategy is fortifying critical infrastructure defense by updating and establishing cyber regulations, scaling public-private collaboration, and upgrading government information, communication, and technology (ICT) systems. In addition, following the Executive Order on AI, the Administration recently announced the policy directive which tasks agencies to implement concrete safeguards against AI risks by December 2024. Notwithstanding these initiatives, questions remain about the most urgent and cost-effective means to strengthen cyber-defense. 

Against this backdrop, Foreign Policy, in partnership with Oracle, convened a diverse group of leaders and experts from across government, industry, academia, and civil society for a candid and balanced Chatham House Rule discussion on the threat landscape and the investments and partnerships needed to ensure cost-effective NCS implementation and network resiliency.

Foreign Policy’s Pentagon and national security correspondent, Jack Detsch, moderates the discussion on securing critical infrastructure in an era of AI-enabled cyber threats.

The discussion focused on:

  • Understanding the cyber and artificial intelligence threat landscape and identifying which actors pose the most significant threats
  • Mapping key vulnerabilities across critical infrastructure networks
  • Assessing core components of the NCS and alignment with other public and private cybersecurity strategies 
  • Identifying policies, regulations, and investments needed for NCS implementation and enhanced resiliency.

This synthesis report, produced by FP Analytics, the independent research division of The FP Group, distills key insights and takeaways from the discussion.

A participant shares insights at the high-level roundtable held in Washington on March 26, 2024.

Key Insights

1. Critical infrastructure sectors have yet to meet basic cybersecurity hygiene, although advances have recently been made to establish minimum cybersecurity standards across sectors.

The United States has been making progress in establishing minimum cybersecurity requirements in critical sectors, including, for example, transportation and health care. However, the infiltration of U.S. critical infrastructure systems by a China-based hacker group has exposed the sectors’ enduring vulnerabilities to potential cyberattacks. Implementing basic cybersecurity best practices or “cyber hygiene” – such as requiring multifactor authentication and maintaining updated software – is not yet systemically practiced across critical infrastructure sectors, despite being a fundamental step to strengthening cybersecurity. The need for ensuring data security before adopting AI tools was highlighted during the discussion, emphasizing that cybersecurity protocols must keep abreast with technological advancements.

2. Harnessing AI’s potential and minimizing its risks in critical infrastructure will require bridging the skills gap and strengthening critical infrastructure systems.

Artificial intelligence is set to escalate the speed and scale of cyberattacks in the near term, but it can also aid in preempting security breaches by detecting vulnerabilities in code and anomalous behavior within the system. AI can be deployed to bolster security and resilience in critical infrastructure. However, participants expressed concerns over limited budgets and capacity to implement adequate measures against AI-enabled cyber threats. Furthermore, there is an urgent need to bridge the skills gap relating to cybersecurity and AI within critical sectors, which in turn could spur the emergence of a specialized field for experts in both cybersecurity and AI domains.

3. Embedding a “secure-by-design” approach in manufacturing software and hardware systems is essential to ensuring critical infrastructure cybersecurity.

Technology manufacturers can help secure the building blocks of cyberspace by designing software and hardware products that integrate robust cybersecurity features from the start. The responsibility to ensure cybersecurity borne by end users from critical infrastructure sectors should be shared with manufacturers that create software. By factoring in cybersecurity outcomes in the manufacturing process, this proactive approach reduces the attack surface in cyberspace and increases the costs of cyberattacks by malicious actors. However, implementing secure-by-design features can disrupt production processes and increase production costs, which may discourage vendors from adopting such recommendations. These considerations need to be accounted for when implementing a “secure-by-design” approach.

4. The government needs to craft incentives and leverage market forces that prioritize the adoption of robust cybersecurity standards across technology-based solutions.

The federal government, having significant buying power in technology markets, has the capacity to influence the market and foster developers and vendors to prioritize the inclusion of more robust cybersecurity features in across products. Leveraging this market power could help to ensure that secure-by-design becomes a standard industry practice. Developing clear metrics for assessing the strength and robustness of cybersecurity tools will also be vital to increasing the understanding of secure-by-design principles and establishing measurable goals that can guide industry practices. In addition, a range of government policy tools can be explored to strengthen cybersecurity, such as tax incentives and cyber insurance.

5. The private sector, especially small-sized companies, need to be prepared for risks associated with the dual-use nature of their products.

Technology companies are increasingly finding themselves on the front lines of cyber warfare, emerging from the dual-use nature of some of their technologies. As the lines between commercial and military purposes blur in cyberspace, companies need access to resources and guidance to responsibly manage the dual aspects of their relevant technologies, especially as their operations can carry serious national security implications. Meanwhile, open-source models, which are made publicly available, provide opportunities for small-sized companies and researchers to develop applications but also increase their exposure to cybersecurity risks. Smaller companies often lack cybersecurity resources and personnel, which make them more vulnerable to cyberattacks and in need of training and risk mitigation support.

6. Collaborative approaches, such as building local and global communities of practice, are integral to raising cybersecurity awareness.

Building communities of practice – where cybersecurity practitioners exchange knowledge – can raise awareness and adoption of cybersecurity standards within critical infrastructure sectors. Private-public partnerships play a vital role in fortifying cyber defense of companies that lack cybersecurity resources or those that produce dual-use technologies. Moreover, monitoring the diverse approaches countries use in strengthening cyber defense is critical for discerning policies that work in containing cyber threats. For instance, the United Kingdom conducts safety tests for AI systems, which the US has recently partnered on, and the EU’s AI Act prohibits certain high-risk systems to be deployed within its markets.

Participants discussed cyber deterrence considerations at the high-level roundtable.

Looking ahead

Defending critical infrastructure sectors from cyber threats will require the effective implementation of minimum cybersecurity standards as well as identifying innovative and resilient approaches to tackling the threats, amid evolving capabilities of AI to augment and thwart cyberattacks. Investments in upgrading ICT systems and adopting secure-by-design technologies are critical steps to limit software vulnerabilities and the attack surface exploited by malicious actors in cyberspace. Multistakeholder collaboration is essential to coordinating cyber defense strategies, exchanging knowledge, and ensuring that AI enables—rather than compromises—cybersecurity within critical infrastructure.

By Angeli Juani, Senior Policy and Quantitative Analyst, FP Analytics

This synthesis report was produced by FP Analytics with support from Oracle. FP Analytics retained control of the synthesis report. Foreign Policy’s editorial team was not involved in the creation of this content.