Skip directly to Accessibility Notice
  • Muni Nation

    Cybersecurity: U.S. National Critical Functions Identified

    Tom Butcher
    May 30, 2019
     

    The U.S. Department of Homeland Security, “viewing risk through a functional lens,” has developed a list of national functions it deems critical. Perhaps cataloging and assessing these vulnerabilities in domestic systems can be done in such a way as to influence, among other things, municipal borrowers to take meaningful action around cybersecurity.

    Introduction

    Only the other day we published a Muni Nation entitled A Quick Cybersecurity and Municipal Bonds Update. In it we had a quick look at what’s been happening in the space over the past year or so, along with very brief glance at a U.S. Government Accountability Office (GAO) report to “Congressional Committees” in its “HIGH-RISK SERIES” (indicative in itself!) entitled “Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation.The GAO “identified four major cybersecurity challenges and 10 critical actions that the federal government and other entities need to take to address them.”

    At the end of our piece, we said: “We so look forward to updating you more positively next time. But we are not holding our breath!” However we certainly did not think we would need to provide a further up-date so soon. But we do.

    Incident Update

    It was with a somewhat pained sense of déjà vu that we read recently of yet another attack on Baltimore. As we mentioned in our last piece, it was only in March 2018 that the city’s 911 dispatch system was victim (subject to?) a hacker attack.

    This time, on May 7, Baltimore’s mayor, Bernard C. Jack Young, tweeted at 1416 hrs: “Baltimore City core essential services (police, fire, EMS and 311) are still operational but it has been determined that the city’s network has been infected with a ransomware virus. City employees are working diligently to determine the source and extent of the infection.”The obvious question was: What has the city been doing about cybersecurity over the last year?

    As cybersecurity expert Hans Holmerpoints out, the majority of breaches are the result of hackers discovering technical vulnerabilities before the owners of those systems themselves do. This leads to the conclusion that if technology owners spent more time and resources enumerating their own vulnerabilities, they would be far less likely to suffer a breach. An organization that suffers a breach through the use of a zero-day vulnerability,a previously unknown attack vector, has an excuse. However, the vast majority of breaches happen to organizations using well-known attack vectorsthat could have been prevented with adequate investment in security processes that focus on preventing breaches facilitated by these attack vectors.

    Developments at the U.S. Department of Homeland Security?

    However, whatever may (or may not) have been happening in Baltimore, it appears that things have been moving along at the U.S. Department of Homeland Security and, in particular, at the Cybersecurity and Infrastructure Security Agency (CISA)—National Risk Management Center.

    On April 30, CISA issued the following release: “National Critical Functions: An Evolved Lens For Critical Infrastructure Security And Resilience.”[i] Therein, National Critical Functions are defined as: “The functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

    The raison d'être is (the hope?) that: “By viewing risk through a functional lens, we can ultimately add resilience and harden systems across the critical infrastructure ecosystem in a more targeted, prioritized, and strategic manner.” And that: “Ultimately, the set of National Critical Functions is a launching pad for executing a more advanced approach to cybersecurity and critical infrastructure security and resilience.”

    In Mr. Holmer’s view: “… this kind of cataloging of critical infrastructure can be useful, but only if it is used to understand our own vulnerabilities rather than external threats.” However, as he points out: “Our infrastructure is so weak that just about any actor can be a threat. Until the average critical infrastructure vulnerability index is so high that only the most capable actors can be a threat, there is no useful way to catalog threats and we must instead fix vulnerabilities.”

    National Critical Functions and Municipal Bonds

    As we continue to assert, the services provided by municipal borrowers have always been, and remain, vital to our everyday life and the need to protect these services from possible disruption becomes ever more important. The “intersection” between the National Critical Functions and the services funded by municipal bonds only goes to illustrate this even more clearly.

    In the chart below, we have taken the list of National Critical Functions and highlighted a number of functions, but by no means all, obviously funded through municipal borrowing

    National Critical Functions Set

    Connect Distribute Manage Supply
    • Operate Core Network
    • Provide Cable Access Network Services
    • Provide Internet Based Content, Information, and Communication Services
    • Provide Internet Routing, Access, and Connection Services
    • Provide Positioning, Navigation, and Timing Services
    • Provide Radio Broadcast Access Network Services
    • Provide Satellite Access Network Services
    • Provide Wireless Access Network Services
    • Provide Wireline Access Network Services
    • Distribute Electricity
    • Maintain Supply Chains
    • Transmit Electricity
    • Transport Cargo and Passengers by Air
    • Transport Cargo and Passengers by Rail
    • Transport Cargo and Passengers by Road
    • Transport Cargo and Passengers by Vessel
    • Transport Materials by Pipeline
    • Transport Passengers by Mass Transit
    • Conduct Elections
    • Develop and Maintain Public Works and Services
    • Educate and Train
    • Enforce Law
    • Maintain Access to Medical Records
    • Manage Hazardous Materials
    • Manage Wastewater
    • Operate Government
    • Perform Cyber Incident Management Capabilities
    • Prepare for and Manage Emergencies
    • Preserve Constitutional Rights
    • Protect Sensitive Information
    • Provide and Maintain Infrastructure
    • Provide Capital Markets and Investment Activities
    • Provide Consumer and Commercial Banking Services
    • Provide Funding and Liquidity Services
    • Provide Identity Management and Associated Trust Support Services
    • Provide Insurance Services
    • Provide Medical Care
    • Provide Payment, Clearing, and Settlement Services
    • Provide Public Safety
    • Provide Wholesale Funding
    • Store Fuel and Maintain Reserves
    • Support Community Health
    • Exploration and Extraction Of Fuels
    • Fuel Refining and Processing Fuels
    • Generate Electricity
    • Manufacture Equipment
    • Produce and Provide Agricultural Products and Services
    • Produce and Provide Human and Animal Food Products and Services
    • Produce Chemicals
    • Provide Metals and Materials
    • Provide Housing
    • Provide Information Technology Products and Services
    • Provide Materiel and Operational Support to Defense
    • Research and Development
    • Supply Water


    Conclusion

    As we have already mentioned, the services provided by municipal borrowers remain vital to our everyday life and need to be protected. Cybersecurity can help provide this protection. Unfortunately, the effects of not doing so have become ever more apparent and the costs of remediation commensurately more expensive.

    Now that the U.S. Department of Homeland Security has listed the functions it deems critical, perhaps identifying, cataloging, and assessing these vulnerabilities in domestic systems can be done in a way that influences municipal borrowers, among other people, to take meaningful action.

    In our next series of posts on cybersecurity and municipal bonds we will be discussing both how rating agencies are treating cybersecurity in the municipal space and looking at examples of successful cybersecurity initiatives.

    1U.S. Government Accountability Office: Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the Nation, September 2018, https://www.gao.gov/assets/700/694355.pdf

    2CBS Baltimore: Some Baltimore City Services Still Shut Down Due To Ransomware Attack, May 7, 2019, https://baltimore.cbslocal.com/2019/05/08/baltimore-city-services-shut-down-ransomware/

    3Hans Holmer is a senior cyber strategist. He has more than 32 years of experience in cybersecurity, human intelligence, and counterintelligence in the United States and overseas. Mr. Holmer served as a case officer for the Central Intelligence Agency (CIA) for over 25 years where he assessed vulnerability and detected threats to internal and external network and infrastructure.

    4“A zero-day vulnerability is a software security flaw that is known to the software vendor but doesn’t have a patch in place to fix the flaw. It has the potential to be exploited by cybercriminals.” Norton, https://us.norton.com/internetsecurity-emerging-threats-how-do-zero-day-vulnerabilities-work-30sectech.html

    5Attack vectors are the means granting access to hackers to a computer, device, or computer network to deliver a payload or malicious outcome.

    6U.S. Department of Homeland Security: National Critical Functions: An Evolved Lens For Critical Infrastructure Security And Resilience, April 30, 2019,https://www.dhs.gov/cisa/news/2019/04/30/cisa-releases-national-critical-functions-set

  • IMPORTANT MUNI NATION®DISCLOSURE  

    This content is published in the United States for residents of specified countries. Investors are subject to securities and tax regulations within their applicable jurisdictions that are not addressed on this content. Nothing in this content should be considered a solicitation to buy or an offer to sell shares of any investment in any jurisdiction where the offer or solicitation would be unlawful under the securities laws of such jurisdiction, nor is it intended as investment, tax, financial, or legal advice. Investors should seek such professional advice for their particular situation and jurisdiction.

    VanEck does not provide tax, legal or accounting advice. Investors should discuss their individual circumstances with appropriate professionals before making any decisions. This information should not be construed as sales or marketing material or an offer or solicitation for the purchase or sale of any financial instrument, product or service.

    Please note this represents the views of the author and these views may change at any time and from time to time. MUNI NATION is not intended to be a forecast of future events, a guarantee of future results or investment advice. Current market conditions may not continue. Non-VanEck proprietary information contained herein has been obtained from sources believed to be reliable, but not guaranteed. No part of this material may be reproduced in any form, or referred to in any other publication, without express written permission of VanEck. MUNI NATION is a trademark of Van Eck Associates Corporation.

    All indices listed are unmanaged indices and do not reflect the payment of transaction costs, advisory fees or expenses that are associated with an investment in a fund. Certain indices may take into account withholding taxes. An index’s performance is not illustrative of a fund’s performance. Indices are not securities in which investments can be made.

    The Bloomberg Barclays Municipal Bond Index is considered representative of the broad market for investment grade, tax-exempt municipal bonds with a maturity of at least one year. The AAA and BBB indices are sub-sets of this broader index.

    Municipal bonds are subject to risks related to litigation, legislation, political change, conditions in underlying sectors or in local business communities and economies, bankruptcy or other changes in the issuer’s financial condition, and/or the discontinuance of taxes supporting the project or assets or the inability to collect revenues for the project or from the assets. Bonds and bond funds will decrease in value as interest rates rise. Additional risks include credit, interest rate, call, reinvestment, tax, market and lease obligation risk. High-yield municipal bonds are subject to greater risk of loss of income and principal than higher-rated securities, and are likely to be more sensitive to adverse economic changes or individual municipal developments than those of higher-rated securities. Municipal bonds may be less liquid than taxable bonds.

    The income generated from some types of municipal bonds may be subject to state and local taxes as well as to federal taxes on capital gains and may also be subject to alternative minimum tax.

    Diversification does not assure a profit or protect against loss.

    Investing involves substantial risk and high volatility, including possible loss of principal. Bonds and bond funds will decrease in value as interest rates rise. An investor should consider the investment objective, risks, charges and expenses of a fund carefully before investing. To obtain a prospectus and summary prospectus, which contain this and other information, call 800.826.2333 or visit vaneck.com. Please read the prospectus and summary prospectus carefully before investing.