A very recent white paper came out by the Institute for Critical Infrastructure Technology (ICIT) called, “America Is Under Siege: Now is the Time for NASA to Unleash Gryphon-X.” It was written by a Fellow at the ICIT, along with a Visiting Scholar from Carnegie University. Both writers seem to have significant pedigrees and have experience writing other papers on cybersecurity attacks. To be clear, this white paper details an unfunded critical infrastructure project of epic proportions: a one stop-shopping network for the cybersecurity needs of NASA to protect its critical infrastructure. To repeat, the project is unfunded, and given recent legislative efforts in the cybersecurity realm, may never be funded.
But what if it were to be funded? The white paper describes one single location for a “Cybersecurity Fusion and Training Center” facilitated and managed by the Ames Research Center in Silicon Valley, California. The facility would, in one giant breath, “manage security risk across NASA’s critical infrastructure and to improve the resiliency of its network—and to provide a collaborative environment that focuses on the security, stability, and performance of the critical infrastructure and cyber-physical systems upon which the federal government, private organizations, academic institutions, and military agencies depend.” The center would focus on the continuous monitoring of critical infrastructure of these organizations and would help aggregate threat information in a way that allows incident responders to almost instantaneously respond to incursions and, hopefully, defend such infrastructure from attacks before the damage is done.
On a standalone basis, the private sector has developed cybersecurity automation and orchestration tools to help “single” company networks, with the help of cyber threat intelligence feeds, defend themselves from cyber incursions and hopefully break the cyber kill chain before it “kills” the company being attacked. The technology is new but it does, and can, work. We suspect in some cases government regulators will in fact mandate its use in many cases where critical infrastructure is involved.
To our knowledge this concept has never been used over multiple independent networks, involving multiple facilities housing critical infrastructure crossing a wide swath of territory. But technically speaking, Project Gryphon might be achievable and certainly when and where aging critical infrastructure is involved, might be a welcome blessing to all.
Paul Ferrillo is counsel in Weil, Gotshal & Manges’ Litigation Department.