The US needs to decide what 'critical infrastructure' means, said Isaacson

The U.S. government needs to clearly enunciate a policy that protects more critical systems from hackers, even in the private sector, a prominent policy expert told CNBC's "Squawk Alley" on Friday.

"What the government has tried to do is to take critical infrastructure ... like the electricity grid, and say, 'If you attack that, it could be an act of war.' Well, are airlines critical infrastructure? Yes. Is our election system a critical infrastructure? In my mind, yes," said Walter Isaacson, president of the Aspen Institute, a nonprofit that helps leaders solve complex problems. Isaacson is also the author of "The Innovators: How a Group of Hackers, Geniuses, and Geeks Created the Digital Revolution."

His comments come on the heels of an announcement by Yahoo that information associated with at least 500 million user accounts was stolen in late 2014 by what appeared to be a state-sponsored actor.

"You really have to broaden this and have some collaboration between private industry and government entities to at least quickly roll up and share information about all hacks," Isaacson said. "So that if something happened in 2014 it can be spotted more quickly."

Yahoo's attack is not the first high-profile hack this year that appears to be tied to state actors. U.S. officials and cybersecurity firms have found evidence that Russia was behind a security breach that released thousands of Democratic National Committee emails.

"What really is a danger in cybersecurity is spear phishing, because if you know enough about a person, they can know the name of their boss, their wife, whatever, and say, 'Hey, would you open this attachment?'" Isaacson said. "That allows you into the system."

The increasing prevalence of cyber attacks is the topic of a new conference from The Aspen Institute, CNBC and MIT to discuss ways to combat urgent cyber threats. Isaacson said that developing a stronger doctrine for cybersecurity is likely to be a key discussion point there.

"How do you have a doctrine that says, 'If you do this and you're a state actor, we will name you. These consequences will happen'?" Isaacson said.