In March of this year, a large Southern California water system tested the effectiveness of its cyber defenses by hiring a cybersecurity team to try to hack its network, something called penetration testing. To official dismay, the team was able to seize control of the computers that add chemical treatments to the drinking water of Los Angeles. If they had been real attackers, they could have rendered the water poisonous, likely killing many people and causing a major disaster. How long did it take them to get in? One day.
The nation's critical infrastructure and key resources are the very foundation on which the nation operates. They include electricity generation and distribution, gas and oil production and distribution, telecommunications, water supply, agriculture, heating, public health, transportation, financial services and security services. The government classifies them as critical because incapacitation or degraded operation of these assets would pose significant economic consequences or even loss of life.
The first U.S. critical infrastructure protection program was in put in place in 1996, but the attacks of 9/11 heightened government interest in stopping terrorist and conventional warfare attacks. The result was the formation of the Department of Homeland Security (DHS), which is charged with protecting our infrastructure.
Defending our infrastructure is a daunting task. Challenges include the diversity of the systems, their complex interactions, and the fact that even within a particular sector, different assets may be owned and operated by different organizations. Some resources are operated by the government, but most are in the hands of the private sector. Traditional attacks, such as the destruction of energy distribution centers and contamination of water supplies, are fairly well understood and have countermeasures grounded in the physical components and connections of these systems. However, like the LA water supply penetration test demonstrates, in every aspect of our lives, these systems are dependent on computers.
DHS recognized early on that cybersecurity is an important aspect in our defense. In 2003, the President's National Strategy to Secure Cyberspace made DHS responsible for proposing security recommendations. The theory behind the strategy was that the government, working in partnership with private industry, could improve cybersecurity without requiring government regulation. The most visible sign of the strategy was the creation of the United States Computer Emergency Readiness Team (US-CERT), which coordinates the response to Internet-based security threats. It publishes information about software vulnerabilities and exploits and works with software vendors to create patches to fix the vulnerabilities.
The DHS' strategy is one based on influence. DHS develops cybersecurity best practices and guidelines but has no authority to enforce them. The result is that the cybersecurity strategies — which include recommendations, requirements and regulations — for government-owned and -regulated sectors are left to each sector to develop and implement. A few government agencies that are responsible for specific types of critical infrastructure have instituted their own enforceable cybersecurity requirements.
For example, the Nuclear Regulatory Commission (NRC), which in 2004 suggested the use of cybersecurity self-assessment tools it had developed for nuclear reactor facilities, finally created cybersecurity rules in 2009 and began enforcing them in 2010. Unfortunately, the NRC is an exception. The Federal Energy Regulatory Commission is responsible for the security and reliability of power transmission, but not for its generation, leaving much of the grid unmonitored and unregulated. Complicating things further for DHS is the fact that the National Security Agency has claimed ownership of aspects of national cybersecurity, launching the "Perfect Citizen" program as part of an initiative to better secure the nation's critical infrastructure against cyber-attacks.
There are no common standards, enforced or otherwise, for the implementation and operation of critical infrastructure systems, both government-owned and private. Even where the government has treated cybersecurity as a priority for its own systems, authorities have achieved questionable success, and there have been numerous high-profile and embarrassing breaches of Department of Defense systems. In 2008, the U.S. Army had to ban the use of USB keys altogether to control the outbreak of a computer virus on computers across its bases. Then in 2009, plans for the Joint Strike Fighter were stolen from the computers of several defense contractors, including Lockheed Martin, which was again breached early this year. Perhaps the most sensational attack was when a disgruntled employee leaked large amounts of classified and secret information from the Department of Defense's classified networks and led to the Wiki Leaks scandal.
Other government-run sectors are no better. A few days ago, the Government Accounting Office released a report criticizing the Federal Deposit Insurance Corporation for having substandard cybersecurity controls, including use of weak passwords and lax software-patching practices. And to recognize that the private sector lags even further, you simply have to watch the headlines. Virtually every day another major company announces that its website, servers or databases have been hacked. Congress recently passed laws expanding the rules regarding breach disclosure, and Federal Information Security Management Act certification is required for companies hosting government-owned data, but the certification's requirements don't address modern cyber threats and have no special provision for critical infrastructure systems.
The bottom line is the nation's critical infrastructure is currently vulnerable to cyber-attacks, and there's no government organization with the authority to improve the situation. Since DHS is charged with the mission of protecting critical infrastructure, it's natural for it to be the department to define cybersecurity standards for the infrastructure, offer incentives for following them and assign penalties for lack of compliance.
Without a combination of encouragement and regulation, the private sector has little motivation, especially given the costs, to better secure their systems. Only Congress has the authority to make this happen, and the longer it delays, the higher the risk that we'll all pay the price.
Email
Facebook
Google
Twitter
Favorites
More
Advertisement
Advertisement