Wyatt Kash | Fighting a common cyber cause
The number of reported cybersecurity breaches involving government information technology networks more than doubled in the past year. But an even greater threat looms over the nation’s infrastructure — and much of it is outside the government’s control.
By most estimates, more than 85 percent of the critical power, communications, transportation, food distribution, resource, health care and financial systems — among other systems that keep the country running — are held in private hands.
It is generally assumed that the economics of competition, self-preservation, the risk of lawsuits and a certain amount of regulation provide sufficient incentive for those service providers to make sure their systems are properly secured.
However, to those who follow the increasingly brazen penetration of seemingly secure IT networks in the United States, it is clear those incentives are no longer enough.
Certainly, it wasn’t a surprise when the Wall Street Journal reported April 8 that cyber spies had penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system. The current and former national security officials who provided details of the break-in have been observing such behavior for some time.
Perhaps more disturbing, though, is a letter written by the chief security officer at the North American Electric Reliability Corp. Citing the results of a 2008 self-certification survey of NERC members, Michael Assante reported that a worrisome number of power generation owners and operators were not fully assessing the risks to their systems, including the risk of cyber attacks. Additionally, he warned, operators need to recognize that the threat today is not that any one substation could be compromised but that many could be brought down simultaneously.
Assante deserves credit for issuing the letter. But the fact remains that NERC and other organizations that oversee the operators of the United States' critical assets must have greater authority to set and enforce network security controls.
At the same time, the government’s national security agencies need to do a better job of sharing intelligence, training and expertise with the chief executives of the companies responsible for those assets.
Captains of industry might be forgiven for resisting government efforts to increase the burdens on their companies in the name of national security. But they cannot be excused from overlooking the mounting threat of cyber attacks. In addition, the government needs to do its part to build greater unity and support for fighting a common, but growing, cyber threat.