CYBEREYE

Blame for critical infrastructure weaknesses starts with Congress

There was another hearing on Capitol Hill in July about cybersecurity and protecting the nation’s critical infrastructure, and once again the news was grim.

Federal information security has been on the Government Accountability Office’s high-risk list since 1997 (it was the General Accounting Office back then), and this was expanded in 2003 to include the information systems supporting critical infrastructure. This area has been a presidential priority since 1998, but little, if any, improvement has been made in that time.

“Despite the actions taken by several successive administrations and the executive branch agencies, significant challenges remain to enhancing the protection of cyber-reliant critical infrastructures,” Gregory Wilshusen, GAO’s director of information security issues, told the House Energy and Commerce Committee's Oversight and Investigations Subcommittee on July 26. “The threats to information systems are evolving and growing, and systems supporting our nation’s critical infrastructure are not sufficiently protected to consistently thwart the threats.”

New vulnerabilities and breaches continue to be discovered in government and commercial IT systems as fast as they can be patched and protected. Protecting IT systems is a technical challenge, of course, but the shortcomings that are crippling our IT security stem largely from a lack of effective governance and oversight.

The primary challenges cited by Wilshusen all involved some lack of clear lines of authority, clearly articulated goals and priorities, planning, and cooperation. The people with front-line responsibility for securing systems are not incompetent, and the technology usually exists to do what must be done, but there is no clear direction on what should be done or — just as important — what should be done first.

It is not the job of Congress to make these decisions. But it is Congress' job to establish clear authority and responsibility for making them, provide funding so that they can be carried out, and ensure some adult oversight.

Unfortunately, this Congress has demonstrated an inability to do these jobs and provide that oversight. While senators and representatives posture for political position, agencies and industries have been struggling to deal with new vulnerabilities and exploits as they crop up with few long-range plans or priorities. The Homeland Security Department has the nominal lead in protecting civilian government and privately owned critical systems, but the Office of Management and Budget still has authority for enforcing the Federal Information Security Management Act, and DHS has little or no authority in the private sector.

Progress is being made. The National Institute of Standards and Technology regularly updates guidelines and standards for information security and the Smart Grid Interoperability Panel is building a catalog of standards for securing the emerging smart energy grid. But clear authority for enforcing standards both in government and industry is lacking.

Agencies do not need a set of draconian, one-size-fits-all rules. They do need a clear set of responsibilities, priorities and goals to guide cybersecurity programs so that full advantage can be taken of the good work front-line practitioners and administrators are doing.

The country would be better served by a Congress that legislates responsibly rather than floundering in crises of its own making while it ignores the hard day-to-day work of government.

Reader Comments

Wed, Aug 17, 2011 Nero Ground Zero Rome

With one thing I can agree completely, "The country would be better served by a Congress that legislates responsibly rather than floundering in crises of its own making while it ignores the hard day-to-day work of government." The imperial legislature has become so dysfunctional that there is little sense in attempting a critique, let alone a cure.

Tue, Aug 16, 2011 Howard Was DC now FL

Attended many meetings on this subject and the bottom line was who was going to pay (read as tax dollars) for the system upgrades to provide adequate security for Industrial (Public) CI Systems. Homeland Security Department & CI system security = an oxymoron, unless you are thinking about a PS that monitors and controls all system data transmissions and interfaces. Our Legislature is CLUELESS on this and their Lobbyist advisors are also totally in the dark. There is a general lack of ILFs within the Beltway when it comes to how to deal with a problem that requires PM attributes. Any idiot can see this Nation has no one in charge with the authority to address this National Security Problem; Lobbyists will not allow the Legislature to touch it and the Judiciary only wants to throw everything under the HD to ensure it's monitored and controlled. Good luck on this one.

Tue, Aug 16, 2011

Why should Congress be involved at all in critical infrastructure protection for private sector? The various industries, on their own, should have taken appropriate measures, or risk going out of business. Stupidity should be painful. Just as an aside, anything really critical should have been air-gapped from public internet in the first place. They can use the same technology and software, just set it up in its own little universe.

Tue, Aug 16, 2011 Former DHS Bethesda, MD

Throughout the Bush administration, DHS efforts to protect critical infrastructure were extremely convoluted and burdened by technically-unqualified political appointees. In particular, critical infrastructure "protection" was an expensive and ineffective exercise in setting up government/industry committees, while the DHS office responsible for protection spent all its time and attention on physical barriers (e.g. new fences) and more guards. Unable and actually unwilling to understand the cyber threat, that office wasted hundreds of millions of dollars annually on "security theater". Now its former leadership pontificates at conferences and leverages insider relationships with DHS cronies to obtain contract payments for more of the same -- shameful! The DHS IG, DoJ or Congress should be investigating contracts awarded in this area.
