After 13 years, critical infrastructure security still lacking
After 13 years of presidential directives, legislation and
cybersecurity initiatives, threats to the nation’s critical
infrastructure continue to grow, members of a panel of government
officials told a subcommittee of the House Energy and Commerce Committee
subcommittee July 26.
“Despite the actions taken by several successive administrations and
the executive branch agencies, significant challenges remain to
enhancing the protection of cyber-reliant critical infrastructures,”
Gregory Wilshusen, the Government Accountability Office’s director of
information security issues, said in a prepared statement to the
Oversight and Investigations Subcommittee.
“The threats to information systems are evolving and growing, and
systems supporting our nation’s critical infrastructure are not
sufficiently protected to consistently thwart the threats,” Wilshusen
U.S. not prepared for 'potentially devastating' cyberattacks, House panel told
Cyberattacks on infrastructure are the 'new normal'
GAO designated federal information security as a high-risk area in
1997. It has remained on the list since, and the category was expanded
in 2003 to include security of information systems supporting critical
infrastructure. When the latest biennial list of high-risk programs was
released in February, federal and critical infrastructure IT security
again was there.
Critical infrastructure includes, among other things, the nation’s
financial systems, telecommunications networks, and energy production
and transmission facilities, most of which are owned by the private
sector. Their critical status and private ownership requires a level of
partnership and cooperation to secure them that government has struggled
to establish, with the Homeland Security Department as the focal point.
“The United States faces a combination of known and unknown
vulnerabilities, strong and rapidly expanding adversary capabilities,
and a lack of comprehensive threat and vulnerability awareness,” DHS
officials wrote in prepared testimony.
Roberta Stempfley, DHS acting assistant secretary in the Office of
Cyber Security and Communications, and Sean McGurk, director of the
National Cybersecurity and Communications Integration Center, described
the department’s efforts to work with industry.
“Initiating technical assistance with a private company to provide
analysis and mitigation advice is a sensitive endeavor — one that
requires trust and strict confidentiality,” they wrote. “Within our
analysis and warning mission space, DHS has a proven ability to provide
that level of trust and confidence in the engagement.”
However, the department has no regulatory authority and relies on
voluntary cooperation from the private sector, and security has lagged
behind rapidly evolving and growing cyber threats.
Protecting privately owned critical infrastructure was identified as priority in President Decision Directive 63, released in May 1998, which led to the establishment of industry sector Information Sharing and Analysis Centers.
DHS was created and given responsibility for critical infrastructure
protection in 2002, and was given the lead for civilian and private
sector security in the 2003 National Strategy to Secure Cyberspace.
It was given additional responsibilities in the 2003 Homeland Security Presidential Directive 7. In 2009, the president’s Cyberspace Policy Review was released and the National Infrastructure Protection Plan was updated.
These efforts are offset by a litany offered by Wilshusen of
high-profile attacks against U.S. companies and systems over the last
two years. These include breaches reported in January 2010 of at least
30 technology companies, including Google, which reported the incidents,
and the discovery of Stuxnet in July. Incidents in 2011 included
numerous breaches of defense contractors and security companies in the
United States and Europe.
The United States faces a variety of adversaries in cyberspace, DHS
reported, some capable of targeting systems on which the nation depends,
with the ability to disrupt or destroy them.
Wilshusen identified these areas to protecting critical infrastructure that relies on networked technology:
- Implementing actions recommended by the president’s 2009
cybersecurity policy review, which has been slower than expected because
of a lack of clear authority in executive branch departments.
- Updating the national strategy for securing the information and
communications infrastructure by clearly articulating goals and
priorities, prioritizing assets and functions and improving
- Reassessing DHS’ planning approach to critical infrastructure protection, focusing on planning for specific industry sectors.
- Strengthening public-private partnerships, particularly for information sharing.
- Enhancing the national capability for cyber warning and analysis, a function of US-CERT.
- Addressing global aspects of cybersecurity and governance to improve
international cooperation in policy making and law enforcement.
- Securing the modernized electricity grid, referred to as the “smart
grid,” for which security policy, practices and standards are being
developed as the technology is being rolled out.
“Until these actions are taken, our nation’s cyber critical infrastructure will remain vulnerable,” Wilshusen wrote.