Blame for critical infrastructure weaknesses starts with Congress
There was another hearing on Capitol Hill in July about cybersecurity and protecting the nation’s critical infrastructure, and once again the news was grim.
Federal information security has been on the Government Accountability Office’s high-risk list since 1997 (it was the General Accounting Office back then), and this was expanded in 2003 to include the information systems supporting critical infrastructure. This area has been a presidential priority since 1998, but little, if any, improvement has been made in that time.
“Despite the actions taken by several successive administrations and the executive branch agencies, significant challenges remain to enhancing the protection of cyber-reliant critical infrastructures,” Gregory Wilshusen, GAO’s director of information security issues, told the House Energy and Commerce Committee's Oversight and Investigations Subcommittee on July 26. “The threats to information systems are evolving and growing, and systems supporting our nation’s critical infrastructure are not sufficiently protected to consistently thwart the threats.”
New vulnerabilities keep being discovered, and new breaches keep occurring, in government and commercial IT systems as fast as they can be patched and contained. Protecting IT systems is a technical challenge, of course, but the shortcomings that are crippling our IT security stem largely from a lack of effective governance and oversight.
The primary challenges cited by Wilshusen all involved some lack of clear lines of authority, clearly articulated goals and priorities, planning, and cooperation. The people with front-line responsibility for securing systems are not incompetent, and the technology usually exists to do what must be done, but there is no clear direction on what should be done or — just as important — what should be done first.
It is not the job of Congress to make these decisions. But it is Congress' job to establish clear authority and responsibility for making them, provide funding so that they can be carried out, and ensure some adult oversight.
Unfortunately, this Congress has demonstrated an inability to do these jobs and provide that oversight. While senators and representatives posture for political position, agencies and industries have been struggling to deal with new vulnerabilities and exploits as they crop up with few long-range plans or priorities. The Homeland Security Department has the nominal lead in protecting civilian government and privately owned critical systems, but the Office of Management and Budget still has authority for enforcing the Federal Information Security Management Act, and DHS has little or no authority in the private sector.
Progress is being made. The National Institute of Standards and Technology regularly updates guidelines and standards for information security and the Smart Grid Interoperability Panel is building a catalog of standards for securing the emerging smart energy grid. But clear authority for enforcing standards both in government and industry is lacking.
Agencies do not need a set of draconian, one-size-fits-all rules. They do need a clear set of responsibilities, priorities and goals to guide cybersecurity programs so that full advantage can be taken of the good work front-line practitioners and administrators are doing.
The country would be better served by a Congress that legislates responsibly rather than floundering in crises of its own making while it ignores the hard day-to-day work of government.