After 13 years, critical infrastructure security still lacking

• By William Jackson
• Jul 27, 2011

After 13 years of presidential directives, legislation and cybersecurity initiatives, threats to the nation’s critical infrastructure continue to grow, members of a panel of government officials told a subcommittee of the House Energy and Commerce Committee subcommittee July 26.

“Despite the actions taken by several successive administrations and the executive branch agencies, significant challenges remain to enhancing the protection of cyber-reliant critical infrastructures,” Gregory Wilshusen, the Government Accountability Office’s director of information security issues, said in a prepared statement to the  Oversight and Investigations Subcommittee.

“The threats to information systems are evolving and growing, and systems supporting our nation’s critical infrastructure are not sufficiently protected to consistently thwart the threats,” Wilshusen said.

---

Related coverage:

U.S. not prepared for 'potentially devastating' cyberattacks, House panel told

Cyberattacks on infrastructure are the 'new normal'

---

GAO designated federal information security as a high-risk area in 1997. It has remained on the list since, and the category was expanded in 2003 to include security of information systems supporting critical infrastructure. When the latest biennial list of high-risk programs was released in February, federal and critical infrastructure IT security again was there.

Critical infrastructure includes, among other things, the nation’s financial systems, telecommunications networks, and energy production and transmission facilities, most of which are owned by the private sector. Their critical status and private ownership requires a level of partnership and cooperation to secure them that government has struggled to establish, with the Homeland Security Department as the focal point.

“The United States faces a combination of known and unknown vulnerabilities, strong and rapidly expanding adversary capabilities, and a lack of comprehensive threat and vulnerability awareness,” DHS officials wrote in prepared testimony.

Roberta Stempfley, DHS acting assistant secretary in the Office of Cyber Security and Communications, and Sean McGurk, director of the National Cybersecurity and Communications Integration Center, described the department’s efforts to work with industry.

“Initiating technical assistance with a private company to provide analysis and mitigation advice is a sensitive endeavor — one that requires trust and strict confidentiality,” they wrote. “Within our analysis and warning mission space, DHS has a proven ability to provide that level of trust and confidence in the engagement.”

However, the department has no regulatory authority and relies on voluntary cooperation from the private sector, and security has lagged behind rapidly evolving and growing cyber threats.

Protecting privately owned critical infrastructure was identified as priority in President Decision Directive 63, released in May 1998, which led to the establishment of industry sector Information Sharing and Analysis Centers.

DHS was created and given responsibility for critical infrastructure protection in 2002, and was given the lead for civilian and private sector security in the 2003 National Strategy to Secure Cyberspace.

It was given additional responsibilities in the 2003 Homeland Security Presidential Directive 7. In 2009, the president’s Cyberspace Policy Review was released and the National Infrastructure Protection Plan was updated.

These efforts are offset by a litany offered by Wilshusen of high-profile attacks against U.S. companies and systems over the last two years. These include breaches reported in January 2010 of at least 30 technology companies, including Google, which reported the incidents, and the discovery of Stuxnet in July. Incidents in 2011 included numerous breaches of defense contractors and security companies in the United States and Europe.

The United States faces a variety of adversaries in cyberspace, DHS reported, some capable of targeting systems on which the nation depends, with the ability to disrupt or destroy them.

Wilshusen identified these areas to protecting critical infrastructure that relies on networked technology:

• Implementing actions recommended by the president’s 2009 cybersecurity policy review, which has been slower than expected because of a lack of clear authority in executive branch departments.
• Updating the national strategy for securing the information and communications infrastructure by clearly articulating goals and priorities, prioritizing assets and functions and improving public-private partnerships.
• Reassessing DHS’ planning approach to critical infrastructure protection, focusing on planning for specific industry sectors.
• Strengthening public-private partnerships, particularly for information sharing.
• Enhancing the national capability for cyber warning and analysis, a function of US-CERT.
• Addressing global aspects of cybersecurity and governance to improve international cooperation in policy making and law enforcement.
• Securing the modernized electricity grid, referred to as the “smart grid,” for which security policy, practices and standards are being developed as the technology is being rolled out.

“Until these actions are taken, our nation’s cyber critical infrastructure will remain vulnerable,” Wilshusen wrote.