Here we stand again on the precipice of another opportunity for lawmakers to take a proactive stance on cybersecurity legislation.
The increased intensity of talks between politicians and IT industry experts moved the ball slightly forward. But it also effectively exposed the not-so-flattering motivations of some of the stakeholders involved.
One of the biggest defining features of the bill drafted by Senators Lieberman and Collins that fizzled late last year had to do with the US Department of Homeland Security’s (DHS) interaction with the critical national infrastructure (CNI) companies that keep our lights buzzing, our water running, our fuel pumping and our dial-tone humming.
The proposed bill offered a generous exchange with CNI companies: Allow the DHS to scan, poke and prod their networks for vulnerabilities; in turn the feds would offer those companies liability indemnification in the event of a large scale security breach.
Should the DHS find vulnerabilities in these CNI companies’ systems, the companies would have to mitigate those risks if they were to get safe harbor from the government. Seems like a fair enough trade, right? But many of the insiders at these companies—leaders who helm the companies that control our nuclear power plants and cell phone towers, among other assets—pushed back against these provisions as too intrusive an action by the U.S. government.
But here’s the deal: these kinds of scans are already being done. Only, the people behind the wheel aren’t employed by OUR government. They’re operatives working for foreign governments and cyber terrorist groups. It’s a scary situation, but scarier still: there are many vulnerabilities to find and exploit within the IT systems and networks of these critical infrastructure companies. The kind of vulnerabilities that would make it trivial to shut down whole power grids or water mains with a single attack.
Identifying SCADA Threats
Security researchers concerned about such attacks have stepped up their efforts to find them and report them to the vendors who make the systems that control our critical infrastructure. In fact, in the first eight months of 2012, security researchers found 98 different vulnerabilities in supervisory control and data acquisition (SCADA) systems.
These types of flaws didn’t just hit the governmental radars in 2012. Experts within the security industry and various government agencies have warned about them for years, if not decades. And yet, critical national infrastructure companies have grown more dependent on automated systems without putting a commensurate amount of money into protecting these systems and proactively seeking to fill these holes themselves.
The public need look no further than the response by these companies’ leadership to the latest suggested cyber security bill for evidence. The NSA and other three-letter-acronymed US agencies have been trying to work with these organizations to clean up their acts with little success. Software security vendors have tried and often failed to convince CNI companies to employ better security controls.
The Case for CyberSecurity Legislation
And so this is why legislators have looked for ways to create a federal law that will force the hand of CNI companies into improving the security of the energy industry. It’s also why President Obama and his staff are considering and looking for ways to enact these policies through an executive order. And it is why some lawmakers say that passing a cybersecurity bill could be one of the biggest issues for US legislators to tackle in 2013.
Whether it comes as a law or an executive order, citizens of the USA deserve to have their representative leaders make these companies accountable. It’s something the intelligence community and the information security community want to see.
The only people who don’t want to see it happen are the executives and managers of critical national infrastructure companies. Quite frankly they’re frightened of the inevitable embarrassment that will come when the official microscope hovers over their practices, particularly if poor results were to carry real consequences.
Of course, this kind of regulatory oversight would only apply to critical infrastructure companies. Lawmakers still haven’t come up with anything that really works for keeping personally identifiable information reasonably protected. Breach notification laws are useless, HIPAA is toothless and most other regulations are closing the barn doors after the horse has left. But I guess you have to crawl before you can run.
The Case for Putting CEOs in the Stocks
When it comes down to it, though, I think maybe it’s shaming that needs to take precedence above all else. Sure, the stocks may not be legal but if only we could professionally flog the executives who choose not to protect our critical national infrastructure, I think we could go a long way towards achieving a safer 2013 and beyond.
That’s my take on the current state of critical national infrastructure. What’s yours? Leave a comment below.