President Obama on Tuesday signed an executive order to strengthen the cybersecurity of critical infrastructure by increasing information sharing and by jointly developing and implementing a framework of cybersecurity practices with industry partners. How is the technology industry responding?
Lawrence Reusing, general manager of mobile security at Imation, told us it's not news to say we live in a dangerous world -- but we are in a world that's becoming more and more interconnected every day. He pointed to a reality where organizations are being targeted through remote attacks and their employees are also being targeted as travelers so they can bring malicious threats back into the organization.
"For that reason, we need to be ever vigilant in protecting ourselves from the types of attacks -- and attack vectors -- emerging within the world we live in. The United States must take a leadership position by defining policies and procedures so that our critical infrastructure is protected," Reusing said, noting this includes making sure that nefarious interests cannot directly compromise our systems and that our own government employees are protected from themselves.
"As we've seen on more than one occasion, government employees have inadvertently carried malware and other malicious software into their work areas and have accidentally installed that software onto public IT infrastructure," Reusing said. "The security industry needs to give organizations an advantage over malicious software. A comprehensive approach to cybersecurity will address these and other scenarios."
Bill Morrow, CEO of Quarri Technologies, told us recent cyberattacks targeting several high-profile media companies and government agencies provides further proof that nation-states' threats are real. Not surprisingly, he said, criminals today are carrying out very targeted and efficient attacks and are becoming more brazen.
"There is a once-in-a-generation opportunity for our leaders in public and private industry to come together in the coming weeks in an effort to put measures in place to help minimize network risks to critical infrastructure that could occur in the future," Morrow said. "There are also a number of steps the private and public sector can take in what I would call preventative medicine."
First, he argued, it is imperative that private and public industry get a better handle on which threats are the most harmful to our own interests in the United States, as this will allow us to allocate resources in the right places. Second, he continued, private industry is a leader in innovation and many of the best IT security products in the world have been developed within our borders.
"We need private industry to continue being innovators, as next-generation products are the key in the fight against cyber terrorists," Morrow said. "Our government plays a leading role in determining when disruptions or damage to critical infrastructure such as banking systems, water treatment plants, SCADA [supervisory control and acquisition] systems, and air traffic control are occurring, and can then quickly and efficiently work in conjunction with private industry to diagnose and mitigate risk as quickly as possible."
Proceed with Caution
Obama's order, implemented after months of frustration at getting Congress to pass cybersecurity legislation, directs government agencies, to develop voluntary cybersecurity standards for companies operating the nation's vital infrastructure, such as power grids and air traffic control systems. It instructs the agencies to consider including those standards in regulations.
Tom Cross, director of security research at Lancope, told us over the past few years, computer-based espionage and sabotage of facilities has become increasingly brazen. He pointed to malware like Stuxnet, which demonstrates that computer software designed to break plant equipment is not science fiction.
"Many people believe that industrial control systems are impervious to attack because they are 'air-gapped' from the Internet," he said. "In practice this is rarely the case. There are a variety of interconnection points that find their way into these networks as they grow, to provide access to data and keep software updated, and malicious software can cross these interconnection points."
He agreed that the vulnerability of our critical infrastructure to computer attacks is a national security concern, and that it makes sense for the government to take steps that help ensure that these facilities are protected.
"The U.S. government has access to information about attack activity and best practices that operators need to adequately protect themselves. However, the devil is in the details," Cross said. "Overzealous regulations can hamper efforts to protect computer systems rather than aiding them, by creating barriers instead of breaking them down, or by introducing civil liberties concerns that have unintended consequences. Although action is needed, it is just as important that those actions be taken with care."