"We need private industry to continue being innovators, as next-generation products are the key in the fight against cyber terrorists," Morrow said. "Our government plays a leading role in determining when disruptions or damage to critical infrastructure such as banking systems, water treatment plants, SCADA [supervisory control and data acquisition] systems, and air traffic control are occurring, and can then quickly and efficiently work in conjunction with private industry to diagnose and mitigate risk as quickly as possible."
Proceed with Caution
Obama's order, implemented after months of frustration at getting Congress to pass cybersecurity legislation, directs government agencies to develop voluntary cybersecurity standards for companies operating the nation's vital infrastructure, such as power grids and air traffic control systems. It instructs the agencies to consider including those standards in regulations.
Tom Cross, director of security research at Lancope, told us that over the past few years, computer-based espionage and sabotage of facilities have become increasingly brazen. He pointed to malware like Stuxnet, which demonstrates that computer software designed to break plant equipment is not science fiction.
"Many people believe that industrial control systems are impervious to attack because they are 'air-gapped' from the Internet," he said. "In practice this is rarely the case. There are a variety of interconnection points that find their way into these networks as they grow, to provide access to data and keep software updated, and malicious software can cross these interconnection points."
He agreed that the vulnerability of our critical infrastructure to computer attacks is a national security concern, and that it makes sense for the government to take steps that help ensure that these facilities are protected.
"The U.S. government has access to information about attack activity and best practices that operators need to adequately protect themselves. However, the devil is in the details," Cross said. "Overzealous regulations can hamper efforts to protect computer systems rather than aiding them, by creating barriers instead of breaking them down, or by introducing civil liberties concerns that have unintended consequences. Although action is needed, it is just as important that those actions be taken with care."