Critical infrastructureBusinesses cannot defend against cyber attacks, expert says

In a recent testimony before Congress, a cyber security expert warned that the private sector in the United States has proven unable to defend the nation’s critical cyber infrastructure from attack.

At a House cyber security subcommittee hearing on 16 March 2011, James Lewis, the head of the technology and public policy program at the Center for Strategic & International Studies, a think tank in Washington, D.C., said that the private sector has been largely responsible for protecting critical portions of U.S. networks for the past ten years and “it’s not working.”

According to Lewis, businesses own 85 percent of critical infrastructure and they have not invested in the skills or technology to secure it from cyber attack leaving the electrical grid, financial services, and other key elements vulnerable.

“We are not prepared to defend ourselves,” he said.

The most immediate and realistic threats to U.S. networks were from foreign intelligence agencies, organized gangs, and corporate spies. So far these malicious actors have successfully infiltrated banks, multinational corporations, and even government websites.

Analysts at McAfee recently announced that hackers had stolen sensitive data worth millions from five major multinational oil and gas companies. Hackers stole company secrets like bidding contracts, oil exploration data, proprietary industrial processes, and sensitive financial documents.

Dmitri Alperovitch, vice president for threat research at McAfee, said, “It speaks to quite a sad state of our critical infrastructure security,” because “these were not sophisticated attacks, yet they were very successful in achieving their goals.”

Lewis said that most companies lack the financial incentives to secure their networks, while others have proven ineffective.

“No sector has a greater incentive than banks to protect their networks. They are a constant target. Some banks, particularly top-tier banks, have sophisticated defenses. Despite this, they are hacked,” he said.

“If banks cannot protect themselves, why do we think other sectors will be able to do so?”

Lewis added that most companies do not invest as much as banks in cyber security as it “requires them to spend on nonproductive assets” that companies “will not get an increased return on investment” from. As a result, they simply do not install cyber defenses.

To bolster U.S. networks, Lewis urged lawmakers to impose regulations on the private sector.

He said, “Regulation is unpleasant, but in some cases, the alternative is worse. Cyber security is one such case.”

For the regulations to be most effective, he suggested that the private sector play a substantial role in helping to develop guidelines.

The increasing prevalence of cloud computing could also help to alleviate cyber security concerns in the private sector.

Mischel Kwon, the former director of the U.S. Computer Emergency Readiness Team (CERT), was also present at the subcommittee’s hearing and explained that cloud computing is putting cyber defense in the hands of real experts.

Kwon said, “Soon most companies, even government departments and agencies, will no longer have data centers, or continue to manage their own e-mail servers, applications or desktops,” as they move to cloud computing systems.

By building security measures into cloud computing, cyber security efforts could be centralized thereby reducing costs, minimizing the “cyber talent pool shortage,” and increase defense capabilities.