CybersecurityDueling legislation over cybersecurity regulations

No one doubts that one of the leading concerns in anti-terrorist security is the possibility that terrorists with more advanced computer skills would be able to access the control systems for critical infrastructure components.

Consider post-Katrina New Orleans to help visualize the impact of such a cyberattack. No electricity. No fresh water. Limited traffic control, and difficulties in leaving the affected area. Severely curtailed emergency response.

There is a legislative conflict, however, regarding what is the best way to prevent and prepare for a cyberattack on U.S. critical infrastructure. There is now a conflict on the Hill between two competing bills, one imposing stringent standards on utilities and infrastructure providers, while the second makes such protection voluntary.

The legislation that has attracted the most attention is co-sponsored by Senators Joe Lieberman (I-Connecticut) and Susan Collins (R-Maine), which would require that operators of public infrastructure components report to DHS any intrusions or attempted intrusion into their control systems. Currently, such reporting is voluntary, and security analysts maintain that only a small fraction of such intrusions are reported.

The Lieberman-Collins initiative would also set minimum standards which infrastructure operators would be required to meet. It is this aspect of the proposed legislation that is meeting the greatest resistance from the private sector.

Supporters of the legislation say that owners and operators of critical infrastructure components are simply unaware of the vulnerabilities in their systems, and are therefore unlikely to make the expenditures to secure their systems.

In an interview with National Public Radio, Sean McGurk, as director of the National Cybersecurity and Communications Integration Center at DHS, visited hundreds of power stations, water facilities, and other critical assets.

McGurk recalls: “In every case, we were told that the systems were completely isolated from the enterprise network or the Internet, that there were no direct connections… and in no case has that ever been true. In hundreds of vulnerability assessments, we’ve always found connections between the equipment on the manufacturing floor and the outside world.”

When originally installed, the operating equipment was indeed discreet and unconnected to the Internet.

In the intervening years, upgrades and improvements opened access to the “shop floor” via the Internet.

Competing with the Lieberman-Collins proposal is one co-authored by Senator John McCain (R-Arizona) that would make voluntary much of what Lieberman-Collins makes mandatory.

Support for the McCain proposal comes largely from the business community. “There’s been an awful lot written about cybersecurity and the threat of it,” said Robert Johnston, president and CEO of MEAG Power in Atlanta. “There are a lot of people who want to spend a huge amount of money on something that we have not necessarily identified.”

According to NPR, Johnson made his comments in the business journal Energybiz. “Show me an event where we’ve lost systems due to cyberterrorism,” he said. “I’m not aware of one.”

As of now, intelligence estimates are that the technical capability to attack critical infrastructure is not yet in the hands of the most malicious actors. It is not unreasonable to assume, however, that they are hard at work in developing those skills and capabilities. There is no reason to believe that they will not use them once they have them.

This provides a window of opportunity for critical infrastructure facilitirs to strengthen and reinforce their defenses, as well as enhance communication of attempted attacks as an alert to similar entities.