SCADA protection should remain in private hands

Published 11 October 2007

Critics say that DHS’s plan to join with NSA to take the lead in protecting SCADA not only raises privacy concerns, but would be ineffective

The U.S. National Security Agency (NSA) is planning to take the lead in a federal initiative to monitor and protect the control and communications networks that serve the nation’s critical infrastructure. William Jackson writes in GCN that security can be a good thing, but that there is a need to ask whether the government is equipped to do the best job of protecting these networks and whether, in any event, we want to entrust this job to the government. He says that the answer to both questions is no.

Supervisory control and data acquisition systems (SCADA), which form the nexus of information technology and physical infrastructure, have been recognized for several years as a “critical chink in the armor” of U.S. cyberdefenses as they become increasingly connected to the Internet. In 2004 DHS told a House committee that the department had identified 1,700 facilities across the country which pose a risk to the nation’s critical infrastructure, but that the department lacked the authority to mandate that companies and state and local governments correct vulnerabilities. The same year, the Government Accountability Office (GAO) recommended that DHS “develop and implement a strategy for coordinating with the private sector and other governmental agencies to improve control system security.”

Scott Borg, director and chief economist at the Cyber Consequences Unit, an independent research institute, said SCADA networks in critical infrastructures are prime targets for would-be cyberterrorists. “Cyberattacks on those industries have the greatest potential to cause our country huge losses of life and value,” Borg said. “Critical infrastructure industries are also the most likely targets for serious cyberattackers.”

Now, reports say that the plan being hatched by NSA and DHS calls for the government to take the lead in monitoring networks to detect threats. The plan, writes Jackson, may give agencies a blank check for the kind of network access which historically has required a warrant. The government would no doubt argue that the access is necessary to identify and respond to threats, but “putting private-sector communications into the hands of government overseers is a breach of privacy. Regardless of how they use the information, privacy has been breached as soon as they have access to it.” Privacy concerns aside, it is not clear that this approach would be effective. “To be effective, any efforts to protect the critical infrastructure industries need to be led by cybersecurity experts who know something about these industries, not just people whose chief experience is with the government and military,” Borg said. Resources could be better spent improving the security of systems we are trying to protect, he said. “We should be designing robust, self-restoring systems that an intruder can’t easily harm or hijack.”

“The government has a legitimate interest and a valid role to play in protecting the nation’s critical infrastructure,” Jackson concludes, “but except in the government’s own networks, that role is not active surveillance or control.” Rather, it is a regulatory role, in which it sets standards for the private sector, enforces compliance, funds research and development into security technology, and helps make that technology available where needed. “Allowing unfettered government access to the contents of the nation’s communications networks is too high a price to pay for a sense of security that could, in the end, prove false,” he says.