DHS Secretary Calls For Public, Private Partnership To Protect Critical Infrastructure
6:23 PM EST Wed. Oct. 31, 2012
The U.S. Secretary of Homeland Security is calling for an enhanced public-private partnership that includes increased information sharing and the development of best practices in order to help defend U.S. critical infrastructure against cyber attacks.
Department of Homeland Security Secretary Janet Napolitano addressed a cybersecurity summit hosted in the District of Columbia by the Washington Post newspaper.
"Cyber [capabilities] extend into every aspect of our everyday life, and the nation is constantly under attack," she said. "Secretary Panetta sounded the alarm, and I do as well."
Napolitano was referring to statements made earlier this month by Defense Secretary Leon Panetta, indicating that the United States is currently vulnerable to a "cyber Pearl Harbor," and that his department is in the process of drafting preemptive, first-strike policies and capabilities. Panetta expressed concerns that foreign governments, hacktivists and terrorist groups could cause significant damage to the country by attacking the nation's power grid, financial networks, transportation system and other critical infrastructure.
During her comments at the Washington Post conference, Secretary Napolitano echoed those concerns and called for immediate action by the federal government to strengthen defenses against cyber attacks.
"Control system attacks are the most critical," she said. "The cascading effects are immediate, and they can be life-threatening."
The Department of Homeland Security is charged with protecting the government's non-classified networks, and works with other agencies to investigate and protect the communications grid, as well as a host of other critical systems. In an emergency, the agency is also expected to coordinate national response to significant incidents. "We look and act like a cyber-FEMA," she said.
Losses from cyber attacks are difficult to assess. Estimates discussed at the conference ranged from $114 billion annually to $400 billion annually, depending on which elements were added into the equation. Napolitano also said that the absence of clear guidelines and policies for information sharing is another reason why accurate estimates are difficult to produce.
The secretary also acknowledged the Lieberman-Collins bill, which was shot down in the Senate last summer, due to concerns about impacts on business, as well as privacy issues.
"Legislation is 'kind of stuck' in the Senate," she said. "There may be another attempt [at passage] in the lame-duck session, depending on Tuesday's election."
"If Congress cannot act, then other options need to be pursued," she added. "We have to step up our game. The nation's security is involved."
Napolitano stopped short of prescribing specific changes to policies and regulations, but she called for the public sector and the private sector to work more closely together to arrive at an arrangement that would be both equitable and effective. Such an agreement would likely include real-time information sharing and the development of best practices to protect critical infrastructure, she said.
In the event that legislation is not passed, DHS Secretary Napolitano urged President Obama to issue an executive order in support of security objectives. But, she acknowledged that such an order coming from the Oval Office would have limitations, particularly in the area of liability protection for companies under attack that share information with government agencies and other groups involved in protecting the infrastructure. Such protection, she said, could only come through congressional action.
One of the obstacles associated with any government action involves the likelihood that regulations and best practices would also be known by the attackers, who could then revise their exploits to circumvent the additional defenses.
Beyond the domestic discussion, the secretary also noted the need to strengthen the international framework for investigation, forensics and deterrence against cyber attacks. "The U.S. and European Union are currently having dialogues in an attempt to develop agreements and protocols on this matter," she added.
At the conclusion of Napolitano's comments and subsequent interview, the event turned toward a fictional scenario in which a large oil company was struck by a virus that destroyed 40,000 computers. A number of people involved in the protection of sensitive infrastructure played the roles of the various parties who would be involved in such a dialogue, either from federal agencies or from the fictional oil company in question. But progress quickly broke down amid the oil company CEO's concerns that exposing too much information would entail legal exposure and other negative ramifications for his company. Various individuals who spoke at the conclusion of this exercise indicated that the same course of events would likely transpire in real life.
"We need to set up a process for private and public to assess risk and come up with a set of minimal standards for response," said Jeff Ratner, senior advisor to the Senate Homeland Security and Government Affairs Committee. "Regulatory fines have now moved toward liability protections and procurement incentives around government contracts."
But such actions do not go far enough, according to James Lewis, program director at the Center for Strategic and International Studies. "Incentives need to be tax breaks and direct financial benefits, as opposed to [preferential treatment] in the contract process," he said.
The discussion also turned toward the political ramifications of counterattacks, and whether such measures should be reserved to the federal government, or whether victimized corporations should have the opportunity to take direct action. Most favored a governmental response, but penetration tester Raphael Mudge, the founder of Strategic Cyber, LLC and self-described "white hat hacker," said that a direct response from the private sector could sometimes have a favorable impact.
"Oftentimes, it's possible to reach in and control those systems like the bad guy would, and shut down the attack," he explained. Mudge went on to say that security in support of the command-and-control servers is not always as impenetrable as people might assume.