The Stuxnet Trojan illustrated the risk posed to critical infrastructure facilities even when they are somewhat isolated from the Internet. Stuxnet was designed to disrupt the complex operations at an Iranian uranium enrichment facility. Signs have surfaced that information gathering has increased the threat against power plants, oil and chemical refineries and the infrastructure serving as the backbone to the financial industry.
Flame, a highly sophisticated cyberespionage attack toolkit, was detected on the systems of individuals in Lebanon, Syria, Sudan and Israel. Shamoon, Duqu and Gauss were designed to target specific individuals and steal as much data from their systems as possible. Google and other private-sector companies also were targeted by nation-state groups.
Industry groups and security experts praised the executive order, calling it an important step in increasing the discussion and getting Congress to take action on meaningful legislation, creating a law that frees private-sector companies to share threat information with federal officials. They say that for threat information sharing to work, information needs to be reliable and actionable, with significant data flowing from both the government and the private sector.
The government needs to measure the threats and vulnerabilities and provide meaningful data, said William Hugh Murray, a longtime security industry veteran and consultant based in New Canaan, Conn. Security vendors and Internet service providers have plenty of threat intelligence data, but the government often fails to provide specific information about the threats it perceives, Murray said.
"The government screams loudly about things that from my perspective are not attributable and lack depth," Murray said. "We've already got so much information that we don't know what to do with it all so I don't think it's a lack of intelligence we've got right now, the problem is that managing all of this security stuff is really hard."
Other experts agree with Murray, pointing out that defending intellectual property and sensitive systems isn't difficult due to a lack of threat intelligence -- the difficulty lies in complex, interconnected systems and many basic security issues. Critical systems are plagued with gratuitous connections, poor authentication and weak and default passwords, not a lack of intelligence, they say.
BITS, the technology policy division of The Financial Services Roundtable, a trade group for financial institutions, issued a statement calling the executive order a step forward. The organization said it supports legislation that increases sharing of threat data and analysis between private- and public-sector organizations.
"The passage of cybersecurity legislation clarifying the legal authority to share threat information is essential. We look forward to working with Congress to achieve this goal," said Paul Smocer, president of BITS.
Tom Cross, research director at network security firm Lancope, said critical infrastructure protection is an imperative as attacks such as Stuxnet demonstrate how plant equipment can be disrupted.
"There are a variety of interconnection points that find their way into these networks as they grow, to provide access to data and keep software updated, and malicious software can cross these interconnection points," Cross said. "The U.S. government has access to information about attack activity and best practices that operators need to adequately protect themselves. However, the devil is in the details."