Government role in protecting private sector in cyberwar debated
By GEOFF ZIEZULEWICZ | STARS AND STRIPES Published: June 2, 2011
While last month’s cyber attack on defense giant Lockheed Martin has drawn concern about vulnerabilities in the defense industry, cyber watchers have also debated the role the U.S. government should play in protecting the so-called “critical infrastructure networks,” the corporate computer systems that run power grids, oil companies and other vital elements of modern society.
Many analysts say it’s only a matter of time before these networks are hit with a crippling cyber attack that cuts the electricity, water or telecommunications across a swath of America.
Proponents of more government intervention argue that this is a matter of national security, while opponents say it would be tantamount to a Big Brother-style system, where the government is privy to all the details of private companies.
The Pentagon is in charge of cyber offensives and protection of “.mil” networks, while the Department of Homeland Security is tasked with leading other government efforts and private sector outreach.
But the private sector is responsible for protecting its own networks, and there is a cost factor, said Daniel Kuehl, head of the National Defense University’s Information Strategies Concentration Program.
“They’re willing to spend the last nickel they need on security, but not the next nickel,” Kuehl said. “That opens them up to more vulnerabilities.”
Some businesses have begun to regulate themselves. The North American Electric Reliability Corporation, a consortium of power companies, has mandatory and enforceable cyber-security regulations for its members, according to spokeswoman Kimberly Mielcarek.
“We feel that the electric industry is leading the charge on this issue,” Mielcarek said in an email. “We agree that if there is a threat of imminent danger, the federal government should designate one agency to be in charge to avoid any confusion, make efforts streamlined and communication easier.”
The threat against essential private sectors is growing, but defenses lag behind, according to a report released this year by the Center for International and Strategic Studies and internet security company McAfee.
Between one-fifth and a third of all respondents said their company was not prepared for cyber-attacks, the report states.
“The professionals charged with protecting these systems report that the threat has accelerated,” it states, “but the response has not.”
The report surveyed 200 anonymous executives from 14 countries in the energy, oil, gas and water sectors, and found the Western world lagging.
“If there is a race among governments to harden their civilian infrastructure against cyber-attack, these responses suggest Europe and the United States are falling behind Asia,” according to the report.
The defense industry has been more receptive to government cooperation on cyber defense, but that is partly because those companies earn profits through lucrative defense contracts, according to Alan Paller, head of research for the SANS Institute, a consortium for information security training and development.
“It was the same way in the defense industrial base until the big breaches,” he said. “That’s not irrational, if they don’t believe the threat is real.”
Kuehl said a cyber attack on a power plant would be an act of war. “We’ve been doing that with bombs for 100 years,” he said.
A Defense Department strategy for cyber-security, to be released in June, does not rule out punishing cyber attacks on vital infrastructure with conventional weapons.