Last week, Homeland Security Secretary Janet Napolitano warned that a cyber attack is looming on the horizon — an attack so big that it would rival Superstorm Sandy for its impact. This warning comes a few months after then-Defense Secretary Leon Panetta warned that we are heading for a cyber attack that would rival Pearl Harbor or 9/11 in its scope and damage.
In her comments, Napolitano then went on to say that Congress needs to act on cybersecurity legislation, particularly legislation that would promote sharing of information between private corporations and the critical infrastructure industry. Legislation along this line, if you remember, failed in Congress last fall.
I totally support the idea of cybersecurity legislation, and I do think that industries across the board need to do a better job communicating with each other. I know Napolitano is highlighting the outages caused by Sandy – no electricity, gas shortages – but I think we need to look back to the summer when the lights went out from Cleveland to New York because of a problem in the power grid. That’s the type of attack we’re going to see – possibly widespread and totally unexpected. The issue isn’t how to get things running after the damage is done but how to prevent the damage from happening in the first place. As Chris Petersen, CTO of LogRhythm, told me in an email:
Today, the utilities and critical infrastructure industries in the United States are under constant cyberattack from nation states and other groups. It is no longer a matter of if power grids, telecommunications networks, chemical plants, water supplies and other critical infrastructure will be attacked, but when will the next attack occur. Bolstering their IT security hardware, policies and procedures should be mandated because the stakes are too high and the damaging blow it could land to the citizens of this country and our economy is far too great to overlook any longer.
But I can’t help but think that Napolitano’s plea comes now as an attempt to push through the legislation. Yes, the threat looms. I don’t disagree with that, but is she making the possibility of the threat larger in order to scare folks into passing legislation? Something has to be done, but it has to be done in a way that will be effective. As Amrit Williams, CTO of Lancope, said to me, poorly written policies could end up leading to more severe damage. Along that line, Williams gave me his suggestions on what government should be thinking about:
- Communication and collaboration between public and private sectors
- A forum for anonymous sharing of security incident / breach information
- Eliminating the fear, uncertainty, and doubt that plagues the security industry
- Implement tax incentives for companies that meet base security compliance requirements
- Increase security standards around technology infrastructures, including:
  - Real-time visibility and control into the detailed state of all computing devices
  - Security configuration management for all host and infrastructure devices
  - Continuous policy compliance and enforcement
  - Security and support for mobile and intermittently connected devices
Scare tactics will get attention – and this topic needs attention – but we need to have some serious dialogue about how to approach cybersecurity. And it should come now, rather than later. I don’t want to take the risk that Napolitano is just blowing smoke when there really may be a fire.