In Brief
Public and Private Sectors Share Data in Cyberattack Exercise but Responsibilities are Still Murky
The government and the private sector are talking, but there is still more to be done
By Allan Holmes
June 01, 2006 — CSO —
CRITICAL INFRASTRUCTURE
The government and the private sector are talking. That’s the message officials offered as a preview to a Department of Homeland Security report due out this summer on Cyber Storm, a four-day exercise in February that simulated cyberattacks on critical systems supporting the energy, telecommunications and transportation industries. (One simulation hijacked a utility’s computers and disrupted the power grid.)
Andy Purdy, acting director of the National Cyber Security Division of DHS, describes Cyber Storm as “a major leap forward” in the nation’s cyberdefense, in part because “the private sector showed up” (as he told the RSA Conference this winter). But experts from the private sector say the exercise highlighted gaps in responsibility. They assert that DHS has not made clear who is in charge of what when enemies strike critical pieces of the country’s networks that support vital transportation, electricity, goods and services, 85 percent of which are privately owned.
Cyber Storm, in which 115 organizations participated, is the second of three exercises. The first, conducted in October 2003, established a baseline of vulnerabilities in the nation’s critical infrastructures and what processes would be needed to respond to a cyberattack. Another exercise is planned for 2008.
Cyber Storm showed that federal agencies and companies were able to find relationships between seemingly unrelated worldwide attacks and cooperate in their response “to improve our ability to connect the dots,” Purdy says.
But other players say those relationships need improvement. The Internet Security Alliance, a group of high-tech companies working with Carnegie Mellon, called on DHS to involve business more in planning efforts. If cyberspace is to be secured, “the private sector must be recognized as a full and equal partner in its defense,” a move that would make more resources available to the task, according to the group’s report commenting on national infrastructure protection plans. Cybersecurity officials in state, county and municipal governments also reported that relationships with DHS are poor, according to an NASCIO survey in late 2005. “It is clear that there is a huge opportunity to improve collaborative cybersecurity efforts among local, state and federal government,” says Janette Pell, CIO of San Luis Obispo County, Calif.
All this has left a muddled cybersecurity plan, in which the private sector and the federal government don’t know who is responsible for what during an attack, says Jim Lewis, a cybersecurity expert at the Center for Strategic and International Studies. Lewis says DHS needs to develop an enterprise architecture for securing the nation’s telecommunications system and determine who is in charge of securing critical systems information during an attack. “Cyber Storm may have been a good first step,” Lewis says, “but in the end it hasn’t led to anything that has made us any better off. So much more needs to be done first.”