Can Homeland Security prevent a cybersecurity critical infrastructure disaster?

A new study said companies would need to spend nine times as much on cybersecurity to prevent a cybersecurity disaster that would send America back to the Dark Ages. With over 10,000 industrial control systems vulnerable and a predicted 440 million new hackable smart grid points, America's infrastructure is in a state of chaos. Homeland Security is stepping up to protect the infrastructure, despite some private firms protesting cybersecurity legislation.

The U.S. is headed toward a "cybersecurity disaster," according to a Bloomberg Government study. The Ponemon Institute said that to stop 95% of the cybersecurity attacks, companies would need to spend nine times as much, which would "boost spending to a group total of $46.6 billion from the current $5.3 billion." Bloomberg reported, "Hardening those systems would require a significant investment given the increasing stealth and sophistication of hackers." According to Lawrence Ponemon, chairman of the Ponemon Institute, "The consequences of a successful attack against critical infrastructure makes these cost increases look like chump change. It would put people into the Dark Ages."

Whether our infrastructure is being hacked is not in question. It is and has been for years. China is our big-time cyber-enemy. A recent counterintelligence report [PDF] basically said, "China and Russia cyberspies are hell-bent on espionage and trying to steal U.S. secrets in cyberspace." Nation states have hackers who hammer away at us every single day. The smart grid is expected to have 440 million new hackable points by 2015, but utility cybersecurity is not the only part of America's infrastructure that is in a near state of chaos; another very recent example occurred when the TSA reported cyberattacks on railways. Sadly, the USA is vulnerable. Cybersecurity is "one of the most intense challenges of our time," stated DARPA Director Regina E. Dugan. "Malicious cyberattacks are not merely an existential threat to our bits and bytes. They are a real threat to an increasingly large number of systems that we interact with daily, from the power grid to our financial systems to our automobiles and our military systems."

The private sector has not stepped up to protect SCADA systems as was recently shown at the S4 conference; it resulted in the release of "push of a button easy" exploits to hack critical infrastructure. Other companies, utilities, banks and phone carriers are vulnerable to massive hacker attacks as highlighted by the Bloomberg Government study. Last summer, Eireann Leverett published a paper about industrial system attack surfaces [PDF]. For those who don't want to read about it, Leverett also published visualizations as seen on the left (from page 28).

Wired reported that Leverett found "10,358 devices connected through a search of two years worth of data in the SHODAN database." A mere 17% "of the systems he found online asked him for authorization to connect, suggesting that administrators either weren't aware that their systems were online or had simply failed to install secure gateways to keep out intruders."

We don't need every single thing connected to the Internet, causing more holes and headaches. Thanks to all the lax security, Homeland Security is about to take over the cybersecurity infrastructure reins and batten down the hatches. There are plenty of private firms freaking out about that and about cybersecurity legislation. Some security professionals even want DHS to be abolished. Although I agree cybersecurity efforts must not run roughshod over privacy, something has to be done. As James Lewis, technology program director at the Center for Strategic and International Studies, told Bloomberg, "If you interview power companies and say, 'Is your control system connected to the Internet,' they'll say, 'Of course not'." Yet "it turns out in almost every case a control system is connected to the Internet and it's vulnerable to being hacked." Lewis added, "The pattern in the U.S. is not to do anything until there's a disaster. The way we're going to find out if someone has the capability is we'll wake up one day and the lights won't work."

Perhaps DHS would be better served by going public with more details of the critical infrastructure hacking incidents that do happen, so that those who question whether this is a legitimate cybersecurity emergency would see that it is.

While the Senate cybersecurity bill is shrouded in secrecy, some of the new authorities it would grant DHS are "very scary," said Bob Dix, vice president of government affairs and critical infrastructure protection at Juniper Networks. Dix told The Hill, "The provision that establishes covered critical infrastructure presumes to give DHS new authority, that in my mind is overly broad, subject to interpretation and frankly goes beyond the boundaries of the role of government." He added, "The bill's language suggests DHS could seize control of systems owned by private firms and cloud providers." This sentiment about the implementation of a comprehensive and constitutional cybersecurity policy was echoed by privacy gurus at The Constitution Project [PDF]: "The government should not be permitted to conduct an end-run around Fourth Amendment safeguards by relying upon private companies to monitor networks."

I hate it when the Fourth Amendment is stomped, and privacy or civil liberties lose out in the "balance" against security. Yet without enacting legislation to address the growing cyber-threat dangers, America is exposed to "serious risk." White House Cybersecurity Coordinator Howard Schmidt wrote, "Only providing incentives for the private sector to share more information will not, in and of itself, adequately address critical infrastructure vulnerabilities."

Clearly incentives did not work "to mitigate the risks and reduce the potential for a malicious actor to be successful." Secretary of Homeland Security Janet Napolitano said to the National Press Club, "We are deploying the latest tools across the federal government to protect critical systems while sharing timely and actionable security information with public and private sector partners to help them protect their own operations. Beyond protecting the computer networks of the civilian side of our government, we are leading the effort to protect our nation's critical information infrastructure - the systems and networks that support the financial services industry, the electric power industry, and the telecommunications industry, to name a few."

However, before you break out the pitchforks, or tar and feathers, like an angry mob about to come at me, here's a note of caution about Napolitano's "prepared remarks." If you give a wordsmith some time, he or she can spin it so even a dirty kitty box smells like roses. For example, on the notion of hoovering up data to hoarding levels and the sharing of potential risk information, Napolitano also said, "Think of it this way: if we have to look for a needle in a haystack, it makes sense to use all of the information we have about the pieces of hay to make the haystack smaller."


Copyright © 2012 IDG Communications, Inc.