Talk of cyberwarfare meaningless to many companies, experts say

Jan 06, 2014 | 4 mins
Cyberattacks | IT Leadership | ROI and Metrics

Buzzwords fail to inspire increased spending on cybersecurity in private sector

While government leaders often use attention-grabbing buzzwords like cyberwarfare, such expressions do not have much impact on security budgets within private industries, experts say.


The possibility of cyberwarfare has been in the spotlight for more than a year, since then-Defense Secretary Leon Panetta said in a policy speech that the nation faced the threat of “another Pearl Harbor.”

In following Panetta’s lead, other government leaders have also given speeches to draw the nation’s attention toward the risk of having a wide-scale cyberattack take down a large segment of the nation’s critical infrastructure, such as power plants or financial institutions.

In a recent poll conducted by DefenseNews, U.S. leaders in national security policy, the military, congressional staffs and the defense industry rated cyberwarfare as the most serious threat facing the U.S.

Republicans, Democrats and independents in the poll of more than 350 national security leaders held that view, while differing on the second most serious threat. Respondents who identified themselves as Republicans listed terrorism and Democrats chose climate change.

As the clear bipartisan winner, cyberwarfare has become a major concern among security leaders. However, that has not led to more spending on cybersecurity within the private sector, including the industries that make up the nation’s critical infrastructure, according to experts specializing in industrial control systems.

“Yes, I’ve seen some industrial companies go above and beyond the normal practices,” Jim Gilsinn, senior investigator for Kenexis Consulting, said. “Those are the examples of how things should get done if all things can be done right.

“In most cases, the companies I’ve dealt with have limited budgets and/or resources, so they are just trying to handle the minimum and maybe a little more to get themselves some level of protection.”

The private sector is not going to increase spending because of a sound bite from a government official’s speech, Kevin Coleman, strategic management consultant for SilverRhino, which specializes in government IT security, said. Companies need facts before agreeing to increase expenses that reduce profits.

“They’re only going to spend what they absolutely have to and not a dime more,” Coleman said.


Companies spend on what’s considered “usual and customary” within their particular industry, Coleman said. During congressional hearings on cybersecurity, industry leaders will often tell lawmakers they are willing to do more if the government gives them the money to do it.

Most of the companies Gilsinn has worked with have never suffered a major cybersecurity problem, so they are cautious not to overspend.

“We work with them to implement a lot of very basic cybersecurity countermeasures in their industrial environments,” Gilsinn said. “They aren’t trying to defend against the threat of cyberwarfare or APT (advanced persistent threats).

“Mostly, they are just trying to implement a similar level of cybersecurity in their industrial environment that they may already have in their IT environment.”

To get the private sector to spend more, Coleman suggested the government give security clearance to CSOs and CISOs, so they can examine the cyberattack intelligence to determine the risk it poses to their companies.

“Because they’re not cleared, they do not understand the threat,” he said.

Utilities and manufacturers are hesitant because of the enormous expense of replacing or upgrading security technology built into their infrastructure, Eric Cosman, co-chair of the Chemical Sector Cybersecurity Program at the International Society of Automation, said.


“If the IT and the physical components are highly integrated then it may not be possible to replace one without the other,” Cosman said.

Industries are still working on finding a way to separate security systems, so they can be updated “without requiring total system replacement,” he said.

In Gilsinn’s opinion, the term cyberwarfare is more useful to the Defense Department and other organizations hoping to convince Congress to send more money their way.

“Cybersecurity is definitely sexy at the moment, and government agencies and (defense) contractors are all trying to figure out how to get as much of the budget pot as they can,” Gilsinn said.