U.S. Failing To Combat Cyberthreats to Critical Infrastructure
The growing threat of cyberattacks outmatch the modest security improvements made to the U.S. critical infrastructure in the past year, said a McAfee security report unveiled Tuesday at an event sponsored by the Center for Strategic and International Studies. Though operators of the power, oil, gas and water sectors are more cognizant of the threats, not enough is being done to protect critical assets, said an author of the report, Stewart Baker, who was a Department of Homeland Security assistant secretary and is now a partner at Steptoe & Johnson. Meanwhile, existing cybersecurity bills are too costly for the U.S. and Congress has not figured out the best way to encourage greater security in critical U.S. sectors, said a DHS representative speaking at the event.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Every month critical utility networks find malware that is designed to sabotage their operations on their control systems, said the McAfee report entitled “In the Dark: Crucial Industries Confront Cyberattacks.” In the past two years the threat has grown more dire with the advent of highly sophisticated cyberweapons like the Stuxnet Virus, said cybersecurity experts. Stuxnet is a computer worm that emerged in 2010 to target industrial control systems, specifically those in Iran, to take control of industrial facilities such as power plants (WID Nov 12/10 p3). “In my view Stuxnet demonstrates that cyberwar is real because Stuxnet is a cyberweapon designed to sabotage an industrial control system,” Baker said. “We are going to see many more attempts to use attacks on industrial control systems to achieve military and political ends.”
The U.S. is “doubling down” on its vulnerability to cyberattacks by rolling out smart grids without paying a lot of attention to the security risks, said Baker. “You might think that we as a country and the power companies and other people who are dependent on industrial control systems would be spending an enormous amount of money and attention to security, but we're not,” said Baker. The report revealed that 32 percent of the 200 infrastructure companies that McAfee interviewed had not adopted special security measures for smart grid controls. “This is not exactly a prudent response to the emergence of Stuxnet and the possibility of attacks on the power systems. This is troubling,” Baker said.
It’s not too late for the U.S. government to play a positive role in the development of better security measures, said Phyllis Schneck, director of threat intelligence for the Americas at McAfee. “It shouldn’t have to take a disaster for us as an industry and us as a community to invest in foundational security for things like the smart grid and our critical infrastructure,” she said. Schneck suggested that the Congress avoid excessive regulations and employ incentives that would encourage companies to build better security into its systems.
But Congress has its hands tied with budgetary constraints and has not created any feasible solutions, said Kevin Gronberg, senior counsel with the House Homeland Security Committee. “We are operating in a fiscally tight environment,” said Gronberg. “That causes real problems with regards to some aspects of, say, the Lieberman-Collins’ bill.” The Office of Management and Budget estimates that the proposed Protecting Cyberspace as a National Asset Act presented by Senate Homeland Security Committee Chairman Joe Lieberman, I-Conn., and Ranking Member Susan Collins, R-Maine, would cost $1.5 billion over the next four years. “From my lowly perspective, having a scoring that high without any offsets or corresponding cuts make it very difficult to move forward,” Gronberg told us after the event. Rep. James Langevin, D-R.I. and former chairman of the Homeland Cybersecurity Subcommittee, introduced his own cybersecurity bill last month (WID March 18 p4).