Advocates of cyber security legislation have
advanced the ball to the point where they might
score. A new bill intended to win bipartisan support
would offer “incentives” to companies that operate
vital infrastructure if they work with government
authorities; those incentives would include being
absolved of any liability.
President Obama has come out in favor of the new
approach, writing an op-ed in the Wall Street
Journal that essentially says that any hacker from
anywhere in the world can disrupt critical U.S.
assets if certain companies have not taken the right
steps to address such pitfalls. The time is now to
fix the problem, he says, pointing out that water
plants in Texas have already been hacked while cyber
invaders have also penetrated natural gas pipelines
in the United States.
“We need to make it easier for these companies --
with reasonable liability protection -- to share
data and information with government when they’re
attacked,” the president writes in the paper. “And
we need to make it easier for government, if asked,
to help these companies prevent and recover from
attacks.”
A recent report by the
U.S. Department of Homeland Security Control Systems
Security Program says that the number of attacks
has jumped from 41 in 2010 to 198 in 2011. Many
problems, it adds, could have been prevented using
best security practices -- things that may elude a
private company but which could be resolved by
sharing information. So-called spear phishing
tactics, in which employees are tricked into giving
out sensitive info to hackers, are a prime problem.
About 85 percent of all critical infrastructure
assets are owned and operated by private entities,
which have an interest in keeping such attacks
secret and which do not want to disclose any
proprietary information. That’s why the re-write of
the cyber security bill would “hold harmless” these
companies that collaborate with the federal
government -- either to divulge attacks or to work
with authorities to prevent them. Along those lines,
owners of critical infrastructure assets would not
be obligated to participate, but if they do, they
would have much flexibility.
“These numbers demonstrate that attackers are
increasingly turning their attention to critical
infrastructure facilities, and are finding soft
targets,” says Brian Ahern, chief executive of
Industrial Defender. “Doing nothing about this
is like playing with fire, leaving power grids,
chemical plants, oil and gas facilities, water
supplies and other key systems at significant risk.”
Liability Concerns
The pending measure defines critical infrastructure
as any asset that if brought down would lead to mass
casualties, mass evacuation or financial collapse.
The power grid fits into that categorization.
According to the
General Accountability Office, the nation’s
wires infrastructure is comprised of $1 trillion in
assets that entail 200,000 miles of transmission
lines. Altogether, over 800,000 megawatts of power
serve more than 300 million people. Because
the system is now connected to the outside world, it
is open to attack.
Consider the smart grid that allows utilities and
customers to communicate with each other: A nemesis
can manipulate the data and disrupt the network —
just as a number of smaller but potent viruses have
already done. The big one, of course, has been
Stuxnet, which this government used in coordination
with that of Israel and which was intended to
diminish the Iranian nuclear program.
For their part, utilities are already required under
the Energy Policy Act of 2005 to certify with the
Federal Energy Regulatory Commission that they have
developed robust systems that can continue to
generate and deliver power if attacked. To comply,
they are describing their potential risks based on
historical accounts. Meantime, nuclear operators
have their own separate requirements that they
follow and that they report to the Nuclear
Regulatory Commission.
That earlier law is one reason why some U.S.
senators have been wary about new cyber security
legislation. That is, they were concerned about
redundancy, higher costs and more burdens. And,
according to
Senator Lisa Murkowski, R-Alaska, the
“voluntary” aspects of the previously considered
measures could later become “mandatory,” which would
hamstring companies’ latitude.
As such, Murkowski and other ranking Senate
Republicans have pushed for an “information sharing”
arrangement between the federal government and
industry. It is part of the compromise that is
winning bipartisan support -- and it could pass both
chambers this year, says Murkowski’s office.
Provisions tied to how and with whom information is
shared would still need to be reconciled. But all such
bills now provide liability protection for the use
and disclosure of cyber threats.
By all accounts, most companies are increasing their
cyber security efforts. But some are going to great
lengths while others just don’t have the experience
to erect better defenses. By opening the lines of
communication with government authorities and
eliminating the liabilities for doing so, cyber
security advocates say that critical infrastructure
would be much better protected.
EnergyBiz Insider is named a 2012 Finalist for
Original Web Commentary presented by the American
Society of Business Press Editors. The column is
also the Winner of the 2011 Online Column category
awarded by Media Industry News, MIN. Ken Silverstein
has been named one of the Top Economics Journalists
by Wall Street Economists.
Twitter: @Ken_Silverstein
energybizinsider@energycentral.com
Copyright © 1996-2012 by CyberTech, Inc. All rights reserved.