Cyber Security Bill Now Positioned to Pass

Key Compromises Made

Ken Silverstein | Jul 25, 2012

Advocates of cyber security legislation have advanced the ball to the point where they might score. A new bill intended to win bipartisan support would offer “incentives” to companies that operate vital infrastructure if they work with government authorities; those incentives would include being absolved of any liability.

President Obama has come out in favor of the new approach, writing an op-ed in the Wall Street Journal that essentially says that any hacker from anywhere in the world can disrupt critical U.S. assets if certain companies have not taken the right steps to address such pitfalls. The time is now to fix the problem, he says, pointing out that water plants in Texas have already been hacked while cyber invaders have also penetrated natural gas pipelines in the United States.

“We need to make it easier for these companies -- with reasonable liability protection -- to share data and information with government when they’re attacked,” the president writes in the paper. “And we need to make it easier for government, if asked, to help these companies prevent and recover from attacks.”

A recent report by the U.S. Department of Homeland Security Control Systems Security Program says that the number of attacks has jumped from 41 in 2010 to 198 in 2011. Many problems, it adds, could have been prevented using best security practices -- things that may elude a private company but which could be resolved by sharing information. So-called spear phishing tactics, in which employees are tricked into giving out sensitive info to hackers, are a prime problem.

About 85 percent of all critical infrastructure assets are owned and operated by private entities, which have an interest in keeping such attacks secret and which do not want to disclose any proprietary information. That’s why the re-write of the cyber security bill would “hold harmless” these companies that collaborate with the federal government -- either to divulge attacks or to work with authorities to prevent them. Along those lines, owners of critical infrastructure assets would not be obligated to participate but if they do, they would have much flexibility.

“These numbers demonstrate that attackers are increasingly turning their attention to critical infrastructure facilities, and are finding soft targets,” says Brian Ahern, chief executive of Industrial Defender. “Doing nothing about this is like playing with fire, leaving power grids, chemical plants, oil and gas facilities, water supplies and other key systems at significant risk.”

Liability Concerns

The pending measure defines critical infrastructure as any asset that if brought down would lead to mass casualties, mass evacuation or financial collapse. The power grid fits into that categorization. According to the General Accountability Office, the nation’s wires infrastructure is comprised of $1 trillion in assets that entail 200,000 miles of transmission lines. Altogether, over 800,000 megawatts of power serve more than 300 million people. Because the system is now connected to the outside world, it is open to attack.

Consider the smart grid that allows utilities and customers to communicate with each other: A nemesis can manipulate the data and disrupt the network -- just as a number of smaller but potent viruses have already done. The big one, of course, has been Stuxnet, which this government used in coordination with that of Israel and which was intended to diminish the Iranian nuclear program.

For their part, utilities are already required under the Energy Policy Act of 2005 to certify with the Federal Energy Regulatory Commission that they have developed robust systems that can continue to generate and deliver power if attacked. To comply, they are describing their potential risks based on historical accounts. Meantime, nuclear operators have their own separate requirements that they follow and that they report to the Nuclear Regulatory Commission.

That earlier law is one reason why some U.S. senators have been wary about new cyber security legislation. That is, they were concerned about redundancy, higher costs and more burdens. And, according to Senator Lisa Murkowski, R-Alaska, the “voluntary” aspects of the previously considered measures could later become “mandatory,” which would hamstring companies’ latitude.

As such, Murkowski and other ranking Senate Republicans have pushed for an “information sharing” arrangement between the federal government and industry. It is part of the compromise that is winning bipartisan support -- and it could pass both chambers this year, says Murkowski’s office. Provisions tied to how and with whom information is shared would still need to be reconciled. But all such bills now provide liability protection for the use and disclosure of cyber threats.

By all accounts, most companies are increasing their cyber security efforts. But some are going to great lengths while others just don’t have the experience to erect better defenses. By opening the lines of communication with government authorities and eliminating the liabilities for doing so, cyber security advocates say that critical infrastructure would be much better protected.


EnergyBiz Insider is named a 2012 Finalist for Original Web Commentary presented by the American Society of Business Press Editors. The column is also the Winner of the 2011 Online Column category awarded by Media Industry News, MIN. Ken Silverstein has been named one of the Top Economics Journalists by Wall Street Economists.

Energy Central

Copyright © 1996-2012 by CyberTech, Inc. All rights reserved.
