Corporate Interests AND National Security
Editor’s Note: The choice suggested by the Forbes headline below is false. Business growth and national security are symbiotic which is one reason why the Department of Commerce/NIST National Cybersecurity Center of Excellence (NCCoE) emphasizes “Stronger Cybersecurity Througth Collaboration.”
Cyber Security Debate Pits Corporate Interests Against National Security
National security is running headfirst into corporate and privacy interests. It is centering on two competing versions of cyber security legislation, which would either give government more power to regulate private, but vital, networks or which would make any new rules voluntary.
The networks in question are integral to the U.S. economy and are owned by private utilities and telecom operators. But if they are destroyed and cause massive upheaval, then the country’s welfare is at stake. Business groups say that it is already in their interest to buck up whereas both the Obama and Bush administrations say that more is necessary and that national security is the foremost concern.
“We are being bled of our intellectual property everyday and would-be enemies probe the weaknesses in our most critical national assets — waiting until the time is right to cripple our economy or attack a city’s electric grid with the touch of a key,” says Senator Joe Lieberman, I-Conn., co-sponsor of one of the bills.
After collectively identifying the precise systems that are at high risk, the U.S. Department of Homeland Security would then work with that “narrow slice” of the private sector that must join in the battle, Lieberman adds.
For example, let’s say that Pepco, the electric company serving the Washington, DC, metro area, had “critical” systems covered by the bill: Only systems directly involved in the generation or distribution of electricity would need to conform to the increased security standards, the senator notes. But Pepco’s other systems, like human resources or customer service, would not be asked to do anything new.
The White House, generally, supports that bill — one that its sponsors argue narrowly defines “critical infrastructure”: That would be any national asset that is brought down or destroyed and that would lead to mass casualties, mass evacuations or financial collapse. Those affected would have to make the needed investments to ensure their assets are “insulated” from attack.
Obama’s team, in fact, simulated for members of Congress the overall impact that a successful cyber attack would have on New York City. It would be lights out, affecting an entire city population in much the same way as the 2003 Blackout that swept the East Coast and parts of Canada.
According to the General Accountability Office, the nation’s wires infrastructure is comprised of $1 trillion in assets that entail 200,000 miles of transmission lines. Altogether, over 800,000 megawatts of power serve more than 300 million people. Because the system is now connected to the outside world, it is open to attack.
Consider the smart grid that allows utilities and customers to communicate with each other: A nemesis can manipulate the data and disrupt the network — just as a number of smaller but potent viruses have already done. The big one, of course, has been Stuxnet that this government used in coordination with that of Israel and that was intended to diminish the Iranian nuclear program.
The U.S. government using those worms and viruses to hurt its adversaries is one thing. But criminals using them to extort money from businesses such as utilities are another. National enemies going after the whole society here is a completely other scenario.
Even though the threats are real and present, only a small percentage of the energy firms are adopting security technologies, says software firm McAfee. Here, utilities are spending time and money addressing weaknesses, and one way is by applying “patches” to fix specific vulnerabilities. But hackers are always seeking new voids and oftentimes, companies are too busy with other security concerns.
In any event, utilities once had disparate assets that could not talk to each other, but today they are highly digitized with devices that are interwoven, allowing infections to spread. One devious method reported recently is finding the so-called digital back door that is meant to give manufacturers a marketing edge but that can also be exploited by corporate or national enemies.
A subsidiary of energy vendor Siemens AG has been criticized for selling that kind of equipment to support industrial control systems. Among those that have made purchases are Boeing and Lockheed Martin in the defense sector and American Electric Power, National Grid and Pepco in the power industry, says a news report by the Christian Science Monitor. The paper is also reporting that the problem can be fixed.
For their part, utilities are already supposed to certify with the Federal Energy Regulatory Commission that they have developed robust systems that can continue to generate and deliver power if attacked. To comply, they are describing their potential risks based on historical accounts.
As with other businesses, utilities are also concerned about overreach. They prefer voluntary efforts, as opposed to those mandated by law, noting that as owners of the assets, they are naturally motivated to secure them.
“The only government actions allowed by our bill are to get information voluntarily from the private sector and to share information back,” says Senator John McCain, who introduced a bill that is now competing with the one pushed by Senator Lieberman. “We have no government monitoring, no government takeover of the Internet, and no government intrusions.”
Cyber attacks are escalating and leaving corporate networks increasingly susceptible. Utilities are getting the message but are emphasizing that they must carefully allocate scarce resources. Those pushing for a more assertive federal role, however, are saying that national security takes precedence. All sides are attempting a reconciliation, although the ultimate invoice coupled with privacy concerns might keep them apart.