Baked-In Security
While much of the Monday-morning quarterbacking of the response to Hurricane Katrina revolves around poor communication, bureaucratic missteps, sluggishness, and red tape on both the state and federal levels, the disaster got me thinking about something entirely different: the readiness of our national infrastructure--roughly 80% of which lies in private hands--to withstand or bounce back from a disaster or cyberattack of similar proportions.
While much of the Monday-morning quarterbacking of the response to Hurricane Katrina revolves around poor communication, bureaucratic missteps, sluggishness, and red tape on both the state and federal levels, the disaster got me thinking about something entirely different: the readiness of our national infrastructure--roughly 80% of which lies in private hands--to withstand or bounce back from a disaster or cyberattack of similar proportions.One look at New Orleans and the Mississippi cities of Gulfport and Biloxi makes it very clear what happens when we have wholesale, widespread shutdowns of key utilities--water, electricity, fuel, and communications: chaos, panic, and death. It also points to the perils of inadequately secured ports, oil rigs, and levees. It's not good.
Now, we don't have oil rigs and levees everywhere. And a Category 5 hurricane is not a common occurrence. That is not the point. The issue isn't even whether anything could have withstood the howling winds, storm surge, and flooding wrought by Katrina. Clearly not.
The issue is that we do have chemical plants all over the place, key ports of entry ringing the country, a network of interstate highways and skyways, and a national grid of utility, water, communications, and network services we all take for granted. These pieces of our critical infrastructure have long been considered prime targets for physical and cyberattack, and, indeed, it may not be possible to protect them from a determined attacker.
But it is possible to put into place physical and cyber safeguards, and it is possible to have a detailed, thought-out plan for recovery in the event of, say, a major shutdown of the electricity grid or air-traffic control. We just assume these things are so.
Which is why, I think, as stunning as the images of destruction are--and you don't expect to see that kind of devastation in the United States--the country seems more shocked by the aftermath. We perhaps naively expected to see an almost instantaneous response--the kind we are accustomed to seeing our nation lend to other planetary citizens. And for whatever reasons, when it did not happen, the shock was felt around the world. Closer to home, people died.
And yet, it could be worse. The question that is going to have to be addressed at some point in the angst-ridden postmortem is this: What if this level of disaster happens again? On a broader, more nationwide scale? We can no longer say terrorist attacks and the unbridled wrath of Mother Nature don't hit here. The last four years make it clear they do. And we can no longer assume that when these disasters strike, wrecking the level of havoc they do, that we'll be bouncing back to normal in no time. We won't.
Give our focus on technology, I cannot help but wonder about a wider scale shut down of key services driven by cyberattacks and whether we've made any progress in the area of cybersecurity beyond the many committees, subcommittees, and proclamations that have been created over the last four years to address the subject. So it seemed a good time to check in with the security experts at the SANS Institute, specifically its longtime director of research, Alan Paller. As it turns out, my timing was perfect--in recent weeks there has been progress on this very issue, including "three or four" conversations about it at the White House level. Among the changes under way:
An old idea that could go a long way toward addressing the cybersecurity side of critical infrastructure has gotten new wind recently as three current and former federal CIOs -- Karen Evans, the head of E-government and chair of the Federal CIO Council; Lisa Schlosser, CIO at HUD; and John Gillian, formerly CIO of Energy, recently retired CIO of the Air Force now a senior exec at SRA--have renewed efforts to push the idea. Variously called "The Big Idea" and "Baked-in Security," the idea is to lead the way by using federal procurement to set new security standards and to force vulnerability testing. Using the clout of government contracts, these CIOs are essentially advocating pushing some of the security responsibility down to the vendors. The thinking is that if the feds can demand a certainly level of security and monitoring capabilities built into the PCs they buy--i.e., Center For Internet Security-compliance--how long will it be before Boeing says, "Hey, we want those too," and more ordinary companies and consumers chime in as well? Paller asks.
On the physical security front, in turns out that the utility companies are working together as you read this to pull together a standard for Scada (Supervisory Control and Data Acquisition) industrial control systems, a very big deal further explained by InformationWeek Editorial Director Bob Evans in an Aug. 29 column on our annual security issue. According to Paller, "The utilities are getting together and saying, 'Wait a minute, Scada provider. When you sell your next system to us, it has to have these characteristics.'"
The reason there is so much excitement over "Baked-in Security" is fourfold, Paller explains:
It recognizes that only the federal government has the money to force, or if you prefer, persuade vendors, to make these changes. "It radically lowers costs to do it once, at the supplier level, rather than having to harden systems at every desktop after deployment."
The hoped for "catalytic" changes can have widespread impact since we are not talking about fighter jets or systems specific to the narrow needs of some agency. We're talking about ordinary systems used everywhere for a variety of purposes. The feds run hospital systems, power plants, telephone networks--you name it, Paller says. "There is nothing these guys [critical infrastructure suppliers] run that the feds don't run, so the federal buying power is highly relevant."
It transfers some big pieces of the security responsibilities back onto the vendor. For example, instead of an agency doing vulnerability testing of the software it is buying, Paller says, the government is picking up on an idea he attributes to Gartner, and starting to put together RFPs that require developers to run a vulnerability test of their software on the platforms they are proposing the customer buy. The vendor is too embarrassed to deliver systems that fail the vulnerability tests, so they fix them. This way customers are provided with secure systems at the outset. Procurement is also being considered as a way of requiring vendors to include facilities for automated monitoring of security of software or hardware so that it stays safe.
The expectation is that the requirements at the federal level will roll over to everyone eventually, upping the level of secure systems all around.
A little closer to my original question, at best, Paller says we can expect to see mobile recovery technology, starting with mobile communications, improved "radically" following the lessons learned from Katrina. But in terms of large-scale impact on the national infrastructure, he is doubtful. More likely, he predicts, will be the changes wrought over time by the initiatives he described above. Let's hope those CIOs find some willing listeners.
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024