Over the last few years the federal government, mostly under the auspices of the Department of Homeland Security, has increased its efforts to protect private sector critical infrastructure from hackers. But representatives from AT&T, the North American Electric Reliability Corporation, and a consortium of financial services companies said in testimony before the House Committee on Homeland Security that it's still not enough.
"There's a strong need to develop appropriate and standardized protocols for sharing," said Jane Carlin, chair of the Financial Services Sector Coordinating Council, an association of financial companies set up in the wake of September 11 to protect the nation's financial services critical infrastructure from attack. "Although we've made good progress on information sharing entities, we have not adequately addressed issues of timeliness and completeness of information."
Carlin pointed to the aftermath of a cyber attack on a major financial exchange in October 2010 as an example of where better cooperation could have gone a long way. The exchange immediately informed its regulator and law enforcement, but information about the attack and its impact on other companies wasn't disclosed to the rest of the industry for 102 days.
"This could have had an enormous impact on employees, stockholders, large and small, and the industry as a whole," Carlin said, pointing out that those 102 days spanned the year-end period when companies prepare annual financial reports. "The lack of meaningful information for more than three months left the entire sector unnecessarily vulnerable."
That sentiment was echoed by Gerry Cauley, president and CEO of the North American Electric Reliability Corporation, which develops and oversees power system standards nationwide. Cauley complained that a lack of real-time, actionable intelligence sharing on attacks leaves the power industry "at best" a step behind the government in preventing attacks.
Ed Amoroso, senior VP and chief security officer for AT&T, voiced similar concerns, not just in terms of receiving information from DHS, but also in sending information to DHS. "If you think about the question of coordination, it's the case right now that there's no good way to share information in real time," he said, adding that whenever he wants to share information with the government, it seems like a room full of AT&T lawyers caution him not to. "At AT&T we find it frustrating because we have information we'd like to share."
While shortfalls may remain, DHS has been working increasingly closely with the private sector on critical infrastructure protection issues. Representatives from the IT and financial sectors, for example, work daily on the floor of DHS's National Cybersecurity and Communications Integration Center, which gathers, analyzes, and shares information on cyber attacks with government and industry and coordinates responses. DHS is also finalizing a similar relationship with the electric sector.
In written testimony provided for the hearing, Sean McGurk, the center's director, offered an example of how current modes of collaboration can be effective. Early last year, a company he didn't name was infected with the Mariposa botnet and worked closely with DHS to analyze the attack, trace it back to its point of entry to the company's network, contain the attack, and remove the malware.
The hearing came just as the White House prepares legislation that could have far-reaching effects on the Department of Homeland Security's cybersecurity relationships with private sector critical infrastructure.
According to Federal News Radio, the 100-page bill, which is currently circulating among federal agencies, addresses a range of broader cyber-related issues and would also authorize the secretary of DHS to decide what constitutes critical infrastructure and to assess and audit critical infrastructure systems. Critical infrastructure owners and operators, in turn, would be required to attest to the implementation of cybersecurity measures.