The Center for the Study of the Presidency & Congress (CSPC) launched a project to bring together representatives from the Executive Branch, Congress, and the private sector to discuss how to better secure the U.S. electric grid from the threats of cyberattack, physical attack, electromagnetic pulse, and inclement weather.
The result is the Securing the U.S. Electrical Grid report, and talking about critical security challenges we have Dan Mahaffee, the Director of Policy at CSPC.
How can politics influence the rise of critical infrastructure security on a national level?
Politics will certainly play a role in how our nation approaches critical infrastructure security. Many of the current bureaucratic structures for critical infrastructure security have arisen from politics. The Department of Homeland Security reports to over 100 committees and subcommittees because of politics.
One ongoing political debate is how to organize the various government agencies and entities responsible for cybersecurity—political influence and budget dollars are at stake. Given the importance of communication between government and critical infrastructure, it is important to provide some level of stability in the relationship between government and private sector operators.
Instead of reorganization, political leaders should emphasize clearer divisions of existing authority and streamlined communication within government regarding grid issues.
Additionally, cybersecurity legislation—along with most legislative business—has fallen victim to a deadlocked Congress. Even though it seems that the House and Senate have agreed on 90% of the legislation, politics has prevented the bills from going to a conference committee where the remaining 10% could be resolved. This political environment is only more difficult following the Snowden leaks, and it will require political leadership—both from elected officials and industry leaders and advocacy groups—to explain the importance of critical infrastructure protection to the American people and to seek the compromises to pass needed legislation.
Should the USA allow foreign companies to produce software/hardware for the domestic smart grid? How can these solutions be tested in order to prevent accidental or intentional failures?
In a globalized world, the issue of supply chain security is an area of significant concern. In some major countries there is a far blurrier line between government and the private sector when it comes to technology companies, and the United States needs to be aware of the security risks posed by these companies’ hardware and software. U.S. policymakers have demonstrated their leadership on this issue, but there are still concerns about how software or various components of hardware might introduce vulnerabilities to U.S. infrastructure. However, in a globalized world, we also cannot afford to succumb to the temptations of protectionism or risk retaliation against the operations of U.S. technology companies doing business overseas.
A combination of government and private sector testing processes can be implemented to test hardware and software for counterfeit components, potential backdoors, or other vulnerabilities, and these processes can be applied to both imported and domestically produced systems. Additionally this testing can avoid a one-size-fits-all approach by evaluating not only the security of the product but also the criticality of its intended destination. Obviously hardware or software that will be installed at key grid nodes, links to other critical infrastructure, or major civil or military facilities will undergo more rigorous testing than less critical sites.
Through the buying power of the government and major utilities, manufacturers could be incentivized to meet these testing and specification requirements across their product lines. Manufacturers will likely seek to differentiate their products by demonstrating that their products meet these standards. In a way, this could be similar to the “UL” logo, the “Good Housekeeping Seal of Approval,” or the “MIL-SPEC” designation that graces many other products.
As we move closer to a world where almost every device is going to be connected to the Internet, how can we mitigate the onslaught of entirely new threats while we’re not able to fend off even the most old of attacks?
During our project, we often heard it described as the challenge of the grid moving from the “Edison Era to the Google Era.” Policies should seek to facilitate tools that use this increased connectivity to provide immediate analysis of grid use and network traffic. The participants in our discussions indicated that the most fundamental tool to address attacks—old and new—is some form of information sharing mechanism with liability protections.
Such a tool—only available through Congressional legislation—can address today’s security challenges and facilitate current and future technologies that allow for real time, machine-to-machine cyber threat information sharing and rapid incident response.
Additionally, as an increasing array of systems and appliances are connected to the grid, both government and the private sector should facilitate lines of communication between utility companies and the wide array of manufacturers developing control systems, appliances, cars, and other consumer products that will be connected to the grid. One current example is the work already underway at various national laboratories to explore the integration of electric cars into grid systems. Smart policies will seek to facilitate an ongoing security discussion and vulnerability testing rather than a static benchmark that will be quickly surpassed by technological advances.
Many information security professionals would argue that the key to an organization’s security is security awareness, as it’s usually the weakest link that enables cyber attackers to execute an efficient attack. How can we motivate an entire nation to educate themselves and understand the risks? It looks like a massive challenge that will have to pull together the resources from both the government and the private sector. How can the CSPC help in this regard?
As your question indicates, the human factor is one of the most important—if not the most important—aspects of physical and cyber security. Security awareness needs to be both top-down and bottom-up in an organization. While this is true of any organization, it is vital in a critical infrastructure provider. At the top, security awareness requires constant communication between CEOs, CFOs, and COOs and their CSOs and CISOs.
Beyond the C-suites, every employee and vendor must also be aware of how their decisions may affect the security of a company. As social engineering becomes a key method for cyber attackers, individuals will need to be increasingly cognizant of how threat actors can pose as colleagues, vendors, social networks, or other legitimate activities.
This is indeed a massive challenge that will require resources from the government and private sector, but similar challenges have been overcome in the past. CSPC is an organization that looks at the lessons of history and facilitates opportunities for dialogue between the White House and Congress and between the government and the private sector. CSPC is in a unique position to understand how combining historical lessons in public awareness campaigns—pollution and smoking are ones that immediately come to mind—with continued communication between our government and private sector leaders can improve cybersecurity.