WASHINGTON–As things stand right now, the United States has no overarching national information security policy or centralized agency responsible for defending the government’s networks in the event of a serious cyberattack. There have been many pushes over the years to change that and put one agency or another at the head of the table, but some in Washington and in the private sector aren’t too keen on that prospect.
Each federal agency is responsible for the security of its own networks, and although the networks are discrete for the most part, they also tie into the larger federal government and other systems. To an attacker looking at it from the outside, those boundaries are meaningless. A target is a target, regardless of whether it’s on the Department of Energy’s network or Department of Interior’s. Some of that was supposed to change when the Department of Homeland Security was created more than a decade ago and took over some of the cybersecurity functions. But DHS doesn’t have any real authority to tell other agencies how to run their networks, something that those agencies are keenly aware of.
“DHS has all the power of Ann Landers. They can advise you and you can ignore it,” Robert Clark, cyber operational lawyer at the Army Cyber Institute at the United States Military Academy, said during a panel discussion on network resiliency and security at the Kaspersky Government Cybersecurity Forum here Tuesday.
The lack of a central authority for government network security is not a new problem. It’s something that’s been discussed inside the Beltway for years. But it’s not necessarily a bad thing, if everyone is doing their jobs, some experts say.
“In the U.S. we have no national cybersecurity policy, and I kind of think that’s OK. We don’t respond to hurricanes with the national department of hurricanes,” said Miles Keogh, director of grants and research at the National Association of Regulatory Utility Commissions. “We have NOAA, that tells us that the bad guy is coming. And we have FEMA to respond. We allow the people who are closest to the yelling to be in charge of taking care of what’s causing the yelling. We have a shared risk model. With cybersecurity, we’re building the structures to enable the people who are closest to the yelling to be primarily responsible for taking care of it. I’d think about the predictive communications that we need and how we build things like FEMA to respond.”
Another piece of the puzzle is that much of the critical infrastructure that consumers and the government rely on for things such as power and water is owned by private companies. The government’s authority to dictate technology and security policies to those companies is far from absolute, and even if Washington could mandate specific types of technologies, that might not be good in the long run.
“When the grid gets upgraded and everyone is using the same kind of controllers and running the same operating system, I’m very excited as a bad guy,” said James Jones, associate professor of computer forensics at George Mason University.
Jones and Keogh said that the weaknesses in the country’s infrastructure aren’t necessarily in the places that most people might think.
“If you’re looking for somebody who’s particularly weak, look at the food sector. They grow lettuce and it’s distributed and you can’t protect all those individual farms,” Jones said. “In financial services, they know who their partners are and where their money is and they protect it.”
Keogh added that while cybersecurity attacks against utilities are a legitimate and growing concern, the more proximate threats are much more mundane.
“The power grid is [tough]. It’s very hard to take down,” Keogh said. “The capacity for the power grid to absorb large amounts of abuse is amazing. Most of what’s causing outages isn’t coming from cyberspace. The big threat is trees. Most of what we spend dollars on is the terrifying menace of trees. But what we have right now is a spectrum of threats and they vary in severity and likelihood. Utilities don’t have infinite amounts of money. You especially want to focus on things that happen all the time and are really bad news.”
That threat model evolves over time, however, and Keogh said that the picture may look very different in a few years.
“Like every other sector, we’re integrating intelligence into our devices and it introduces new risks which five or ten or twenty years down the road could be the platform out of which this moves to a decent amount of likelihood. So we want to engineer those problems out before they show up.”