SAN FRANCISCO–The security of both government and private enterprise systems going forward relies on the ability of those two parties to share threat, attack and compromise information on a real-time basis, former Department of Homeland Security secretary Tom Ridge said. Without that cooperation, he said, the critical infrastructure of the United States will continue to be “a target-rich environment”.
The idea of information sharing is a well-worn one in the security industry. Private companies have been trying to get timely intelligence on attacks and threats from the federal government for years, without much success. On the other side of that coin, the government has been ingesting threat intelligence from the private sector for decades, while typically not reciprocating. Ridge, speaking at the Kaspersky Lab Cybersecurity Summit here Tuesday, said that the federal government needs to change that situation if it hopes to make any real improvement in security.
“We’ve been trying for three years to get the government to create a protected avenue to share information from the government down to the private sector and from the private sector up to the government,” he said. “We’ve been unsuccessful.”
Part of the reason for that failure, Ridge said, is that the federal government often defaults to over-classifying information, especially as it relates to attacks and threats. That information often could be valuable to organizations in the private sector that may be affected by the same kinds of threats, but is sitting dormant somewhere because it’s not cleared for release to private companies. That mindset must be changed, Ridge said.
“The knowledge in the hands of the federal government relating to critical infrastructure and the security of our economy shouldn’t be held and parceled out,” he said. “We need to go from a need-to-know basis to a need-to-share mindset.”
Private enterprises have their own set of challenges surrounding security, and Ridge said that one of the main issues he still sees in large organizations is a lack of awareness that attackers are targeting them specifically.
“This isn’t a preventable risk, it’s a manageable risk,” he said.
Ridge said one of the other key obstacles to improving critical infrastructure security is the fact that the federal government must rely on the private sector to do nearly all the work. The government itself doesn’t own much in the way of utilities, power grids, financial systems or other prime targets. That’s all in the hands of private companies. So there’s a clear incentive for the two parties to share information, he said.
“The government has no critical infrastructure of its own. It relies on the private sector for that, and when it goes down, the government goes down,” Ridge said. “National security and economic security are intertwined.”
Attackers, of course, are well aware of that fact, and know that going after a country’s power grid or utilities other vital systems is a quick path to crippling the country’s economy. Those kinds of attacks, Ridge said, could be precursors to armed conflicts in the near future or part of an ongoing war.
“What if at some point someone infiltrates the power grid and plants malware? Is that a precursor to a larger attack? How do you respond, kinetically or electronically? What’s the threshold for response?” he said.