In 1998, then President Bill Clinton recognized that the United States was especially vulnerable to a cyber attack to its critical infrastructure. Clinton addressed Critical Infrastructure Protection (CIP) by issuing Presidential Directive 63 (PDD-63).

Soon after PDD-63, Deputy Defense Secretary John Harme cautioned the US Congress about the importance of CIP by warning of a potential “cyber Pearl Harbor.” Harme stated that a devastating cyber attack “is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.”

It’s been 12 years since this dire warning and the general consensus is that US cyber security vulnerabilities are worse, not better. Barack Obama recognized this problem as a candidate and then as President. Upon taking the oath of office, the President called for a 60-day security review, and then addressed the media in May 2009. The President stated, “it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation. . . we’re not as prepared as we should be, as a government or as a country.”

The fundamental assumption here is that the US critical infrastructure is vulnerable to a cyber attack, but is this truly the case or just empty Washington rhetoric? Unfortunately, a recently published ESG Research Report reveals that the US critical infrastructure is vulnerable today and could become more vulnerable in the future without decisive near-term action.

ESG surveyed 285 security professionals working at organizations considered as “Critical Infrastructure and Key Resources” (CIKR) by the US Department of Homeland Security. Here are some key research findings:

1. Sixty-eight percent of the CIKR organizations surveyed suffered at least 1 security breach in the last 24 months. Alarmingly, the organizations with the strongest security policies, procedures, and defenses suffered the highest number of security breaches. It is possible that security-challenged CIKR organizations are under attack but lack the security skills and tools to remediate security incidents.
2. Twenty percent of those surveyed rated their CIKR organization’s security policies, procedures, and technology safeguards as “fair” or “poor.”
3. Seventy-one percent of survey respondents believe that the threat landscape will get worse in the next 24-36 months (26% believe it will be “much worse”).
4. Almost one-third of respondents (31%) believe that the US Federal Government “should be significantly more active with cyber security strategies and defenses.”

Most of the report focused on cyber supply chain security. Simply stated, cyber supply chain security extends cyber security policies, processes, and controls to all parties that touch IT–technology vendors, software developers, business partners, etc. Most CIKR organizations are way behind here. Technology vendor security gets little oversight. Secure software development processes are immature. External IT relationships are secured through informal agreements and security data sharing.

In aggregate, the report provides real data quantifying these and other cyber security issues. The entire report is available for free download here.

Critical infrastructure protection and cyber security have been part of the lexicon in Washington since at least 1998. It is about time for less talk or more action. Hopefully, this report helps accelerate this activity.

Related posts:

1. Critical Infrastructure Organizations Want Cyber Security Help From the Government
2. WikiLeaks, Critical Infrastructure, and Cyber Security
3. Are Critical Infrastructure Organizations Unaware of Security Incidents?
4. Corporate Executives Remain Lukewarm on Cyber Security
5. Are IT Vendors Getting a “Free Pass” On Cyber Security?

Tags: Barack Obama, Bill Clinton, CIP, Critical Infrastructure Protection, cyber security, cyber supply chain, Cyber supply chain assurance, cyber supply chain security, DHS, DOD, Howard Schmidt, John Harme, PDD-63