In 1998, then-President Bill Clinton recognized that the United States was especially vulnerable to a cyber attack on its critical infrastructure. Clinton addressed Critical Infrastructure Protection (CIP) by issuing Presidential Decision Directive 63 (PDD-63).
Soon after PDD-63, Deputy Defense Secretary John Hamre cautioned the US Congress about the importance of CIP by warning of a potential “cyber Pearl Harbor.” Hamre stated that a devastating cyber attack “is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.”
It’s been 12 years since this dire warning, and the general consensus is that US cyber security vulnerabilities are worse, not better. Barack Obama recognized this problem as a candidate and then as President. Upon taking the oath of office, the President called for a 60-day security review and then addressed the media in May 2009. The President stated, “it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation... we’re not as prepared as we should be, as a government or as a country.”
The fundamental assumption here is that the US critical infrastructure is vulnerable to a cyber attack, but is this truly the case or just empty Washington rhetoric? Unfortunately, a recently published ESG Research Report reveals that the US critical infrastructure is vulnerable today and could become even more vulnerable in the future without decisive near-term action.
ESG surveyed 285 security professionals working at organizations considered as “Critical Infrastructure and Key Resources” (CIKR) by the US Department of Homeland Security. Here are some key research findings:
Most of the report focused on cyber supply chain security. Simply stated, cyber supply chain security extends cyber security policies, processes, and controls to all parties that touch IT: technology vendors, software developers, business partners, etc. Most CIKR organizations are way behind here. Technology vendor security gets little oversight. Secure software development processes are immature. External IT relationships are secured only through informal agreements and security data sharing.
In aggregate, the report provides real data quantifying these and other cyber security issues. The entire report is available for free download here.
Critical infrastructure protection and cyber security have been part of the lexicon in Washington since at least 1998. It is about time for less talk and more action. Hopefully, this report helps accelerate that activity.