The world is up in arms about the WikiLeaks release of a secret cable written in 2009 revealing over 100 facilities that the United States considers Critical Infrastructure and Key Resources (CIKR). The list includes undersea communications cables, hydroelectric plants, pharmaceutical facilities, and chemical manufacturing plants.
Yes, exposing specific facilities is a problem but it would be relatively easy for a diligent adversary to go through publicly-available information and piece together a similar list. WikiLeaks made this task easier but these critical infrastructure organizations and segments weren’t the best kept secret before the documents were posted.
Aside from focusing on these leaks, we must also ask ourselves an important related question: Are these critical infrastructure facilities vulnerable to attack?
I leave the question of physical vulnerability to the military, intelligence, and law enforcement community but I will comment on critical infrastructure vulnerability as it relates to cyber security. According to the recently published ESG Research Report, “Assessing Cyber Supply Chain Vulnerabilities in the U.S. Critical Infrastructure,” 20% of the critical infrastructure organizations surveyed said that their existing security policies, processes, and technology safeguards were “fair” or “poor.” (Note: The entire report is available for download on the ESG website, www.enterprisestrategygroup.com). Additionally, the research indicated that the health care sector tended to be less secure than other industries, which is particularly troubling in light of the WikiLeaks documents.
If I were the CISO at the pharmaceutical facilities identified in France and Denmark, I’d be doing emergency vulnerability assessments and making risk management decisions as a result of WikiLeaks. The ESG data indicates that this type of cyber security behavior shouldn’t be limited to facilities identified on WikiLeaks, however–rather it should be persistent across all critical infrastructure organizations.
Tags: CIKR, Critical Infrastructure, cyber security, cyber supply chain security, DHS, WikiLeaks Posted in Uncategorized | No Comments »
According to the recently published ESG Research Report, “Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure,” 68% of the critical infrastructure organizations surveyed had suffered at least one security breach over the past 24 months.
As if this wasn’t bad enough, the data reveals another alarming trend — organizations with the strongest levels of security are also the ones reporting the highest number of security incidents. Based upon survey responses about cyber supply chain security, ESG created a segmentation model with three groups: 1) Strong cyber supply chain security, 2) Marginal cyber supply chain security, and 3) Weak cyber supply chain security. As expected, organizations with strong cyber supply chain security had superior overall security as well.
Here is how the data breaks out when analyzed against the ESG cyber supply chain security taxonomy:
It could certainly be the case that the most secure organizations are the one under attack most often but there is another possible — and more frightening thesis — organizations with weak security may be unaware that they are under attack. After all, if you have weak processes, tools, controls, and security skills, it might be difficult to spot some of the more sophisticated malicious code or insider attacks.
If this is true, weak security at critical infrastructure organizations threatens national security and thus must be addressed.
Tags: CIP, Critical Infrastructure, cyber security, cyber supply chain security, DHS, malcode, malicious code, security attack Posted in Uncategorized | No Comments »
What’s needed for strong cyber security? Good security policies, processes, and technology safeguards, of course, but highly-secure organizations also integrate security into their corporate culture — from new employees to the corner office. Since the proverbial buck stops at the CEO’s desk, cyber security-conscious and proactive CEOs are a security professional’s best friend.
In its recent research report, “Assessing Cyber Supply Chain Vulnerabilities Within The US Critical Infrastructure” (Note: The report is available for download at www.enterprisestrategygroup.com), ESG Research asked security professionals working at critical infrastructure organizations (i.e., electric power, financial services, health care, etc.) to respond to the following question: “How would you rate your organization’s management team on its willingness to invest in and support cyber security initiatives?” The responses were as follows:
Obviously, executives need to sort through a maze of costs and spend shareholder dollars judiciously. Furthermore, security professionals are paid to be paranoid and will usually want more funding. That said, nearly one-fourth of respondents rated executive management support for cyber security as “fair” or “poor.” Remember too that we are talking about critical infrastructure here — our money, our power, our food, our health care, etc. Yikes! Even more frightening, 38% of survey respondents working at telecommunications companies rated their executive management’s support for cyber security initiatives as “fair” or “poor.” If your cell phone stops working soon, don’t be surprised.
I believe there are several problems here:
It’s time to address these issues. Business managers must realize that automation, digitization, and new applications come with a cyber security cost — period. Security professionals need better communications skills and tools to translate nerdy technospeak into more pedestrian language. Legislators need carrots and sticks to entice technically-challenged 60 year old CEOs to invest in cyber security. It’s that simple. Either we do these things or we wake up one day to darkness. It is our choice.
Tags: Barack Obama, CIP, Critical Infrastructure Protection, Cyber Coordinator, cyber security, cyber supply chain, Cyber supply chain assurance, cyber supply chain security, DHS, DOD, Enterprise Strategy Group, ESG, Howard Schmidt Posted in Uncategorized | No Comments »
Before buying an old house, most people do a thorough home inspection to make sure that plumbing, heating, and electricity infrastructure is safe and stable. When purchasing a car for a new driver, many parents check the vehicle’s crash test rating. These actions are simply common sense due diligence since we want to make sure that our homes and children are safe.
Along the same line of reasoning, one would assume that critical infrastructure organizations (i.e., electric utilities, financial services, health care, food processing/agriculture, etc.) do the same type of due diligence on IT equipment and their IT vendors. After all, these IT systems are the underpinning of their services and thus the backbone of the critical infrastructure at large. One would assume that critical infrastructure organizations do this type of security due diligence, but unfortunately this is usually not true.
According to the new ESG Research Report, “Assessing Cyber Supply Chain Security Within the US Critical Infrastructure” (the report is available for free download at www.enterprisestrategygroup.com), IT product and vendor security audits are performed in a random and haphazard fashion. For example:
Why are many vendors getting a security free pass? I’m not sure. It may be that vendor and product security was no big deal in the past when cyber security was composed of network firewalls and desktop antivirus software. It could be that vendors wow their customers with speeds, feeds, and functionality to keep them from digging into geeky security issues. Perhaps they schmooze customers with sporting event tickets and golf outings to take their minds off of product security.
In any case, this behavior should be unacceptable henceforth. The threat landscape is getting more and more sophisticated each day, so each product’s security must stand out on its own.
Note to critical infrastructure organizations: Many IT vendors virtually ignore security in their product design and development. You should be doing a heck of a lot more security due diligence on IT products, vendors, and services, and institute procurement rules that mandate specific security metrics. Vendors should no longer have security–or insecurity–carte blanche.
Tags: Barack Obama, CIP, Critical Infrastructure Protection, cyber security, cyber supply chain, Cyber supply chain assurance, cyber supply chain security, DHS, DOD, Enterprise Strategy Group, ESG, Howard Schmidt Posted in Uncategorized | No Comments »
ESG Recently Published a new Research Report titled “Cyber Supply Chain Security Vulnerabilities Within The U.S. Critical Infrastructure.” The report can be downloaded here.
As part of the survey, we asked respondents whether the U.S. Federal Government should be more active with cyber security strategies and defenses. Most respondents believe that the answer is “yes;” 31% said that the U.S. Federal Government should be “significantly more active with cyber security strategies and defenses” while 40% believe that the feds should be “somewhat more active with cyber security strategies and defenses.”
Okay, but what exactly should the government do? ESG asked this question as well–here are the results:
Interesting mix of carrot and stick suggestions. I don’t think the IT industry would be too thrilled with “black lists” or changes in liability laws, so expect lobbyists to push for federal incentives and programs.
One other interesting note here: Heavily regulated critical infrastructure organizations with the highest levels of security were most likely to push for more stringent regulations. It appears that something is lacking in current cyber security legislation that heavily regulated organizations recognize and want to change.
Tags: Barack Obama, Bill Clinton, CIP, Critical Infrastructure Protection, cyber security, cyber supply chain, Cyber supply chain assurance, cyber supply chain security, DHS, DOD, Enterprise Strategy Group, ESG, Howard Schmidt Posted in Uncategorized | 2 Comments »
In 1998, then President Bill Clinton recognized that the United States was especially vulnerable to a cyber attack to its critical infrastructure. Clinton addressed Critical Infrastructure Protection (CIP) by issuing Presidential Directive 63 (PDD-63).
Soon after PDD-63, Deputy Defense Secretary John Harme cautioned the US Congress about the importance of CIP by warning of a potential “cyber Pearl Harbor.” Harme stated that a devastating cyber attack “is not going to be against Navy ships sitting in a Navy shipyard. It is going to be against commercial infrastructure.”
It’s been 12 years since this dire warning and the general consensus is that US cyber security vulnerabilities are worse, not better. Barack Obama recognized this problem as a candidate and then as President. Upon taking the oath of office, the President called for a 60-day security review, and then addressed the media in May 2009. The President stated, “it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation. . . we’re not as prepared as we should be, as a government or as a country.”
The fundamental assumption here is that the US critical infrastructure is vulnerable to a cyber attack, but is this truly the case or just empty Washington rhetoric? Unfortunately, a recently published ESG Research Report reveals that the US critical infrastructure is vulnerable today and could become more vulnerable in the future without decisive near-term action.
ESG surveyed 285 security professionals working at organizations considered as “Critical Infrastructure and Key Resources” (CIKR) by the US Department of Homeland Security. Here are some key research findings:
Most of the report focused on cyber supply chain security. Simply stated, cyber supply chain security extends cyber security policies, processes, and controls to all parties that touch IT–technology vendors, software developers, business partners, etc. Most CIKR organizations are way behind here. Technology vendor security gets little oversight. Secure software development processes are immature. External IT relationships are secured through informal agreements and security data sharing.
In aggregate, the report provides real data quantifying these and other cyber security issues. The entire report is available for free download here.
Critical infrastructure protection and cyber security have been part of the lexicon in Washington since at least 1998. It is about time for less talk or more action. Hopefully, this report helps accelerate this activity.
Tags: Barack Obama, Bill Clinton, CIP, Critical Infrastructure Protection, cyber security, cyber supply chain, Cyber supply chain assurance, cyber supply chain security, DHS, DOD, Howard Schmidt, John Harme, PDD-63 Posted in Uncategorized | No Comments »
Have you heard of the Technology CEO Council? Neither had I until recently. The council is made up of a strange mix of tech CEOs from organizations including Applied Materials, , , IBM, Intel, Micron, and Motorola. Why this group and not Adobe, Cisco, HP, Juniper Networks, Microsoft, Oracle, and Symantec? Beats me.
Anyway, the group published a paper in early October called, “One Trillion Reasons: How Commercial Best Practices to Maximize Productivity Can Save Taxpayer Money and Enhance Government Services.” The paper stresses the need to reduce federal spending and suggests some IT initiatives in support of this objective. The initiatives include:
The paper is available at www.techceocouncil.org.
I agree with the spirit of this paper as there are plenty of ways to use IT costs savings to reduce overall federal spending. That said, the paper is pretty weak and self-serving. Specifically:
The CEOs also need to remember that their own internal IT organizations are far different than those in the federal government. When EMC executives mandate a massive VMware project, all of IT jumps into formation. It doesn’t work that way in the public sector.
There were certainly some good points in the paper, but overall it is really a marketing piece put out by a lobbying organization. In my humble opinion, there is some irony in this paper and organization–while the Technology CEO Council puts out a paper about how the federal government can save money on IT, companies like Dell, EMC, IBM, and Intel are happily wasting dough on a half-baked lobbying/PR organization. Funny world.
Tags: Applied Material, CIA, Cloud Computing, data center consolidation, Dell, DHS, DISA, EMC, Federal Enterprise Architecture, FedRAMP, FISMA, IBM, Intel, Klinger-Cohen Act, Micron, Motorola, NASA, Technology CEO Council, Vivek Kundra Posted in Uncategorized | No Comments »
Earlier this week, I participated in the Symantec Government Symposium, an event dedicated to IT and security professionals in the U.S. Federal government. As part of her kickoff presentation, Symantec Federal GM, Gigi Schaum, asked for audience responses to three questions. Here are the questions and the interesting responses:
My take is as follows: Cybersecurity is worse than it was 12 years ago — there are more threats and the threats have become more sophisticated. The nation has been effectively treading water in that time frame so the gap continues to grow. President Obama’s focus on cybersecurity and his appointment of Howard Schmidt were positive moves but not enough.
I agree that hostile foreign nations represent the biggest potential threat but on a day-to-day basis, organized crime is picking our pockets. To some extent, this response concerns me because it casts security into a military category. It is also interesting that 39% said “lack of federal security standards.” These people were either looking myopically at the Federal space alone, or believe that the Feds haven’t stepped up with cybersecurity leadership. The former answer reflects insular Washington, the latter is absolutely true.
As for the final question, I couldn’t agree more. If 80% of the critical infrastructure is in the private sector as the President suggests, then industry must be a major part of the solution. This “public/private” partnership has also been lagging.
In total, these answers tell me that things are getting worse and we aren’t doing enough. Pretty scary stuff.
Tags: Cybersecurity, DHS, DOD, Federal Government, President Obama, Symantec Posted in Uncategorized | No Comments »
Here is another must read New York Times article providing more details about the cyber attack at :
Apparently the bad guys became cyber stowaways — unwelcome and undetected network occupants. Once network access was secured, the cyber stowaways fished around until they found the source code to Google’s password system that controls access by millions of users to Google services. While Google has since added new layers of security, it is still possible that the attackers inserted a Trojan Horse/back door in the password system or studied the code to discover other software vulnerabilities.
Google has some of the smartest software engineers in the world so it is likely that they can stay one step ahead of the bad guys, but the lessons of the Google breach should send up a red flag elsewhere for several reasons:
The bad guys are extremely good at what they do and in many cases, we are several steps behind. There could be cyber stowaways on lots of major commercial, government, and military networks just sitting there, biding their time, and waiting for the right opportunity or target. I hope this realization is now emanating in corporate boardrooms, congress, DHS, DOD, and NSA.
Tags: China, cybercrime, DHS, DOD, Google, NSA Posted in Uncategorized | No Comments »
On May 29th of 2009, President Obama declared: “It’s now clear that this cyber threat is one of the most serious economic and national security challenges we face as a nation.” At FOSE this year, FBI Deputy Assistant Director, Stephen Chabinsky gave this ominous statement, “Cybercrime and cyber terrorism could be a game changer and thus represent an existential threat to our nation.”
With such strong words, you’d think that the Feds would have their act together on all things cybersecurity. Unfortunately, you’d be wrong. Speaking at the Interagency Resource Management Conference this week, Cybersecurity Coordinator Howard Schmidt reinforced this bad news. Schmidt’s wake up call pointed to the fact that the Federal government:
If you aren’t scared and angry right now, you should be. Since 2001, the Federal government has spent billions of dollars on cybersecurity yet these basic problems remain. Heck, we’ve spent hundreds of millions on the Einstein project, an uber network security monitoring technology effort, yet we aren’t doing basic intrusion detection. Ay, ay, ay!
Schmidt, a security veteran is clearly frustrated by what he is finding. The rest of us should be outraged.
Let’s hope that the President, Congress, DHS, DOD, and NSA can get its act together and fix these problems under Schmidt’s capable leadership. If not, we may be in serious trouble.
Tags: cybercrime, Cybersecurity, Cybersecurity coordinator, DHS, Federal Government, Howard Schmidt, President Obama, Stephen Chabinsky Posted in Uncategorized | 1 Comment »
Your email:
