U.S. Government Slow to React to Cyber Attacks
Perhaps that sounds a bit alarmist. But to some degree, truth does exist within these statements. Over the past decade, thousands of cyber attacks launched against U.S.-based corporations, colleges and universities, and the government itself have cost the country billions of dollars — and the trust of its citizens to keep them safe.
This is the first in a series of articles looking at critical infrastructure in the United States and exploring the consequences of cyber intrusions.
In the last three years, a slew of attacks against various government agencies have occurred, spilling sensitive information on civilians and government employees alike — such as the Department of Veterans Affairs, Department of Treasury, and most recently, the Office of Personnel and Management. In response, politicians attempted to create laws, policies and guidance to better protect the nation.
As early as 1998, the Clinton administration issued Presidential Decision Directive 63 (PDD-63) which sought to define, and thereby protect, the nation’s critical infrastructure. PDD-63 was a seminal policy document which set the stage for the future of critical infrastructure protection.
In 2001, pursuant to PDD-63, the Bush administration’s Patriot Act attempted to further define and protect critical infrastructure, including physical and virtual systems and assets which are vital to the health, safety and security of the United States.
As with any piece of policy or legislation, PDD-63 and the Patriot Act found themselves in need of updates, so in February 2013, the Obama administration issued Executive Order 13636 (EO-13636), or the “Cybersecurity Order.”
EO-13636 was designed to protect the country from an increased rash of attacks. It sought to strengthen the protection of the country’s critical infrastructure by improving cyber threat information sharing between the public and private sectors. It developed a technology neutral cyber security risk management framework. And it aimed to incentivize adoption of standardized cyber security practices. According to EO-13636, critical infrastructure includes the systems that provide citizens with power, water, emergency communications and any other services that are critical to daily life.
Within the United States are scores of antiquated defense systems, plants, refineries and other services that Americans depend upon every day. And many of these legacy systems rely on aging analog controls for operations. Nearly all of these controls were designed without any consideration to cyber security, with no thought about connectivity to the Internet, and with no knowledge of cyber attacks. Once those controls were updated and digitized, they were also connected: to other systems, the power grid and the Internet. And all those connections, while creating opportunities for more efficient and effective management, also created vulnerabilities.
In 2010, a host of countries were infected with a malware program by the name of Stuxnet. This radical malware was designed to attack unique systems and sensors within industrial structures and wreak havoc on digitized controls — causing signals to shut off and rendering responses useless. Iran, Indonesia, India and the United States suffered the first physical damages to non-computer equipment as a result of a sophisticated cyber weapon.
A number of similar attacks soon followed, including Duqu and Flame, comparable to Stuxnet, although causing a different kind of damage while exploiting the same vulnerabilities. These intrusions continued to evolve as the original code for Stuxnet remained open source — readily available for threat actors to re-purpose and tack on additional and more dangerous capabilities.
The need to protect physical as well as virtual infrastructure became clear. So dovetailing with EO-13636, President Obama issued Presidential Policy Directive 21 (PPD-21) to advance and strengthen the country’s infrastructure. PPD-21 identified 16 critical infrastructure sectors and designated specific entities to protect these sectors.
The 16 critical infrastructure sectors and their designated sector-specific agencies are: Information Technology Sector, Department of Homeland Security; Chemical Sector, DHS; Commercial Facilities Sector, DHS; Critical Manufacturing Sector, DHS; Government Facilities, DHS; Nuclear Reactors, Materials and Waste Sector, DHS; Dams Sector, DHS; Transportation Systems Sector, DHS and Department of Transportation; Defense Industrial Base Sector, Defense Department; Financial Services Sector, Department of Treasury; Healthcare and Public Health Sector, Health and Human Services; Food and Agriculture Sector, Department of Agriculture and Health and Human Services; Water and Wastewater Systems Sector, Environmental Protection Agency; Energy Sector, Department of Energy; Emergency Services Sector, state and local governments; and Communications Sector, the private sector.
The definition and assignment of specific agencies to these critical infrastructure sectors have far reaching implications, particularly to technology vendors. As we see a continued increase in third party breaches, data breaches and destruction, and attacks on critical infrastructure, government agencies will need solutions that improve their posture as it relates to not only cyber security, but infrastructure, big data, cloud computing, mobility, and business and operations. Each designated sector-specific agency will have different competencies, and therefore will have different needs.
Tim Larkins is director of market intelligence for immixGroup Inc., an Arrow Electronics company. He can be reached at email@example.com.