The Center for Strategic and International Studies (CSIS) and the security company McAfee put on a panel this week to release their report “In the Crossfire: Critical Infrastructure in the Age of Cyber War.” A simultaneous release occurred in Davos.
The approach was a survey:
Six hundred IT and security executives from critical infrastructure enterprises across seven sectors in 14 countries all over the world anonymously answered an extensive series of detailed questions about their practices, attitudes and policies on security: the impact of regulation, their relationship with government, specific security measures employed on their networks, and the kinds of attacks they face.
If you weren’t nervous when you walked into the event, you should have been when you came out. The attacks are unrelenting, and, as one of the panelists pointed out, the bad guys are not faced with intractable problems of coordinating across large and sclerotic public and private bureaucracies and political jurisdictions, and they don’t spend all their time in meetings. In particular, governments are making inadequate use of the information and expertise that exists in the private sector.
It was a good, tough discussion, with lots of solid nuggets from people who know their business. (The audio is here.) There are some unexpected twists. Not surprisingly, the oil and gas industry is a prime target because its information is valuable. But the oil and gas industry can harden up; who hardens the water & sewer system, where the information is not valuable but the potential for disruption is very high? How do we reconcile an open and public Internet with increasing security concerns?
The report’s lead author was Stewart Baker, former assistant secretary of Homeland Security and former general counsel of the National Security Agency. After the session, he recommended a couple of other useful reports: SecDev’s “Tracking GhostNet: Investigating a Cyber Espionage Network” (2009), and “Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation,” prepared by Northrop Grumman for the U.S.-China Economic & Security Review Commission.
Prepare to sleep with the light on. The monsters may not be in the closet, but they are coming out of your computer.