Obama's Cybersecurity Push: What It Means for CIOs
President Obama aims to fix U.S. cybersecurity, but can the feds hit a moving target? Not without private sector support and practical solutions.
>
U.S. financial systems, of course, are a favorite target of both casual and serious hackers. The worry is that focused attacks will hit the 17 other sectors deemed critical infrastructure, which include energy, agriculture, transportation, telecommunications, health care, defense contractors and nuclear facilities. As companies collaborate over the Internet, and core IT systems rely more on the public network, vulnerabilities increase. Threats to federal and infrastructure IT systems "are evolving and growing," says the Government Accountability Office (GAO). Security incidents reported to US-CERT, a government organization that tracks security, tripled from 5,500 in 2006 to 16,800 last year.
In April, for example, government officials confirmed that since 2007, hackers have been slipping into computer systems behind the Joint Strike Fighter weapons project. They gained access through defense contractors on the project, which Lockheed Martin is leading. Through these private-sector entry points, the spies have gotten away with several terabytes of design and electronics system data, the officials told The Wall Street Journal. The invaders are thought to be in China.
In February, a FAA website was hacked, exposing data on 48,000 current and former employees, according to a recent audit by the Office of Inspector General (OIG). And in 2008, the OIG says, hackers took over FAA servers in Alaska, discovered the password of an administrator in Oklahoma and got access to 40,000 FAA user names and passwords. Security testing as part of the audit identified 763 high-risk vulnerabilities, such as computers that allowed the remote execution of commands that could shut systems down or reveal sensitive data.
The Central Intelligence Agency has revealed that hackers have caused power outages by breaking into the electricity grid in unnamed countries outside the United States. This month, the North American Energy Reliability Corp. (NERC)—the U.S. electricity industry's biggest trade group—starts auditing power companies to ensure they register critical cyberassets and comply with federal and NERC's own measures to protect them. In an April letter to members, NERC's chief security officer warns of "the potential for the simultaneous manipulation of all devices in the substation or, worse yet, across multiple substations."
"I'm not trying to be a doomsdayer," says John Gilligan, former CIO of the U.S. Air Force and a former executive specializing in telecommunications security at SRA International. "But I can't think of anyone with real knowledge of what's going on who would say he feels confident in our ability to defend ourselves."
Now an independent consultant, Gilligan recently produced what he calls the Consensus Audit Guidelines, one of many proposals for fixing federal and critical infrastructure security now zinging around Washington (see System Security: 5 Ways to Improve Your Defenses Against Attack). What has bothered Gilligan throughout his decades in IT, he says, is how many different computing standards, mandates, regulations and laws govern different parts of the government as well as critical infrastructure companies.
Security
Receive the latest security news as it breaks.
