When the Pacific Northwest Economic Region (PNWER) needed a regional cybersecurity vulnerability assessment, it didn’t run to the feds. Instead, the group developed its own exercise, called Blue Cascades, that explored what would happen if critical services like the electric grid or the Internet were lost. PNWER?a partnership of elected officials and corporate executives from five U.S. states, two Canadian provinces and one Canadian territory?sought advice from federal agencies but ran its own exercise in Welches, Ore., last June 12. “There has to be a place where industry is playing a lead role and there’s a climate of trust,” concludes Matt Morrison, PNWER’s executive director. “Every federal agency has been saying, Give us data about your vulnerabilities, but nobody knows what they’re going to do with it.”
Cyberthreats may be global, but cybersecurity is everyone’s responsibility. Regional, statewide or local partnerships can map out a ground-level view of critical services and what’s needed to defend them. Watch for more partnerships like PNWER’s Partnership for Regional Infrastructure Security to emerge this year. “This is our home turf, and we know it,” says Ray Nelson, executive director with the Commonwealth of Kentucky’s Office for Security Coordination. “What may be critical to the feds may not be critical to a county.”
Companies have an incentive to work with the government because it’s cheaper than going it alone. “You can spend all your own money trying to [be secure], or you can learn from other people in your industry and the government,” says Jacques Gansler, the Roger C. Lipitz chair in public policy and private enterprise at the University of Maryland School of Public Affairs. So far, most information-sharing has occurred between companies and the federal agencies that regulate them. The feds have also encouraged companies within the same industry to share information about specific threats, vulnerabilities, and countermeasures through Information Sharing and Analysis Centers (ISACs).
While the ISACs have developed industry-specific security plans, companies are often more comfortable sharing vulnerabilities with the business next door. “They have built relationships on trust,” notes Richard Clarke, special adviser to President Bush on cyberspace security. He says regional groups also know best, for example, which bridges carry fiber-optic cables or which local experts could secure a city’s 911 system.
William F. Pelgrin, director of the New York State Cybersecurity and Critical Infrastructure Coordination Office, wants to bring industry and government representatives together every quarter. “It’s not only so we don’t reinvent the wheel, but also so we can build relationships across sectors.” Those relationships are essential to address interdependencies, he says.
When PNWER did its attack simulation, scenarios included: shutting down the Internet; attacking electric utilities, telecommunications and gas pipelines; contaminating a city’s water supply; and threatening ports with nuclear weapons. Participants uncovered deficiencies in their ability to report and receive information about infrastructure failures, so the group wants to develop a regional communication system to warn companies and agencies about threats or attacks, and to connect the public and private organizations that would be responsible for restoring services. The federal government’s role, could be to provide funding or technical expertise to build that regional communication system, says Paula Scalingi, the former head of the U.S. Department of Energy’s Critical Infrastructure Protection Office who is now helping PNWER develop its regional partnership for infrastructure security.