When it Comes to Cybersecurity, the ‘Who is Responsible for What?’ Debate Continues

May 17, 2011

via NDIA

Most experts seem to agree that the U.S. government’s collective efforts to secure the Internet from large-scale attacks and other nefarious activities are lacking. As for who is responsible for protecting this vital piece of infrastructure, the debate inside and outside the government is ongoing.

Generally, the Defense Department is responsible for its own networks, and the Departments of Homeland Security and Justice for the remainder of the nation. The FBI has the duty to investigate Internet-based crimes, espionage and attacks. DHS has made the Internet part of its critical infrastructure protection programs, but it has no regulatory authority to make an electric company, for example, update its computer security protocols.

The U.S. government is serious when it comes to developing its cyber-offense capabilities, “but is lackadaisical” when it comes to defense, said Michael Peters, a former National Security Agency employee, who currently serves as chief cybersecurity advisor to the Federal Energy Regulatory Commission.

An example of the federal disconnect is the growing smart grid movement. These new power distribution systems, designed to more efficiently move electricity to where customers need it most, are being promoted by the Obama administration with stimulus money, but there are no security requirements attached to the Department of Energy grants to ensure that utility companies are building security measures into the systems from the ground up.

“Smart grids are not so smart,” said Stewart Baker, a visiting fellow at the Center for Strategic and International Studies and co-author of a report sponsored by Internet security provider McAfee, “In the Dark: Critical Industries Confront Cyberattacks.”

He likened it to the very beginning of the Internet itself, when security measures were not built into the system. This is exactly what is happening with smart grids today, which rely on the Internet for command and control.

Should the government force critical infrastructure in private sector hands to comply with computer security requirements? The report showed that in countries such as Japan and China — where government auditors make sure that companies comply with computer network requirements — there is significantly better security, Baker noted during a panel discussion held in Washington, D.C.
