For cybersecurity, it's share and share alike

National Infrastructure Advisory Council and briefing materials from Oct 14 meeting

The leaders responsible for the nation's critical infrastructures must create rules for working together in the event of a crisis, according to a presidential advisory group.

Those rules will be the first step in avoiding a calamitous domino-like crash of succeeding infrastructures if there is a unified attack, private-sector leaders concluded in a set of proposed recommendations for the Bush administration.

The National Infrastructure Advisory Council (NIAC), made up of 30 high-level executives from the private sector, is developing recommendations for President Bush and the Homeland Security Department. The group will make a wide range of recommendations, covering everything from how to disclose software vulnerabilities to where government regulation can enhance security.

The council includes representatives from every sector, but the group called on expertise from organizations at DHS, the FBI, national labs and several sector-specific organizations, such as the National Energy Resource Council and the financial services' Banking Industry Technology Secretariat, a technology consortium of the nation's largest banks, to develop the recommendations.

The goal of NIAC's recommendations is to alleviate the risks of any disruptions in infrastructures, which include everything from power companies to telecommunications networks.

The power of the potential failures was demonstrated this summer when a widespread power blackout spread over the Northeast and when a string of worms and viruses clogged Internet connections.

Incidents can have widespread, unanticipated effects, said council chairman Richard Davidson, chairman and chief executive officer of Union Pacific Corp.

The council's first set of recommendations will go to the White House soon. Others will be ready early next year.

The work that has already been done will be extremely helpful for the Information Analysis and Infrastructure Protection Directorate at DHS, said Robert Liscouski, assistant secretary of the infrastructure protection office.

"The working group has identified a lot of the things that we've identified as we're rolling out," he said.

The nine proposed recommendations, presented by the Working Group on Cross Sector Interdependencies and Risk Assessment Guidance at the quarterly NIAC meeting last week, have several short-term and long-term action items.

Consistency across sectors is a common theme running throughout the recommendations.

A critical step is for leaders of the critical infrastructures to name a coordinator, the group said. The coordinator must be a full-time position, "given the importance of this role and the magnitude of this role," said Susan Vismor, senior vice president of strategic technology at Mellon Financial Corp. and co-chairwoman of the working group.

The proposed recommendations focus on the policy, coordination and management aspects of problem prevention and incident response, because modeling interdependencies is a multiyear and multimillion-dollar process, Vismor said.

Once the recommendations are implemented, the working group plans to report back to NIAC through a score card that measures progress on each item.

The council also heard updates from working groups that are developing a common vulnerability reporting methodology, attempting to improve the implementation and use of information sharing and analysis centers in every sector, and looking at the potential role of government regulation in private-sector infrastructure security.

Experts have discussed the need for common reporting metrics. The shrinking cycle between a vulnerability's discovery and an attacker's exploitation — the Blaster worm this summer had a cycle time of less than a month — proves the need for immediate action, said John Chambers, vice chairman of NIAC and chairman of the vulnerability disclosure working group.

The working group's recommendations will go to the president in January, but during the next four to six months, experts will develop a common way to categorize vulnerabilities, because even organizations within a single sector can't seem to agree on this issue. "A common scoring method...will underpin the rest of the vulnerability disclosure guidelines," Chambers said.

DHS officials are anxious to get the recommendations from the information sharing and analysis center enhancement working group, because that is a situation that the department is trying to address, Liscouski said.

To determine how government regulation could assist in raising the level of infrastructure security, the working group's recommendations are "going to be extremely valuable to us," Liscouski said.

"This is probably one of the more critical areas that we're looking at" because of all the attention from industry, Congress and agencies, he said.

Responding to a direct request from President Bush in July, members also formed two new working groups to examine how to rank sectors' vulnerability to cyberattacks and determine how best to increase the overall security of the Internet.


Nine steps to better security

The United States should take nine steps to improve the security of critical infrastructures, according to a working group of the National Infrastructure Advisory Council.

* Create similar reporting structures across the various critical infrastructure sectors, such as energy and telecommunications.

* Better define and publicize the role of sector coordinators.

* Develop and test crisis management plans in each sector and across sectors.

* Create a cross-sector virtual command center to coordinate interaction with the private sector during crises.

* Take advantage of government-sponsored exercises to devise and test response plans.

* Enhance public awareness of the nation's dependency on the Internet and promote development of higher-quality software.

* Establish consistent coordination among public and private emergency management organizations.

* Find ways to defray the financial burden of securing critical infrastructures.

* Build on simulation and modeling technology created in national laboratories to conduct infrastructure research.

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group