Can collaboration defend U.S. critical infrastructure?

America's power supply system is at risk of a cyberattack, NSA director warns. (Stock image)

Vulnerabilities in critical infrastructure, particularly through cybersecurity gaps, are a top concern for government officials and lawmakers. Legislation to address those gaps so far has failed, and key partnerships are crucial to shoring up weaknesses as best as possible until a bill passes, officials say.

Cybersecurity legislation recently passed the House and is moving on to the Senate after failing last year. Without it, however, certain sectors are at a serious security risk. Power companies and other utilities are particularly vulnerable, but collaboration among government agencies and with the private sector is critical, according to Gen. Keith Alexander, National Security Agency director and commander of U.S. Cyber Command.

"When you talk about legislation and developing standards, the power companies are really the ones who have the biggest problem, because if you say, 'We want you all to be here,' some of them can't get there," Alexander said, referring to cybersecurity standards. "I've heard people [say] they're 'below the poverty line' in cybersecurity. For them to leap above it, they don't have the cash on hand to do it. So to set a standard they can't meet is very difficult, and that's part of the pushback. This is one of the big problems we have."

Alexander called on members of industry attending a Northern Virginia Technology Council event on May 10 to help push for legislation, and he tried to clarify the intent of laws that would permit e-mail monitoring for malicious activity – emphasizing that the monitoring would involve no personally identifiable information.

"It's not hard technically, but it is hard for our nation to understand. The immediate thing people jump to is civil liberties and privacy; 'you're going to read all our email.' Let me make it clear we are not," he said. "We're asking for industry to look at that and tip that in a meta-data-like sense back to us."

Alexander said that if such a measure does not pass, a future attack might lead to hastily written legislation. "[T]wo years after that, we'll say, 'How did we do such terrible legislation?' We have the time to do this now, to get this right, and we should do that."

Meanwhile, agencies and industry are collaborating as best they can under the current laws, he said. Alexander has frequently discussed the division of cybersecurity responsibilities among NSA, CyberCom, the Homeland Security Department and the FBI, which he reiterated at the NVTC event. He also called for new guidance to better define how agencies and industry should collaborate.

"Industry owns 90 percent of this space. The government has a responsibility to help defend this space. We've got to come up with a framework for how government and industry work together," Alexander said. "What we're going to have to do is work with each of the sectors, and that's where the framework will come in – to help them get to the right standards. We have a long way to go, and that's a vulnerability we are concerned about, as are other sectors of our government."

It is an idea that DHS shares, according to Joe Jarzombek, director for software assurance within DHS' Office of Cyber Security and Communications.

"You look at the nation's critical infrastructure, and everyone relies on it...but the government does not own or operate it. Therein lies the collaboration needs," Jarzombek said at another industry event earlier in the week. "The point is that within the federal government, we're starting to move forward in this in the same manner... we have a responsibility of helping those who run our critical infrastructure."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

Reader comments

Sun, May 19, 2013 Michael Elling United States

Until people are willing to share power, collaboration cannot occur. Information = power. This insightful article from Nicholas Johnson from 1970 indicates that the same issue plagued federal/state/local officials back then as they do now. Instead of it being a supply/technology issue, let's just agree it's a demand issue. http://www.uiowa.edu/~cyberlaw/cpsr/year2000.txt
