R&D work vulnerable to cyber threats

Cyber vulnerabilities could threaten research and development efforts, and action is needed to stop the commercial losses caused by cyber attacks, cybersecurity experts told a Senate committee today.

The group of experts testifying before the Senate Commerce, Science and Transportation Committee urged more education, research, private-sector involvement and regulations to close cyber vulnerabilities. Panelists also discussed the need to improve the cybersecurity of the systems used to control the delivery of electricity, water, gas and oil.

The government is working on a new Smart Grid that would use computer technologies to make the country's energy infrastructure more efficient.

But the government’s plans for increased technology research and a smart electric grid could be compromised if cybersecurity is not improved, said James Lewis, director of the Center for Strategic and International Studies’ Technology and Public Policy Program.

“Unfortunately, if the new smart meters are not secure, they can be hacked, taken over by attackers and used to disrupt the delivery of electricity,” Lewis said. “If the smart grid is built to existing standards, however, it will not be secure.”

Lewis said that although cybersecurity is often considered a homeland security and military problem, the primary vulnerability is economic, and he emphasized the Commerce Department's role in improving cybersecurity.

“The real risk lies in the long-term damage to our economic competitiveness and our technological leadership,” he said.

Joseph Weiss, a managing partner at Applied Control Solutions and an expert in cybersecurity for systems used to control infrastructure, said action is needed to protect critical assets controlled by computers.

Weiss said current efforts to secure computerized control systems are at the point mainstream information technology security efforts reached 15 years ago. Control systems are similar to standard IT systems, but specific strategies are needed to secure them, he added.

“While sharing basic constructs with IT systems, control systems are technologically, administratively and functionally different than IT systems,” Weiss said. “And this will have a significant impact on the Smart Grid.”

Experts also said increases in funding were necessary for general cybersecurity training, education and research.

Eugene Spafford, executive director of Purdue University’s Center for Education and Research in Information Assurance and Security, said cybersecurity problems involve technology, policy and people.

“We need significant, sustained efforts in education at every level to hope to meet the challenges posed by cybersecurity and privacy challenges,” he said. “We do not currently have the infrastructure to switch into high gear right away, nor do we have the students available.”

Spafford said the commercial losses due to cyber attacks are worth tens of billions per year, and losses stemming from intrusions into classified government systems are as large or larger.

“To put that in context, imagine a Hurricane Katrina-style event occurring every year and being ignored,” Spafford said.

Edward Amoroso, a senior vice president and chief security officer at AT&T, said the government must better address security requirements during the procurement process.

“I look almost daily at requests for proposal and requests for information that come from Washington to the private sector for the products and services that we would be selling them, and they generally don’t have sufficient security embedded in the set of requirements that come to us,” he said.