Can collaboration defend U.S. critical infrastructure?

Vulnerabilities in critical infrastructure, particularly through cybersecurity gaps, are a top concern for government officials and lawmakers. Legislation to address those gaps so far has failed, and key partnerships are crucial to shoring up weaknesses as best as possible until a bill passes, officials say.

Cybersecurity legislation recently passed the House and is moving onto the Senate after failing last year. Without it, however, certain sectors are at a serious security risk. Power companies and other utilities are particularly vulnerable, but collaboration among government agencies and with the private sector is critical, according to Gen. Keith Alexander, National Security Agency director and commander of U.S. Cyber Command.

"When you talk about legislation and developing standards, the power companies are really the ones who have the biggest problem, because if you say, 'We want you all to be here,' some of them can't get there," Alexander said, referring to cybersecurity standards. "I've heard people [say] they're 'below the poverty line' in cybersecurity. For them to leap above it, they don't have the cash on hand to do it. So to set a standard they can't meet is very difficult, and that's part of the pushback. This is one of the big problems we have."

Alexander called on members of industry attending a Northern Virginia Technology Council event on May 10 to help push for legislation, and he tried to clarify the intent of laws that would permit e-mail monitoring for malicious activity – emphasizing that the monitoring would involve no personally identifiable information.

"It's not hard technically, but it is hard for our nation to understand. The immediate thing people jump to is civil liberties and privacy; 'you're going to read all our email.' Let me make it clear we are not," he said. "We're asking for industry to look at that and tip that in a meta-data-like sense back to us."

Alexander said if such a measure does not pass, a future attack might lead to hastily written legislation in the future. "[T]wo years after that, we'll say, 'How did we do such terrible legislation?' We have the time to do this now, to get this right, and we should do that."

Meanwhile, agencies and industry are collaborating as best as they can with the current laws, he said. Alexander has frequently discussed the divisions of cybersecurity responsibilities between NSA, CyberCom, Homeland Security Department and the FBI, which he reiterated at the NVTC event. He also called for new guidance to better define how agencies and industry should collaborate.

"Industry owns 90 percent of this space. The government has a responsibility to help defend this space. We've got to come up with a framework for how government and industry work together," Alexander said. "What we're going to have to do is work with each of the sectors, and that's where the framework will come in – to help them get to the right standards. We have a long way to go, and that's a vulnerability we are concerned about, as are other sectors of our government."

It is an idea that DHS shares, according to Joe Jarzombek, director for software assurance within DHS' Office of Cyber Security and Communications.

"You look at the nation's critical infrastructure, and everyone relies on it...but the government does not own or operate it. Therein lies the collaboration needs," Jarzombek said at another industry event earlier in the week. "The point is that within the federal government, we're starting to move forward in this in the same manner... we have a responsibility of helping those who run our critical infrastructure."