Now that Web-based technologies control everything from the electric grid to the water supply, cyberattacks on critical infrastructure have become the most pressing threat to national security, according to a national intelligence report to Congress.
Andy Ozment, senior director for cybersecurity at the White House, embraced states as key partners in efforts to secure the nation's assets.
“You own and operate critical infrastructure,” he said Tuesday at a meeting of the National Association of State Chief Information Officers. “Your own services constitute critical infrastructure in ways that are hugely important. We have to work with you to identify those portions of your systems and networks that are the most important and the most critical, and share with you whatever resources we can to help you secure those.”
Federal legislation on cybersecurity appears stalled, so the White House is working on a strategy to protect such assets—which are often owned and operated by the private sector—through an executive order and presidential policy directive issued in February.
The executive order directs the Department of Homeland Security to share timely information on cyber threats with state and local governments and private sector companies with responsibility for critical infrastructure. It requires DHS to expedite clearances for state, local and private sector personnel to receive classified and sensitive threat information.
The executive order also requires the Commerce Department's National Institute of Standards and Technology to work with industry leaders to develop a cybersecurity framework for companies with responsibility for critical infrastructure. NIST is expected to finalize a framework that includes joint standards and best practices by February 2014. Compliance will be voluntary.
NASCIO warned against requiring states to take on responsibilities they don't have the resources to deliver and pleaded for support in comments about the framework's development submitted to NIST in April.
“States are a key partner in delivering over $600 billion in federal programs to citizens, and therefore the federal government has a direct interest in helping states secure their data and systems against attack,” NASCIO wrote. “The overarching demand to be efficient with taxpayer funds and ensure as much funding as possible goes to the end users of public services often means that veiled costs of operation such as cyber defenses, training, and identity management are severely neglected.”
A survey of state chief information security officers released by NASCIO and Deloitte in October found that only 24 percent are “very confident” that their state assets are protected against external threats. Only 32 percent said their staff have the required cybersecurity competency.
Teri Takai, chief information officer of the U.S. Department of Defense, said the approach in the executive order offers particular benefits to state governments protecting critical infrastructure within their borders.
“For the states, [the executive order] is important because they have limited resources to be able to deal with the cybersecurity challenge,” said Takai, who previously served as chief information officer of California and Michigan. “As much as the federal government can promote information sharing that the states can take advantage of, my belief is that it will be a benefit to them.”
Mark Reardon, Georgia's chief information security officer, credited the executive order with improving the quality of threat information that DHS is sharing with states and the private sector. “I see them working to improve that process every day,” he said.
Still, Reardon is concerned that private sector interests be protected as the executive order gets underway and if Congress takes up legislation requiring or incentivizing companies to share information. “The public sector needs to understand that the private sector is in business, and sharing information can impact their business in a bad way,” he said. “We need to understand that and put safeguards up so that the people sharing that kind of information with us are protected from fallout.”
As a first step, Reardon said Georgia has begun sharing information about particular threats with companies but is doing so carefully, with an eye toward not burning any bridges. “We don't expect anything in return except an occasional thank you and feedback about what I can do to improve what I'm giving them,” he said.