Protection of critical systems still haphazard

Two years after terrorists killed 3,000 people, the government and the private sector are still struggling to define priorities for the security of the nation’s critical infrastructure and to turn those priorities into real systems and programs.

“We’ve made significant progress toward shoring up the necessary layers of homeland security that have helped make America safer,” said Secretary of Homeland Security Tom Ridge, speaking last week at the American Enterprise Institute in Washington.

Ridge credited the intelligence community’s Terrorist Threat Integration Center and the U.S. Department of Homeland Security’s Information Analysis and Infrastructure Protection Directorate with helping to improve threat analysis and information sharing.

While those efforts were desperately needed, security experts said progress has been slowed by the departure of cybersecurity czar Richard Clarke in February, when the DHS was formed. They said the department has a long way to go toward asserting its leadership in building a more solid relationship with the private companies that own and operate more than 85 percent of the nation’s most critical facilities and information networks.

“From an information-sharing perspective, there has been progress, but much, much less than I had hoped for in two years,” said John Pescatore, an analyst at Gartner Inc. in Stamford, Conn.

Allen Paller, research director at the Bethesda, Md.-based SANS Institute, painted a bleak picture of homeland security, one marred by competing interests.

“Since September 2001, the government and other critical-infrastructure institutions have installed more than 1 million Internet-connected systems with significant vulnerabilities,” he said. “The staff who manage systems have fallen further behind in security skills, the automated attack tools have gotten more sophisticated and more effective, and the vendors have sent marketing people to Washington with the express purpose of keeping the government from exerting any real pressure on the vendors to improve the situation.”

Paller added that “only the vendors have the economies of scale to reduce the global vulnerability to cyberattacks. But they will not act until the government recognizes it must use its procurement power to persuade them to act in the national and global interest.”

Ken Watson, president of the Partnership for Critical Infrastructure Security, a Washington-based industry alliance, and director of critical-infrastructure protection at Cisco Systems Inc., said he has met several times with the new management team at the Information Analysis and Infrastructure Protection Directorate. Watson said he’s “very encouraged” by the priority the DHS is placing on working with the private sector on cybersecurity issues. However, he acknowledged, “almost all the DHS principals are new, and that newness brings with it an education and relationship-building process.”

One area where immediate action is needed is in infrastructure interdependency research. When asked by Congress during a hearing on Sept. 4 if there was one weak link in the security of the power grid, for example, Watson said the interdependent nature of all critical infrastructures makes it difficult to label any one sector of the economy as a weak link. “The first thing the government can do is provide guidance on priorities,” he said.

And though several efforts are under way to create infrastructure models to study public/private interdependencies, “a comprehensive infrastructure modeling project will require additional government funding,” said Watson. “Without higher funding levels, this may take a decade to accomplish and only marginally benefit the (private) sector.”