Frontline Impacts
This is vital to secure critical infrastructure --- impact is hege, the economy, food prices, energy shocks, and chemical industry
Sebastian ’09 (Rohan,- research for the office of Virginia Senator Mark Warner CS Computer Science from UVA, 6-24 “The Federal Government’s Role in Preserving Cybersecurity for Critical Infrastructure”)
The intersection of critical infrastructure and cyberspace has presented many challenges to policymakers. Critical infrastructure includes areas like the water and food supply, telecommunications, nuclear power, transportation, banking, and energy---areas crucial to the functioning of society. Eighty percent of this critical infrastructure is owned by the private sector. The continual delegation of control of critical infrastructure to cyberspace without regard to security has posed many vulnerabilities that malicious actors could exploit. To address these vulnerabilities, policymakers can utilize three options: strengthening partnerships between the public and private sectors, installing a White House official to deal solely with cyber security issues, and encouraging collaboration between critical infrastructure operators for coordinating best practices and crisis management. In conclusion, this analysis recommends that the federal government follow a course incorporating all three options because the effects could be mutually reinforcing. A long term solution to cybersecurity must take note of the private sector’s insight to be successful; a national dialogue on the importance of cyber security needs to take its cue from the White House; in the meanwhile, proprietors of critical infrastructure should ensure that they can reduce the damage caused by disasters or attacks by establishing clear lines of communication.
[End of Abstract – Start of Intro]
Critical Infrastructure
Government and the private sector have reaped digital networking’s benefits by using computer networks to control vital parts of critical infrastructure from cyberspace. However, remote access to critical infrastructure from cyberspace has placed these systems at risk of destruction by other countries, malicious actors, or terrorists. This analysis proposes three options that the federal government can implement: strengthening partnerships between the public and private sectors, integrating resources under a White House official, and increasing collaboration between levels of critical infrastructure. After scrutinizing these options under the criteria of political feasibility, industry acceptance, and efficacy, this analysis recommends that the federal government pursue a combination of all three policy options. Critical infrastructure includes areas such as transportation, water supplies, public health, telecommunications, energy, banking and finance, emergency and information services, nuclear facilities, food supplies, and defense and chemical industries (Moteff & Parfomak, 2004). According to the Department of Homeland Security’s National Strategy for Homeland Security, critical infrastructure consists of “assets, systems, and networks, whether physical or virtual, so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof” (Homeland Security Council, 2007). Figure 1 illustrates the myriad of infrastructures and their interdependencies with one another. Simply put, critical infrastructures comprise the foundation for the modern economy and national security, so the federal government shares responsibility for protecting them.
However, the government rests in a precarious position because the private sector owns about eighty percent of critical infrastructure (Forest, 2006, p. 78). Furthermore, about eighty percent of all American commerce occurs on privately owned telecommunications networks, primarily the Internet (Theohary, 2009, p. 20). Even the most valuable national defense systems rely on privately owned telecommunications networks (National Security Agency, 2009). As digital networking proliferates through society, builders will delegate control of more and more parts of critical infrastructure to the realm of cyberspace. In fact, every piece of software added to a system expands the “attack surface” accessible to external actors (Welander, 2009, p. 42). Therefore, cybersecurity is necessary to safeguard this infrastructure.
The Need for Cybersecurity
Proprietors often control critical infrastructure from cyberspace. According to the National Security Presidential Directive 54 and Homeland Security Presidential Directive 23 issued by the George W. Bush Administration, cyberspace consists of the “interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries” (as cited in National Cyber Security Center, 2009, p. 11). The intersection of critical infrastructure and cyberspace means that policymakers should strive to establish security while retaining a relatively open cyberspace. Several government officials have emphasized the catastrophic effects of compromised cybersecurity. Paul Kurtz, an advisor on President Obama’s transition team, warned of a “cyber Katrina,” a cataclysm in which government agencies would fail to coordinate after a cyber attack and would subsequently collapse (Epstein, 2009).
Mike McConnell, a former director of both the National Security Agency and National Intelligence, declared that if the September 11th, 2001, hijackers had launched a focused attack on an American bank, the economic ramifications would have been of “an order of magnitude greater” than the destruction of the World Trade Center (Harris, 2008). Former cyber security advisor Richard Clarke, who served in the Clinton and Bush Administrations, asserted that the primary target for a terrorist’s cyber attack would be the economy whereas casualties and chaos would be secondary (as cited in Rollins & Wilson, 2007, p. 3). In fact, Director of National Intelligence Dennis Blair stated that cyber attacks against financial sectors and physical infrastructure could “severely impact the national economy” and disturb energy sources like oil and electricity for an indefinite period (Annual Threat Assessment, 2009). Beyond threatening the private sector, intruders have been specifically targeting the federal government’s information technology infrastructure. A report by the International Business Machines Corporation revealed that of the 237 million security attacks carried out in the first half of 2005, more than twenty-two percent, the highest percentage against any given group, aimed for government agencies (Fitzgerald, 2006, p. 57). Between 2008 and March 2009, the number of attacks against federal computer networks swelled about forty percent (Smith, 2009). The Department of Defense dubbed the military’s electronic information infrastructure the American military’s “Achilles’ heel” (Defense Science Board, 2008). Though these assorted officials would concur on the gravity of cybersecurity, they might dissent on the correct policy solution. 
As the White House’s Cyberspace Policy Review pointed out, cyberspace policy envelops the following: security of and operations in cyberspace, …, the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure (National Cyber Security Center, 2009, p. 5). This analysis will lay out three policy options to address these issues.
Strengthening Partnerships between the Public and Private Sectors
Any kind of long term solution to cybersecurity threats must consider the private sector since it owns about eighty percent of the nation’s critical infrastructure. Legislators cannot expect a law ignoring the private sector’s input to succeed because business’s efforts will ultimately determine effective cybersecurity policies. Thus, the government can continue encouraging the deepening of relationships with the private sector. Advocating a redefinition of government’s relationship to the software business, General James Cartwright stated that government should treat “cyber security as a weapon system” (Rutherford, 2008). A paradigm shift to Gen. Cartwright’s mindset would be favorable for government and business because the public sector widely uses private sector products. The Department of Defense, in particular, uses “Commercial-Off-the-Shelf” products since these packages are cheaper and more innovative than a government established standard. Communication between government and the private sector would be helpful for alleviating situations involving systemic software threats. For example, the Microsoft Windows operating system runs on “ninety-five percent of personal computers worldwide,” so hackers often exploit its vulnerabilities.
In 2003, the Blaster worm infected “some 400,000 host PCs” in a single day. Microsoft responded by permitting “several governments across the world to take a peek at the precious Windows source code” for input and disclosure (Taylor, 2003). Thus, government benefitted by receiving insight into the potential problems the Blaster worm posed; business benefitted by receiving the government’s assistance with this problem. A number of forums already exist to serve as models for more formal mechanisms of public-private communication. Microsoft created a Security Response Center that works with the Department of Defense to secure its products (Information Technology in the 21st Century Battlespace, 2003). Learning from Carnegie Mellon University’s public-private alliance model, the Department of Homeland Security in 2003 founded the United States-Computer Emergency Readiness Team, a group of government and industry experts compiling software vulnerabilities (Barnes, 2004, p. 327). Similarly, the Protected Critical Infrastructure Information Program in the Department of Homeland Security represents the federal government’s first ever mechanism to collect and analyze data from private companies without fear of releasing that data to the public by the Freedom of Information Act (Grubesic & Murray, 2006, p. 65). In response to the government’s creation of federal agencies like the Critical Infrastructure Assurance Office and National Infrastructure Protection Center in 1998, industry responded with the creation of the Partnership for Critical Infrastructure Security as well as the generation of Information Sharing Analysis Centers (Michel-Kerjan, 2003, p. 136). Industry agents staff these Centers, which specialize in areas like telecommunications, electricity, and finance (Michel-Kerjan, 2003, p. 136). This analysis evaluates this option under the aforementioned criteria. Industry acceptance and political obstacles could obstruct the way to success. 
Politically, the Freedom of Information Act, which could force the disclosure of details of infrastructure weaknesses to the public, may make private companies apprehensive about sharing their data with the government. Laws like the Critical Infrastructure Information Act of 2002 protect the private sector from such disclosures, but companies may be reluctant nonetheless (Pozen, 2005, p. 678). Industry acceptance also affects this option’s efficacy. There are currently federal organizations like the United States-Computer Emergency Readiness Team bridging the communication gap between the public and private sectors, but only serious attention to these programs by both parties will evoke substantive results. Companies confront a tradeoff between security and efficiency as well as transparency and customer satisfaction. Noting this trend, Clay Wilson addressed studies revealing a low rate of cybercrime incident reporting because companies fear consumer backlash from “negative publicity” (Wilson, 2009, p. 24). According to a study conducted among Fortune 1000 companies, one of the most trenchant effects of compromised cyber security is damage to reputation among consumers (Hansen, 2001, p. 1161). This option’s effectiveness is directly tied to political feasibility and industry acceptance.
Extinction
Adhikari ’09 (Richard,- leading journalist on advanced-IP issues for several major publications, including The Wall Street Journal “Civilization's High Stakes Cyber-Struggle: Q&A With Gen. Wesley Clark (ret.)”)
The conflicts in the Middle East and Afghanistan, to name the most prominent, are taking their toll on human life and limb. However, the escalating cyberconflict among nations is far more dangerous, argues retired general Wesley Clark, who spoke with TechNewsWorld in an exclusive interview. That cyberconflict will take a far greater toll on the world, contends Clark, who last led the NATO forces to end the ethnic cleansing in Albania. There is a pressing need for new institutions to cope with the ongoing conflict, in his view. Clark is a member of the boards of several organizations. He has a degree in philosophy, politics and economics from Oxford University and a master's degree in military science from the U.S. Army's Command and General Staff College. Background: In November 2008, the Center for Strategic and International Studies, a Washington-based bipartisan think tank, presented recommendations on national security to the then-incoming Obama administration. These called for an overhaul of the existing national cybersecurity organization. Since then, the state of national cybersecurity has appeared chaotic. In August, White House cybersecurity adviser Melissa Hathaway resigned for reasons that echoed the departure in 2004 of Amit Yoran, who then held essentially the same post. In an exclusive interview earlier this year, Yoran told TechNewsWorld that national cybersecurity was still a mess. TechNewsWorld: Security experts warn that nations are preparing for a new cyberwar. Is our government doing enough to protect our national cyber-infrastructure? Or is it in the process of protecting the cyber-infrastructure? Gen. Wesley K. Clark: I think we're in the process of trying to get it protected, but unlike conventional security considerations, where one can easily see an attack and take the appropriate response, the cyberstruggle is a daily, ongoing affair. 
It's a matter of thousands of probes a day, in and out, against systems that belong to obvious targets like the United States Department of Defense; not-so-obvious targets like banks and energy companies; and individual consumers or taxpayers. It's ongoing, it's undeclared, it's often unreported, and it's very much an ongoing concern at all levels -- business, commerce and individual privacy. TechNewsWorld: The national security infrastructure has repeatedly been reported to be sorely lacking. Is the government moving fast enough? Does it need to do more? Clark: It does need to do more. It's in the process of doing more, and there's a tremendous amount of public and private sector effort going into cybersecurity right now. Whether it's going to be adequate or not is not the issue. There are many approaches to this problem that are mainly based on software, but software is vulnerable. When you open up to communicate with the Web, when you bring in data and programs from another source, when you bring in applications -- all that entails huge risks. It's dealing with those risks and trying to gain the rewards of doing so that make it such a difficult proposition. Online banking was a novelty 20 years ago. Now, everything happens on the Internet. People pay their bills, they do business, they do their work with customers. People don't fax documents any more if they don't have to -- they do webinars and briefings. All of this exposes the opportunity for mischief. You don't know the source of the mischief. You don't know whether it's individuals trying to solve a difficult technical challenge on their own or if they're connected to governments, or if they're cells attached to governments -- and it's very difficult to pin down ... incoming probes to a source. TechNewsWorld: While it's generally agreed that the next war may be a cyberwar, much of our infrastructure is either hooked up to the Internet or in the process of being hooked up to the Internet. 
Electricity companies, for example, are agitating for the use of smart meters. That being the case, and with hackers increasing the frequency and sophistication of their attacks, does the increasing pace of hooking everything up to the Internet pose a real security threat? Clark: We're going into completely digitized medical records, which could lead to a huge invasion of privacy. It could also lead to things like blackmail and is physically dangerous because people can tamper with records of vital signs, or can alter prescriptions. There's no telling just what could be done. Companies could lose their supply chain management, lose their accounting records, lose their customer lists. Trying to rebuild this on paper when we've all been interconnected on the Internet will cause years of economic decline. We are, as a civilization, quite vulnerable to disruption, and this security problem doesn't just affect one nation but the whole global economic infrastructure. You can't conceive of the threats from the point of view of a traditional war. Cyber-efforts are ongoing today; we're in a cyber-struggle today. We don't know who the adversaries are in many cases, but we know what the stakes are: continued economic vitality and, ultimately, global civilization.