Is the U.S. prepared for cyber war or are we sitting ducks?

Thursday, June 17, 2010

Ron Lepofsky

Before I say anything at all, please eyeball this quote from 60 Minutes by Admiral Mike McConnell, previously Director of National Intelligence, who oversaw the CIA, DIA, and NSA, regarding cyber terrorism and the US electricity infrastructure:

"If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, and I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker," McConnell explained.

"Do you believe our adversaries have the capability of bringing down a power grid?" Kroft (60 Minutes) asked.

"I do," McConnell replied.

This interview follows on the heels of my June 9 blog post about NERC CIP security, “Here’s a better idea for security of the nation’s electric grid” (title courtesy of my Network World publisher).

Asked if the U.S. is prepared for such an attack, McConnell told Kroft, "No. The United States is not prepared for such an attack."

Security of the electrical infrastructure is also mentioned in the most recent Cyberspace Policy Review on the White House web page. Now the House of Representatives has passed a bill aimed at hardening the cyber security policies of the US Government; it involves the Federal Information Security Management Act (FISMA). In turn, FISMA has an impact on NERC CIP.

Policy alone won’t make us safe. We need to spend big bucks on enforcement

While I read about “strong centralized oversight” and “update our comprehensive policy,” I do not read anywhere about enforcement or about funding NERC CIP compliance. We all know there can be huge gaps between policy and implementation, and similarly between oversight and enforcement.

It takes a lot of dollars to convert a demanding security policy into the desired security state. Similarly, it takes consistent enforcement of policy, including penalties for compliance violations, to justify the existence of oversight at all.

There are lots of comments on my previous blog post, both pro and con, about my suggestion of a bigger stick for enforcing NERC CIP compliance. In my replies I stuck to my guns.

Last night President Obama made a speech to the nation about the BP oil spill. One of his three central points dealt with preventing a future oil spill disaster. Today the President told BP to allocate billions of dollars to reimburse those who suffered as a result of BP’s oil spill.

Perhaps now is the time to take similar action and allocate funds and sticks to prevent an electrical grid cyber disaster.

Have a secure week.