A Service of Energy CentralEnergyBlogs.com Logo

On the topic of infrastructure cybersecurity, there is a long-held belief by some in our industry that the US federal government needs to find ways to share more information with the private sector. There are any number of problems when making this argument, starting with the fact that the beliefs behind it just aren't true. Mark Weatherford, former Deputy Undersecretary for Cyber at DHS and now with the Chertoff Group, just made this point at the recent DefCon event in Las Vegas and I wholly agree. We need to dispel these myths once and for all and talk about where to get the answers we need to align with the Presidential Executive Order on Cybersecurity and tackle the growing problem of cyberattacks on critical infrastructure.

This argument is based on beliefs that:

  • The US federal government has vast intelligence resources with the capability to identify cyberthreats to infrastructure.
  • The information held within government walls contains the solution needed by infrastructure operators and the communities who rely on them.
  • Once the Feds learn to share this knowledge better, the threat to water, power, transportation and other critical resources would be greatly reduced.


The first problem with such arguments is the fallacy that the US federal government holds a mysterious monopoly on related knowledge. The general public--and subject matter experts who should know better--carry a mental image of vast warehouses of government information. Remember the last scene from the 1980s movie "Raiders of the Lost Ark"? Presumably these warehouses include all possible technical vulnerabilities, hacktivists' plans, and foreign capabilities that threaten our infrastructure. Belief in such omniscient power should be seriously questioned when combined with known limits on bureaucratic capabilities, much less the common accusations of government incompetency.

The second problem is that the private sector already has as much knowledge as, and in most ways more knowledge than the government, to begin with. The oft-repeated and likely understated statistic that 85% of critical infrastructure is owned and operated by the private sector should be the first clue. The government's widely known weakness in acquiring and retaining a cybersecurity-skilled workforce is another. And in a truly globally connected world, the final fact that the overwhelming bulk of both infrastructure and workforce reside outside the legal and physical borders of the United States points us in another direction.

There are indeed capabilities contained within the public sector which have unique value, none more so than the American federal public sector. But the staggering majority of the potential cyberattack surface--and therefore also the sensory surface--of critical infrastructure is already in the hands of private sector infrastructure operators. All of the source code for all of the devices that make up critical infrastructure is already in the hands of the private sector entities who created it. All but some small portion of known vulnerabilities to applications, devices, and facilities is in the hands of the private sector. Almost all of the people with the requisite skills are already in the private sector, and their ranks are swelling with former public sector peers looking for better compensation.

So, while the Presidential Executive Order on Cybersecurity is a good thing that will likely lead to improvements in related capabilities on behalf of the US government, the order itself will not move the bar measurably toward the goal of a robustly defended cyberphysical infrastructure. In fact, the ability of the public sector to perform its own relatively small part of the overall task will remain limited regardless of its efforts, so long as the private sector continues to stand waiting for an answer from Washington DC.

Instead, the answers lie all around us in pieces ready to assemble--the work of vendors and integrators, researchers and asset owners, industry organizations and standards bodies. They lie in existing real-time sharing systems like REN-ISAC's Collective Intelligence Framework (CIF) and the Internet Systems Consortium's OPSEC-Trust. They also lie in existing incident sharing formats like IODEF, and emerging ones like STIX. The Situational Awareness Reference Architecture (SARA) being developed by the ICS-ISAC and its membership seeks to compile these capabilities from across the private sector.

Until the private sector takes greater ownership for capturing and utilizing knowledge that is already within its grasp, the public sector will remain unable to perform even the limited role it can play in addressing threats to our shared infrastructure. The search for security does not begin in Washington, it begins at home.

420 Views Comments 0 Comments Comments Add Comment Author BioAuthor Bio
ReportReport This Post as Foul/Inappropriate

There are times for finesse and then there are times for blunt force. Determining which is needed is often the defining characteristic of success in any endeavor. The ongoing efforts to address the...

Knowledge is power, and nowhere is that more true than in the area of cybersecurity. Maximum reduction of cyber risk to national critical infrastructure can only be achieved through improved op...

In the past few years we have heard a lot about the rising tide of attacks and vulnerabilities against Industrial Control Systems (ICS) such as those deployed in electric grids. There has been much...


Blog Editor
Recent EntriesRecent Entries
Recent CommentsRecent Comments

Sponsored Content

Copyright © 1996-2016 by CyberTech, Inc. All rights reserved.
Energy Central ® is a registered trademark of CyberTech, Incorporated.
CyberTech does not warrant that the information or services of Energy Central will meet any specific requirements; nor will it be error free or uninterrupted; nor shall CyberTech be liable for any indirect, incidental or consequential damages (including lost data, information or profits) sustained or incurred in connection with the use of, operation of, or inability to use Energy Central.
2821 S. Parker Rd. Ste 1105 Aurora, CO 80014
Contact: Phone - 303-782-5510 Fax - 303-782-5331 or service@energycentral.com.